|
VCID-11fa-rzjz-nqbk
|
kernel: mm/slub: Avoid list corruption when removing a slab from the full list
|
CVE-2024-56566
|
|
VCID-123n-sr2p-dugq
|
kernel: cgroup/cpuset: remove kernfs active break
|
CVE-2025-21634
|
|
VCID-13fa-5nt8-skd9
|
kernel: btrfs: fix zero size inode with non-zero size after log replay
|
CVE-2026-43118
|
|
VCID-161a-dxha-yydc
|
kernel: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
|
CVE-2026-31697
|
|
VCID-1ah9-1zbd-xyb5
|
In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory

In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues.

The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory.
|
CVE-2024-36911
|
|
VCID-1akk-725w-xbfd
|
kernel: slip: reject VJ receive packets on instances with no rstate array
|
CVE-2026-45842
|
|
VCID-1bue-7zwu-zkc6
|
kernel: rxrpc: Fix call removal to use RCU safe deletion
|
CVE-2026-31642
|
|
VCID-1bux-ujdf-g7ct
|
kernel: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
|
CVE-2026-31577
|
|
VCID-1c99-bwws-q3gp
|
In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below:

    (cpu 0)                        | (cpu 1)
    switch_drv_remove()            |
      flush_work()                 |
      ...                          | switch_timer // timer
                                   |   schedule_work(&psw->work)
      timer_shutdown_sync()        |
      ...                          | switch_work_handler // worker
      kfree(psw) // free           |
                                   |   psw->state = 0 // use

This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.
|
CVE-2023-52629
|
|
VCID-1e8y-b7fa-zyfy
|
In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex

In the cited commit, bond->ipsec_lock is added to protect ipsec_list, hence xdo_dev_state_add and xdo_dev_state_delete are called inside this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep, "scheduling while atomic" will be triggered when changing bond's active slave.

    [ 101.055189] BUG: scheduling while atomic: bash/902/0x00000200
    [ 101.055726] Modules linked in:
    [ 101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1
    [ 101.058760] Hardware name:
    [ 101.059434] Call Trace:
    [ 101.059436] <TASK>
    [ 101.060873] dump_stack_lvl+0x51/0x60
    [ 101.061275] __schedule_bug+0x4e/0x60
    [ 101.061682] __schedule+0x612/0x7c0
    [ 101.062078] ? __mod_timer+0x25c/0x370
    [ 101.062486] schedule+0x25/0xd0
    [ 101.062845] schedule_timeout+0x77/0xf0
    [ 101.063265] ? asm_common_interrupt+0x22/0x40
    [ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10
    [ 101.064215] __wait_for_common+0x87/0x190
    [ 101.064648] ? usleep_range_state+0x90/0x90
    [ 101.065091] cmd_exec+0x437/0xb20 [mlx5_core]
    [ 101.065569] mlx5_cmd_do+0x1e/0x40 [mlx5_core]
    [ 101.066051] mlx5_cmd_exec+0x18/0x30 [mlx5_core]
    [ 101.066552] mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]
    [ 101.067163] ? bonding_sysfs_store_option+0x4d/0x80 [bonding]
    [ 101.067738] ? kmalloc_trace+0x4d/0x350
    [ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]
    [ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]
    [ 101.069312] bond_change_active_slave+0x392/0x900 [bonding]
    [ 101.069868] bond_option_active_slave_set+0x1c2/0x240 [bonding]
    [ 101.070454] __bond_opt_set+0xa6/0x430 [bonding]
    [ 101.070935] __bond_opt_set_notify+0x2f/0x90 [bonding]
    [ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [bonding]
    [ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [bonding]
    [ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0
    [ 101.073033] vfs_write+0x2d8/0x400
    [ 101.073416] ? alloc_fd+0x48/0x180
    [ 101.073798] ksys_write+0x5f/0xe0
    [ 101.074175] do_syscall_64+0x52/0x110
    [ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53

bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called from bond_change_active_slave, which requires holding the RTNL lock, and bond_ipsec_add_sa and bond_ipsec_del_sa are the xfrm state xdo_dev_state_add and xdo_dev_state_delete APIs, which run in user context. So ipsec_lock doesn't have to be a spin lock; change it to a mutex, which resolves the above issue.
|
CVE-2024-46678
|
|
VCID-1etx-xbxk-qucx
|
kernel: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM
|
CVE-2024-56611
|
|
VCID-1fvw-tgan-77c8
|
kernel: loop: Avoid updating block size under exclusive owner
|
CVE-2025-38709
|
|
VCID-1fxc-d13u-3uf5
|
kernel: KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN
|
CVE-2026-46059
|
|
VCID-1gs1-55u4-bqee
|
kernel: ALSA: mixer: oss: Add card disconnect checkpoints
|
CVE-2026-43126
|
|
VCID-1gz6-5jgt-8ube
|
kernel: netfilter: nf_tables: unconditionally bump set->nelems before insertion
|
CVE-2026-23272
|
|
VCID-1jad-f5dd-3fez
|
kernel: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
|
CVE-2026-46069
|
|
VCID-1jh4-z86q-c3ax
|
kernel: x86-64: rename misleadingly named '__copy_user_nocache()' function
|
CVE-2026-43073
|
|
VCID-1jnu-sac8-kbdq
|
kernel: crypto: ccree - fix a memory leak in cc_mac_digest()
|
CVE-2026-45986
|
|
VCID-1nnz-an6v-wbgm
|
kernel: 9p/xen: protect xen_9pfs_front_free against concurrent calls
|
CVE-2026-43249
|
|
VCID-1np6-vwa9-ebdf
|
kernel: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
|
CVE-2026-31705
|
|
VCID-1pnf-prn5-2fhq
|
In the Linux kernel, the following vulnerability has been resolved: ax25: fix use-after-free bugs caused by ax25_ds_del_timer

When the ax25 device is detaching, the ax25_dev_device_down() calls ax25_ds_del_timer() to cleanup the slave_timer. When the timer handler is running, the ax25_ds_del_timer() that calls del_timer() in it will return directly. As a result, the use-after-free bugs could happen, one of the scenarios is shown below:

    (Thread 1)                  | (Thread 2)
                                | ax25_ds_timeout()
    ax25_dev_device_down()      |
      ax25_ds_del_timer()       |
        del_timer()             |
      ax25_dev_put() //FREE     |
                                |   ax25_dev-> //USE

In order to mitigate bugs, when the device is detaching, use timer_shutdown_sync() to stop the timer.
|
CVE-2024-35887
|
|
VCID-1pp9-sx9y-b3e7
|
kernel: fbdev: hyperv_fb: Allow graceful removal of framebuffer
|
CVE-2025-21976
|
|
VCID-1pqd-rvyw-p3aj
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: range check cp bad op exception interrupts

Due to a CP interrupt bug, bad packet garbage exception codes are raised. Do a range check so that the debugger and runtime do not receive garbage codes. Update the user api to guard exception code type checking as well.
|
CVE-2024-36951
|
|
VCID-1qk7-g1rk-aubp
|
kernel: wifi: mac80211: don't WARN for connections on invalid channels
|
CVE-2025-71227
|
|
VCID-1qkb-bkts-a3hg
|
kernel: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer
|
CVE-2024-49919
|
|
VCID-1spb-f3x7-63es
|
kernel: mptcp: pm: ADD_ADDR rtx: free sk if last
|
CVE-2026-46170
|
|
VCID-1tbz-yhnv-r3f4
|
kernel: rcu: Fix rcu_read_unlock() deadloop due to softirq
|
CVE-2026-45957
|
|
VCID-1ukf-fgp9-uud3
|
kernel: net: qrtr: ns: Limit the maximum number of lookups
|
CVE-2026-46026
|
|
VCID-1uph-bbvj-ybbg
|
kernel: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
|
CVE-2026-31616
|
|
VCID-1v3m-p5gz-1bbh
|
kernel: um: work around sched_yield not yielding in time-travel mode
|
CVE-2025-37880
|
|
VCID-1wtr-f7gr-5bgx
|
kernel: ALSA: hda: Fix missing pointer check in hda_component_manager_init function
|
CVE-2025-40097
|
|
VCID-1z6m-1enx-6ybu
|
kernel: mm/thp: fix deferred split unqueue naming and locking
|
CVE-2024-53079
|
|
VCID-224v-76nf-f3g8
|
kernel: iommu/vt-d: Clear Present bit before tearing down PASID entry
|
CVE-2026-45894
|
|
VCID-2273-rk95-7yhn
|
kernel: drm/amd/display: add null check
|
CVE-2025-39762
|
|
VCID-22gf-sy78-4kbj
|
kernel: io_uring/kbuf: re-using old struct io_buffer_list may lead to a use-after-free situation
|
CVE-2025-21836
|
|
VCID-22qe-9k22-skeh
|
kernel: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()
|
CVE-2024-52559
|
|
VCID-257x-4nsw-dbfr
|
kernel: eth: bnxt: fix truesize for mb-xdp-pass case
|
CVE-2025-21961
|
|
VCID-25eu-bfsu-qkhe
|
kernel: drm/vc4: Fix memory leak of BO array in hang state
|
CVE-2026-43105
|
|
VCID-25qa-2f41-kydz
|
kernel: perf/x86/intel/uncore: Skip discovery table for offline dies
|
CVE-2026-43079
|
|
VCID-26f6-7mh9-93a2
|
kernel: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
|
CVE-2025-21870
|
|
VCID-29t9-3w93-y3cq
|
A possible memory leak flaw was found in the Linux kernel's cpu_entry_area mapping of x86 CPU data to memory, in the way a user can guess the location of exception stack(s) or other important data. A local user could use this flaw to gain access to some important data at expected locations in memory.
|
CVE-2023-0597
|
|
VCID-2ajm-bteu-9bby
|
kernel: btrfs: fix NULL dereference on root when tracing inode eviction
|
CVE-2025-71184
|
|
VCID-2brz-3f7f-yqcm
|
kernel: f2fs: fix to do sanity check on direct node in truncate_dnode()
|
CVE-2023-53846
|
|
VCID-2bvq-sxrn-xkgb
|
In the Linux kernel, the following vulnerability has been resolved: md: Don't register sync_thread for reshape directly

Currently, if reshape is interrupted, then reassembling the array will register sync_thread directly from pers->run(); in this case 'MD_RECOVERY_RUNNING' is set directly. However, there is no guarantee that md_do_sync() will be executed, hence stop_sync_thread() will hang because 'MD_RECOVERY_RUNNING' can't be cleared. The last patch made sure that md_do_sync() will set MD_RECOVERY_DONE; however, the following hang can still be triggered by the dm-raid test shell/lvconvert-raid-reshape.sh occasionally:

    [root@fedora ~]# cat /proc/1982/stack
    [<0>] stop_sync_thread+0x1ab/0x270 [md_mod]
    [<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]
    [<0>] raid_presuspend+0x1e/0x70 [dm_raid]
    [<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]
    [<0>] __dm_destroy+0x2a5/0x310 [dm_mod]
    [<0>] dm_destroy+0x16/0x30 [dm_mod]
    [<0>] dev_remove+0x165/0x290 [dm_mod]
    [<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]
    [<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]
    [<0>] vfs_ioctl+0x21/0x60
    [<0>] __x64_sys_ioctl+0xb9/0xe0
    [<0>] do_syscall_64+0xc6/0x230
    [<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

Meanwhile mddev->recovery is:

    MD_RECOVERY_RUNNING | MD_RECOVERY_INTR | MD_RECOVERY_RESHAPE | MD_RECOVERY_FROZEN

Fix this problem by removing the code that registers sync_thread directly from raid10 and raid5, and let md_check_recovery() register sync_thread.
|
CVE-2024-26756
|
|
VCID-2cbk-z139-8fdc
|
kernel: selinux: fix overlayfs mmap() and mprotect() access checks
|
CVE-2026-46054
|
|
VCID-2dhw-k1kj-x7dp
|
kernel: netfilter: nft_counter: serialize reset with spinlock
|
CVE-2026-45897
|
|
VCID-2fr6-h1xr-qfda
|
kernel: HID: core: Mitigate potential OOB by removing bogus memset()
|
CVE-2026-43048
|
|
VCID-2j6s-nbc8-fqh4
|
kernel: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
|
CVE-2026-45999
|
|
VCID-2jg1-38an-tybe
|
kernel: tcp: secure_seq: add back ports to TS offset
|
CVE-2026-23247
|
|
VCID-2k1c-29fd-6qce
|
kernel: smb: client: require a full NFS mode SID before reading mode bits
|
CVE-2026-43350
|
|
VCID-2ks5-yqg8-vkem
|
kernel: ASoC: Intel: avs: Do not share the name pointer between components
|
CVE-2025-40338
|
|
VCID-2nqp-hnv2-8ug8
|
kernel: bpf: bpf_sk_storage: Fix invalid wait context lockdep report
|
CVE-2023-53857
|
|
VCID-2pf5-4z83-7uau
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wake DMCUB before sending a command

[Why]
We can hang in place trying to send commands when the DMCUB isn't powered on.

[How]
For functions that execute within a DC context or DC lock we can wrap the direct calls to dm_execute_dmub_cmd/list with code that exits idle power optimizations and reallows once we're done with the command submission on success.

For DM direct submissions the DM will need to manage the enter/exit sequencing manually. We cannot invoke a DMCUB command directly within the DM execution helper or we can deadlock.
|
CVE-2023-52485
|
|
VCID-2r4f-93jh-b3e9
|
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()

l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow since hdev->le_mtu may not fall in the valid range. Move MTU from hci_dev to hci_conn to validate MTU and stop the connection process earlier if MTU is invalid. Also, add a missing validation in read_buffer_size() and make it return an error value if the validation fails. Now hci_conn_add() returns ERR_PTR() as it can fail due to both a kzalloc failure and an invalid MTU value.

    divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
    CPU: 0 PID: 67 Comm: kworker/u5:0 Tainted: G W 6.9.0-rc5+ #20
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Workqueue: hci0 hci_rx_work
    RIP: 0010:l2cap_le_flowctl_init+0x19e/0x3f0 net/bluetooth/l2cap_core.c:547
    Code: e8 17 17 0c 00 66 41 89 9f 84 00 00 00 bf 01 00 00 00 41 b8 02 00 00 00 4c 89 fe 4c 89 e2 89 d9 e8 27 17 0c 00 44 89 f0 31 d2 <66> f7 f3 89 c3 ff c3 4d 8d b7 88 00 00 00 4c 89 f0 48 c1 e8 03 42
    RSP: 0018:ffff88810bc0f858 EFLAGS: 00010246
    RAX: 00000000000002a0 RBX: 0000000000000000 RCX: dffffc0000000000
    RDX: 0000000000000000 RSI: ffff88810bc0f7c0 RDI: ffffc90002dcb66f
    RBP: ffff88810bc0f880 R08: aa69db2dda70ff01 R09: 0000ffaaaaaaaaaa
    R10: 0084000000ffaaaa R11: 0000000000000000 R12: ffff88810d65a084
    R13: dffffc0000000000 R14: 00000000000002a0 R15: ffff88810d65a000
    FS:  0000000000000000(0000) GS:ffff88811ac00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020000100 CR3: 0000000103268003 CR4: 0000000000770ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     l2cap_le_connect_req net/bluetooth/l2cap_core.c:4902 [inline]
     l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5420 [inline]
     l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5486 [inline]
     l2cap_recv_frame+0xe59d/0x11710 net/bluetooth/l2cap_core.c:6809
     l2cap_recv_acldata+0x544/0x10a0 net/bluetooth/l2cap_core.c:7506
     hci_acldata_packet net/bluetooth/hci_core.c:3939 [inline]
     hci_rx_work+0x5e5/0xb20 net/bluetooth/hci_core.c:4176
     process_one_work kernel/workqueue.c:3254 [inline]
     process_scheduled_works+0x90f/0x1530 kernel/workqueue.c:3335
     worker_thread+0x926/0xe70 kernel/workqueue.c:3416
     kthread+0x2e3/0x380 kernel/kthread.c:388
     ret_from_fork+0x5c/0x90 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
     </TASK>
    Modules linked in:
    ---[ end trace 0000000000000000 ]---
|
CVE-2024-36968
|
|
VCID-2sh9-5d9w-2bht
|
kernel: mptcp: fix scheduling with atomic in timestamp sockopt
|
CVE-2026-46168
|
|
VCID-2sxz-nbqh-4fgb
|
kernel: smc: Fix use-after-free in __pnet_find_base_ndev()
|
CVE-2025-40064
|
|
VCID-2xgc-ba1e-wkdu
|
kernel: crypto: stm32/cryp - call finalize with bh disabled
|
CVE-2024-47658
|
|
VCID-2xvp-epu5-tbbf
|
In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of clear-key structures on failure

Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key.
|
CVE-2024-42156
|
|
VCID-2z7a-nge8-b3dr
|
kernel: bpf: Fix stackmap overflow check in __bpf_get_stackid()
|
CVE-2025-68378
|
|
VCID-2zk6-5pf5-jygn
|
kernel: wifi: ath11k: add srng->lock for ath11k_hal_srng_* in monitor mode
|
CVE-2024-58096
|
|
VCID-2zsk-c8mg-p7hb
|
kernel: rxrpc: Fix data-race warning and potential load/store tearing
|
CVE-2026-23118
|
|
VCID-2zta-31pp-j7hc
|
kernel: smb: client: fix UAF in decryption with multichannel
|
CVE-2025-37750
|
|
VCID-329c-4thm-4qa6
|
In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Wipe copies of protected- and secure-keys

Although the clear-key of neither protected- nor secure-keys is accessible, this key material should only be visible to the calling process. So wipe all copies of protected- or secure-keys from stack, even in case of an error.
|
CVE-2024-42155
|
|
VCID-3821-uy1e-sqcm
|
In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish()

Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070.

    BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0
    ==================================================================
    BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]
    Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007
    CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1
    Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
    Call Trace:
     <TASK>
     dump_stack_lvl+0x5b/0x90
     print_report+0xcf/0x670
     ? __virt_addr_valid+0x200/0x3e0
     kasan_report+0xd8/0x110
     ? do_zone_finish+0x91a/0xb90 [btrfs]
     ? do_zone_finish+0x91a/0xb90 [btrfs]
     do_zone_finish+0x91a/0xb90 [btrfs]
     btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]
     ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]
     ? btrfs_put_root+0x2d/0x220 [btrfs]
     ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]
     cleaner_kthread+0x21e/0x380 [btrfs]
     ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]
     kthread+0x2e3/0x3c0
     ? __pfx_kthread+0x10/0x10
     ret_from_fork+0x31/0x70
     ? __pfx_kthread+0x10/0x10
     ret_from_fork_asm+0x1b/0x30
     </TASK>

    Allocated by task 3493983:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0xaa/0xb0
     btrfs_alloc_device+0xb3/0x4e0 [btrfs]
     device_list_add.constprop.0+0x993/0x1630 [btrfs]
     btrfs_scan_one_device+0x219/0x3d0 [btrfs]
     btrfs_control_ioctl+0x26e/0x310 [btrfs]
     __x64_sys_ioctl+0x134/0x1b0
     do_syscall_64+0x99/0x190
     entry_SYSCALL_64_after_hwframe+0x6e/0x76

    Freed by task 3494056:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     kasan_save_free_info+0x3f/0x60
     poison_slab_object+0x102/0x170
     __kasan_slab_free+0x32/0x70
     kfree+0x11b/0x320
     btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]
     btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]
     btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]
     btrfs_ioctl+0xb27/0x57d0 [btrfs]
     __x64_sys_ioctl+0x134/0x1b0
     do_syscall_64+0x99/0x190
     entry_SYSCALL_64_after_hwframe+0x6e/0x76

    The buggy address belongs to the object at ffff8881543c8000
     which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 96 bytes inside of
     freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)

    The buggy address belongs to the physical page:
    page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8
    head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
    page_type: 0xffffffff()
    raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected

    Memory state around the buggy address:
     ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
     ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

This UAF happens because we're accessing stale zone information of an already removed btrfs_device in do_zone_finish(). The sequence of events is as follows:

    btrfs_dev_replace_start
      btrfs_scrub_dev
        btrfs_dev_replace_finishing
          btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced
          btrfs_rm_dev_replace_free_srcdev
            btrfs_free_device <-- device freed

    cleaner_kthread
      btrfs_delete_unused_bgs
        btrfs_zone_finish
          do_zone_finish <-- refers the freed device

The reason for this is that we're using a ---truncated---
|
CVE-2024-26944
|
|
VCID-3972-7qj6-cycr
|
kernel: md/raid5: fix soft lockup in retry_aligned_read()
|
CVE-2026-46051
|
|
VCID-3bwg-yjbx-77f8
|
kernel: ceph: fix race condition validating r_parent before applying state
|
CVE-2025-39927
|
|
VCID-3bzw-j1zt-6qe9
|
kernel: Kernel: Bluetooth HCI local DoS
|
CVE-2024-58241
|
|
VCID-3ca3-rbwm-myag
|
kernel: RDMA/mlx5: Fix a WARN during dereg_mr for DM type
|
CVE-2025-21888
|
|
VCID-3cdu-n6se-ruhe
|
kernel: mm: fix uprobe pte be overwritten when expanding vma
|
CVE-2025-38207
|
|
VCID-3cqb-d1sg-3yhs
|
kernel: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
|
CVE-2026-43353
|
|
VCID-3ebu-b7q6-ryce
|
kernel: ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
|
CVE-2026-43185
|
|
VCID-3frj-tse7-ubff
|
kernel: dmaengine: idxd: Fix not releasing workqueue on .release()
|
CVE-2026-43064
|
|
VCID-3fxt-tc69-6qcq
|
kernel: netfilter: xt_multiport: validate range encoding in checkentry
|
CVE-2026-31681
|
|
VCID-3gpx-pjwp-bqcn
|
kernel: net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work
|
CVE-2025-40003
|
|
VCID-3gu9-1ek3-tbb7
|
kernel: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
|
CVE-2026-46209
|
|
VCID-3gv2-szvg-jybh
|
kernel: iommu/amd/pgtbl: Fix possible race while increase page table level
|
CVE-2025-39961
|
|
VCID-3h3b-gupb-c7en
|
In the Linux kernel, the following vulnerability has been resolved: riscv: VMAP_STACK overflow detection thread-safe

commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to `shadow_stack` temporarily before switching finally to per-cpu `overflow_stack`. If two CPUs/harts are racing and end up overflowing the kernel stack, one or both will end up corrupting each other's state because `shadow_stack` is not per-cpu.

This patch optimizes per-cpu overflow stack switch by directly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`. Following are the changes in this patch:

- Defines an asm macro to obtain per-cpu symbols in destination register.
- In entry.S, when overflow is detected, per-cpu overflow stack is located using per-cpu asm macro. Computing per-cpu symbol requires a temporary register. x31 is saved away into CSR_SCRATCH (CSR_SCRATCH is anyways zero since we're in kernel).

Please see Links for additional relevant discussion and alternative solution.

Tested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`. Kernel crash log below:

    Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT
    Task stack: [0xff20000010a98000..0xff20000010a9c000]
    Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]
    CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
    Hardware name: riscv-virtio,qemu (DT)
    epc : __memset+0x60/0xfc
     ra : recursive_loop+0x48/0xc6 [lkdtm]
    epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80
     gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88
     t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0
     s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000
     a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000
     a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff
     s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90
     s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684
     s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10
     s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4
     t5 : ffffffff815dbab8 t6 : ff20000010a9bb48
    status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f
    Kernel panic - not syncing: Kernel stack overflow
    CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34
    Hardware name: riscv-virtio,qemu (DT)
    Call Trace:
    [<ffffffff80006754>] dump_backtrace+0x30/0x38
    [<ffffffff808de798>] show_stack+0x40/0x4c
    [<ffffffff808ea2a8>] dump_stack_lvl+0x44/0x5c
    [<ffffffff808ea2d8>] dump_stack+0x18/0x20
    [<ffffffff808dec06>] panic+0x126/0x2fe
    [<ffffffff800065ea>] walk_stackframe+0x0/0xf0
    [<ffffffff0163a752>] recursive_loop+0x48/0xc6 [lkdtm]
    SMP: stopping secondary CPUs
    ---[ end Kernel panic - not syncing: Kernel stack overflow ]---
|
CVE-2023-52761
|
|
VCID-3hmq-thga-u3du
|
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up

Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this:

    rtw_rx_fill_rx_status
    rtw8821c_query_rx_desc
    rtw_usb_rx_handler
    ...
    queue_work
    rtw_usb_read_port_complete
    ...
    usb_submit_urb
    rtw_usb_rx_resubmit
    rtw_usb_init_rx
    rtw_usb_probe

So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. For me, this bug manifested as:

    [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
    [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status

because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.
|
CVE-2024-46760
|
|
VCID-3hvr-8xh7-q3dh
|
kernel: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
|
CVE-2026-46196
|
|
VCID-3p4f-tpzm-hqeq
|
kernel: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
|
CVE-2026-23371
|
|
VCID-3qxt-eh97-x7bq
|
kernel: net: dsa: clean up FDB, MDB, VLAN entries on unbind
|
CVE-2025-37864
|
|
VCID-3r4b-k6qt-wubz
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion

When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below.

    [..... other info removed for brevity....]
    [ 82.890906]
    [ 82.890906] ============================================
    [ 82.890906] WARNING: possible recursive locking detected
    [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W
    [ 82.890906] --------------------------------------------
    [ 82.890906] ping/418 is trying to acquire lock:
    [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550
    [ 82.890906]
    [ 82.890906] but task is already holding lock:
    [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550
    [ 82.890906]
    [ 82.890906] other info that might help us debug this:
    [ 82.890906] Possible unsafe locking scenario:
    [ 82.890906]
    [ 82.890906] CPU0
    [ 82.890906] ----
    [ 82.890906] lock(&sch->q.lock);
    [ 82.890906] lock(&sch->q.lock);
    [ 82.890906]
    [ 82.890906] *** DEADLOCK ***
    [ 82.890906]
    [..... other info removed for brevity....]

Example setup (eth0->eth0) to recreate:

    tc qdisc add dev eth0 root handle 1: htb default 30
    tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
      action mirred egress redirect dev eth0

Another example (eth0->eth1->eth0) to recreate:

    tc qdisc add dev eth0 root handle 1: htb default 30
    tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \
      action mirred egress redirect dev eth1
    tc qdisc add dev eth1 root handle 1: htb default 30
    tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \
      action mirred egress redirect dev eth0

We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop.
|
CVE-2024-27010
|
|
VCID-3sez-j2xr-r3dk
|
kernel: can: raw: fix ro->uniq use-after-free in raw_rcv()
|
CVE-2026-31532
|
|
VCID-3szw-ar24-6uad
|
kernel: btrfs: don't check PageError in __extent_writepage
|
CVE-2023-53429
|
|
VCID-3tjr-ex8p-ykfw
|
kernel: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
|
CVE-2026-43495
|
|
VCID-3u85-1p3h-f7em
|
kernel: ptp: Add a upper bound on max_vclocks
|
CVE-2025-40057
|
|
VCID-3uce-tzmz-ukad
|
kernel: Linux kernel: Denial of Service in SMB client due to deadlock during channel reconnection
|
CVE-2025-38244
|
|
VCID-3uv2-pb56-4ugp
|
kernel: media: vimc: skip .s_stream() for stopped entities
|
CVE-2025-22028
|
|
VCID-3wq4-kpde-97f6
|
kernel: net/smc: fix UAF on smcsk after smc_listen_out()
|
CVE-2025-38734
|
|
VCID-3wu3-cc3e-7ya4
|
kernel: ASoC: qcom: q6asm: drop DSP responses for closed data streams
|
CVE-2026-43204
|
|
VCID-41tk-hr98-j3h9
|
kernel: rxrpc: Fix handling of received connection abort
|
CVE-2024-58053
|
|
VCID-41xc-sefr-57b4
|
kernel: spi: use generic driver_override infrastructure
|
CVE-2026-31487
|
|
VCID-42ue-3ewg-ubd9
|
kernel: fbcon: Avoid OOB font access if console rotation fails
|
CVE-2026-46191
|
|
VCID-4334-qg2c-gke1
|
kernel: RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error
|
CVE-2025-21732
|
|
VCID-434u-5z1z-3uf9
|
A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.
|
CVE-2023-6039
|
|
VCID-43ax-mak6-zyc5
|
kernel: vsock/virtio: fix accept queue count leak on transport mismatch
|
CVE-2026-46214
|
|
VCID-45wq-wawr-1ufx
|
kernel: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
|
CVE-2026-43117
|
|
VCID-47p2-m48g-4qbt
|
kernel: iio: common: st_sensors: Fix use of uninitialize device structs
|
CVE-2025-38531
|
|
VCID-488g-7axm-n7ah
|
kernel: md raid: fix hang when stopping arrays with metadata through dm-raid
|
CVE-2026-43309
|
|
VCID-4ahj-ax4x-pqfg
|
kernel: net: stmmac: Prevent NULL deref when RX memory exhausted
|
CVE-2026-46110
|
|
VCID-4bnt-udp7-y3g5
|
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Check 'folio' pointer for NULL

It can be NULL if bmap is called.
|
CVE-2024-38625
|
|
VCID-4e6b-wgqw-sbhp
|
kernel: isofs: validate block number from NFS file handle in isofs_export_iget
|
CVE-2026-46124
|
|
VCID-4f6c-qu8g-a3dq
|
kernel: sched/rt: Fix race in push_rt_task
|
CVE-2025-38234
|
|
VCID-4g7m-bykg-9bcz
|
kernel: spi: spi-dw-dma: fix print error log when wait finish transaction
|
CVE-2026-31560
|
|
VCID-4gj8-v5c5-v7fb
|
kernel: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
|
CVE-2026-46199
|
|
VCID-4hug-t24z-kucs
|
kernel: ocfs2: split transactions in dio completion to avoid credit exhaustion
|
CVE-2026-46080
|
|
VCID-4jxk-1tab-n7c6
|
kernel: nf_tables: nft_dynset: fix possible stateful expression memleak in error path
|
CVE-2026-23399
|
|
VCID-4kj9-nb4y-2ub7
|
kernel: x86/mce: use is_copy_from_user() to determine copy-from-user context
|
CVE-2025-39989
|
|
VCID-4mct-k2js-6fag
|
kernel: ocfs2: fix possible deadlock between unlink and dio_end_io_write
|
CVE-2026-31598
|
|
VCID-4mw2-3r37-cfae
|
kernel: media: rc: xbox_remote: heed DMA restrictions
|
CVE-2026-46236
|
|
VCID-4n2r-jb5u-cfds
|
kernel: most: core: fix leak on early registration failure
|
CVE-2026-43317
|
|
VCID-4pjf-e5f7-mycu
|
kernel: crypto: atmel-tdes - fix DMA sync direction
|
CVE-2026-46077
|
|
VCID-4q22-t2t1-83bd
|
kernel: wifi: iwlwifi: fix debug actions order
|
CVE-2025-38045
|
|
VCID-4rbc-1z1g-3fe2
|
kernel: btrfs: harden block_group::bg_list against list_del() races
|
CVE-2025-37856
|
|
VCID-4rrw-ddx6-9bbb
|
kernel: btrfs: insert tree mod log move in push_node_left
|
CVE-2023-53538
|
|
VCID-4ssm-zf4k-abba
|
kernel: wifi: mt76: mt7921: fix a potential clc buffer length underflow
|
CVE-2026-46136
|
|
VCID-4syw-6j26-mqh4
|
In the Linux kernel, the following vulnerability has been resolved: watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger When the cpu5wdt module is being removed, the original code uses del_timer() to de-activate the timer. If the timer handler is running, del_timer() cannot stop it and will return directly. If the port region is released by release_region() and the timer handler cpu5wdt_trigger() then calls outb() to write into the region that was released, a use-after-free bug will happen. Change del_timer() to timer_shutdown_sync() so that the timer handler has finished before the port region is released.
|
CVE-2024-38630
|
|
VCID-4tdg-c1rj-8fbh
|
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: avoid PMD-size page cache if needed xarray can't support an arbitrary page cache size. The largest supported page cache size is defined as MAX_PAGECACHE_ORDER by commit 099d90642a71 ("mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray"). However, it's possible to have a 512MB page cache in the huge memory's collapsing path on an ARM64 system whose base page size is 64KB. A 512MB page cache breaks the limitation and a warning is raised when the xarray entry is split, as shown in the following example.

[root@dhcp-10-26-1-207 ~]# cat /proc/1/smaps | grep KernelPageSize
KernelPageSize: 64 kB
[root@dhcp-10-26-1-207 ~]# cat /tmp/test.c
 :
int main(int argc, char **argv)
{
	const char *filename = TEST_XFS_FILENAME;
	int fd = 0;
	void *buf = (void *)-1, *p;
	int pgsize = getpagesize();
	int ret = 0;

	if (pgsize != 0x10000) {
		fprintf(stdout, "System with 64KB base page size is required!\n");
		return -EPERM;
	}

	system("echo 0 > /sys/devices/virtual/bdi/253:0/read_ahead_kb");
	system("echo 1 > /proc/sys/vm/drop_caches");

	/* Open the xfs file */
	fd = open(filename, O_RDONLY);
	assert(fd > 0);

	/* Create VMA */
	buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ, MAP_SHARED, fd, 0);
	assert(buf != (void *)-1);
	fprintf(stdout, "mapped buffer at 0x%p\n", buf);

	/* Populate VMA */
	ret = madvise(buf, TEST_MEM_SIZE, MADV_NOHUGEPAGE);
	assert(ret == 0);
	ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_READ);
	assert(ret == 0);

	/* Collapse VMA */
	ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
	assert(ret == 0);
	ret = madvise(buf, TEST_MEM_SIZE, MADV_COLLAPSE);
	if (ret) {
		fprintf(stdout, "Error %d to madvise(MADV_COLLAPSE)\n", errno);
		goto out;
	}

	/* Split xarray entry. Write permission is needed */
	munmap(buf, TEST_MEM_SIZE);
	buf = (void *)-1;
	close(fd);
	fd = open(filename, O_RDWR);
	assert(fd > 0);
	fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
		  TEST_MEM_SIZE - pgsize, pgsize);

out:
	if (buf != (void *)-1)
		munmap(buf, TEST_MEM_SIZE);
	if (fd > 0)
		close(fd);

	return ret;
}

[root@dhcp-10-26-1-207 ~]# gcc /tmp/test.c -o /tmp/test
[root@dhcp-10-26-1-207 ~]# /tmp/test
------------[ cut here ]------------
WARNING: CPU: 25 PID: 7560 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse \
xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 virtio_net \
sha1_ce net_failover virtio_blk virtio_console failover dimlib virtio_mmio
CPU: 25 PID: 7560 Comm: test Kdump: loaded Not tainted 6.10.0-rc7-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x780
sp : ffff8000ac32f660
x29: ffff8000ac32f660 x28: ffff0000e0969eb0 x27: ffff8000ac32f6c0
x26: 0000000000000c40 x25: ffff0000e0969eb0 x24: 000000000000000d
x23: ffff8000ac32f6c0 x22: ffffffdfc0700000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0700000 x18: 0000000000000000
x17: 0000000000000000 x16: ffffd5f3708ffc70 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: ffffffffffffffc0 x10: 0000000000000040 x9 : ffffd5f3708e692c
x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff0000e0969eb8
x5 : ffffd5f37289e378 x4 : 0000000000000000 x3 : 0000000000000c40
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
 xas_split_alloc+0xf8/0x128
 split_huge_page_to_list_to_order+0x1c4/0x780
 truncate_inode_partial_folio+0xdc/0x160
 truncate_inode_pages_range+0x1b4/0x4a8
 truncate_pagecache_range+0x84/0xa
---truncated---
|
CVE-2024-42317
|
|
VCID-4tqg-v218-eubx
|
kernel: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers
|
CVE-2025-21885
|
|
VCID-4u3m-s26p-3ufs
|
kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
|
CVE-2026-46056
|
|
VCID-4vjj-9rpt-cyhb
|
kernel: io_uring: check for overflows in io_pin_pages
|
CVE-2024-53187
|
|
VCID-4w8u-eyqr-vybb
|
kernel: net: bridge: use a stable FDB dst snapshot in RCU readers
|
CVE-2026-46086
|
|
VCID-4wmu-sr6f-yfe8
|
kernel: mm/kasan: fix double free for kasan pXds
|
CVE-2026-31686
|
|
VCID-4xmu-tayk-skga
|
kernel: cifs: fix memory leak in smb3_fs_context_parse_param error path
|
CVE-2025-68219
|
|
VCID-4yvc-u8ju-byh3
|
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix soft lockup under heavy CEQE load CEQEs are currently handled in the interrupt handler. This may cause the CPU core to stay in interrupt context too long and lead to a soft lockup under heavy load. Handle CEQEs in a BH workqueue and set an upper limit on the number of CEQEs handled by a single call of the work handler.
|
CVE-2024-43872
|
|
VCID-4yxa-fq12-xqb8
|
In the Linux kernel, the following vulnerability has been resolved: gve: Account for stopped queues when reading NIC stats We now account for the fact that the NIC might send us stats for a subset of queues. Without this change, gve_get_ethtool_stats might make an invalid access on the priv->stats_report->stats array.
|
CVE-2024-42162
|
|
VCID-4zt2-g3gp-sufg
|
kernel: f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
|
CVE-2024-47691
|
|
VCID-52qw-6ek2-mucp
|
kernel: batman-adv: stop caching unowned originator pointers in BAT IV
|
CVE-2026-46238
|
|
VCID-53ct-dtua-tbea
|
kernel: Input: alps - fix use-after-free bugs caused by dev3_register_work
|
CVE-2025-68822
|
|
VCID-54jw-hc51-5kak
|
kernel: rxrpc: Fix re-decryption of RESPONSE packets
|
CVE-2026-45988
|
|
VCID-589p-yept-hyg7
|
kernel: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
|
CVE-2026-43497
|
|
VCID-5at1-tqba-6kfg
|
In the Linux kernel, the following vulnerability has been resolved: ocfs2: Avoid touching renamed directory if parent does not change The VFS will not be locking the moved directory if its parent does not change. Change the ocfs2 rename code to avoid touching the renamed directory if its parent does not change, as doing so without locking can corrupt the filesystem.
|
CVE-2023-52590
|
|
VCID-5au8-v1ew-xfbj
|
kernel: net: add xmit recursion limit to tunnel xmit functions
|
CVE-2026-23276
|
|
VCID-5b7d-bdu5-j7be
|
kernel: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data
|
CVE-2025-68342
|
|
VCID-5bpc-4f3q-83hx
|
kernel: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
|
CVE-2026-46156
|
|
VCID-5bv2-jrdq-xfcv
|
kernel: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
|
CVE-2026-46113
|
|
VCID-5cag-9f3c-tbcw
|
kernel: ksmbd: fix use-after-free in ksmbd_free_work_struct
|
CVE-2025-21967
|
|
VCID-5e2p-bgdk-m3dj
|
kernel: RDMA/mlx5: Move events notifier registration to be after device registration
|
CVE-2024-53224
|
|
VCID-5g9r-8x26-w7gc
|
kernel: md-cluster: fix NULL pointer dereference in process_metadata_update
|
CVE-2026-43271
|
|
VCID-5gdq-11ey-d7dq
|
kernel: RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
|
CVE-2026-46178
|
|
VCID-5gyc-6acn-5fff
|
kernel: bpf: check changes_pkt_data property for extension programs
|
CVE-2024-58100
|
|
VCID-5j8s-mjp8-47h9
|
kernel: padata: Fix pd UAF once and for all
|
CVE-2025-38584
|
|
VCID-5kze-9ku6-83dn
|
kernel: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
|
CVE-2026-46022
|
|
VCID-5mav-3aap-pkee
|
In the Linux kernel, the following vulnerability has been resolved: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() In the following concurrency we will access the uninitialized rs->lock:

ext4_fill_super
  ext4_register_sysfs
  // sysfs registered
                                        msg_ratelimit_interval_ms
                                        // Other processes modify rs->interval to
                                        // non-zero via msg_ratelimit_interval_ms
  ext4_orphan_cleanup
    ext4_msg(sb, KERN_INFO, "Errors on filesystem, "
      __ext4_msg
        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)
          if (!rs->interval)  // do nothing if interval is 0
            return 1;
          raw_spin_trylock_irqsave(&rs->lock, flags)
            raw_spin_trylock(lock)
              _raw_spin_trylock
                __raw_spin_trylock
                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)
                    lock_acquire
                      __lock_acquire
                        register_lock_class
                          assign_lock_key
                            dump_stack();
  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);
    raw_spin_lock_init(&rs->lock);
    // init rs->lock here

and get the following dump_stack:

=========================================================
INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 12 PID: 753 Comm: mount Tainted: G            E      6.7.0-rc6-next-20231222 #504
[...]
Call Trace:
 dump_stack_lvl+0xc5/0x170
 dump_stack+0x18/0x30
 register_lock_class+0x740/0x7c0
 __lock_acquire+0x69/0x13a0
 lock_acquire+0x120/0x450
 _raw_spin_trylock+0x98/0xd0
 ___ratelimit+0xf6/0x220
 __ext4_msg+0x7f/0x160 [ext4]
 ext4_orphan_cleanup+0x665/0x740 [ext4]
 __ext4_fill_super+0x21ea/0x2b10 [ext4]
 ext4_fill_super+0x14d/0x360 [ext4]
[...]
=========================================================

Normally interval is 0 until s_msg_ratelimit_state is initialized, so ___ratelimit() does nothing. But registering sysfs precedes initializing rs->lock, so it is possible to change rs->interval to a non-zero value via the msg_ratelimit_interval_ms interface of sysfs while rs->lock is uninitialized, and then a call to ext4_msg triggers the problem by accessing an uninitialized rs->lock. Therefore register sysfs after all initializations are complete to avoid such problems.
|
CVE-2024-40998
|
|
VCID-5mcr-qj9x-vudh
|
kernel: ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
|
CVE-2026-45858
|
|
VCID-5nry-t9a9-s7cf
|
kernel: btrfs: fix double free in create_space_info() error path
|
CVE-2026-46129
|
|
VCID-5ppr-xdw3-fyab
|
kernel: batman-adv: bla: put backbone reference on failed claim hash insert
|
CVE-2026-46231
|
|
VCID-5q61-adj2-wfd1
|
kernel: media: ipu-bridge: Fix null pointer deref on SSDB/PLD parsing warnings
|
CVE-2023-53336
|
|
VCID-5qa4-qfey-5fas
|
kernel: f2fs: fix to detect potential corrupted nid in free_nid_list
|
CVE-2025-68315
|
|
VCID-5qn2-7uv7-fbf9
|
kernel: net: qrtr: ns: Limit the maximum server registration per node
|
CVE-2026-43491
|
|
VCID-5ss5-e46g-6bc8
|
kernel: ext4: move ext4_percpu_param_init() before ext4_mb_init()
|
CVE-2026-43288
|
|
VCID-5vdc-navr-vud4
|
kernel: f2fs: fix to bail out in get_new_segment()
|
CVE-2025-38333
|
|
VCID-5vw1-84qq-qygy
|
kernel: usbip: validate number_of_packets in usbip_pack_ret_submit()
|
CVE-2026-31607
|
|
VCID-5wpn-8frj-nbaf
|
kernel: drm/amd/display: Add NULL check for function pointer in dcn401_set_output_transfer_func
|
CVE-2024-49910
|
|
VCID-5xrf-e87u-h7c5
|
kernel: pNFS: Fix a deadlock when returning a delegation during open()
|
CVE-2026-23050
|
|
VCID-5zja-98vc-qucg
|
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix uninitialized pointer dmactl In the case where __lpass_get_dmactl_handle is called and the driver id dai_id is invalid, the pointer dmactl is not assigned a value; dmactl then contains a garbage value since it has not been initialized, so the NULL check may not work. Fix this by initializing dmactl to NULL. One could argue that modern compilers will set this to zero, but it is useful to keep this initialized, in the same way as in the functions __lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params. Cleans up the clang scan build warning: sound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition evaluates to a garbage value [core.uninitialized.Branch]
|
CVE-2024-26799
|
|
VCID-5zy9-585y-6yf3
|
kernel: nfc: llcp: add missing return after LLCP_CLOSED checks
|
CVE-2026-31629
|
|
VCID-61es-uvb3-u7ah
|
kernel: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
|
CVE-2026-23004
|
|
VCID-6292-znkq-7fd1
|
kernel: ipmi: Add limits to event and receive message requests
|
CVE-2026-46177
|
|
VCID-63rv-t9zp-z3cd
|
kernel: LoongArch: BPF: Don't override subprog's return value
|
CVE-2025-22048
|
|
VCID-63v1-tm38-zyfn
|
kernel: most: core: fix resource leak in most_register_interface error paths
|
CVE-2025-71272
|
|
VCID-6598-5a6d-hbew
|
kernel: fanotify: fix false positive on permission events
|
CVE-2026-46150
|
|
VCID-66b2-xcuu-23hv
|
kernel: hwmon: (pmbus/core) Protect regulator operations with mutex
|
CVE-2026-31486
|
|
VCID-68tr-q3r5-eqhe
|
kernel: spi: mpc52xx: fix use-after-free on registration failure
|
CVE-2026-46241
|
|
VCID-68u4-cn8r-sbeg
|
kernel: udf: fix partition descriptor append bookkeeping
|
CVE-2026-45991
|
|
VCID-68zw-qu7t-zfbv
|
kernel: bonding: check xdp prog when set bond mode
|
CVE-2025-22105
|
|
VCID-6976-pmhu-9qg3
|
In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: reset ptes when close() for wr-protected ones Userfaultfd unregister includes a step to remove wr-protect bits from all the relevant pgtable entries, but that only covered an explicit UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover that too. This fixes a WARN trace. The only user visible side effect is the user can observe leftover wr-protect bits even if the user close()ed on an userfaultfd when releasing the last reference of it. However hopefully that should be harmless, and nothing bad should happen even if so. This change is now more important after the recent page-table-check patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check: support userfault wr-protect entries")), as we'll do sanity check on uffd-wp bits without vma context. So it's better if we can 100% guarantee no uffd-wp bit leftovers, to make sure each report will be valid.
|
CVE-2024-36881
|
|
VCID-69m9-3xhd-v7g2
|
kernel: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
|
CVE-2026-45846
|
|
VCID-69sw-db78-rfcd
|
kernel: drm/amd/display: Disable DMCUB timeout for DCN35
|
CVE-2024-46870
|
|
VCID-6b37-vrxv-nkhw
|
kernel: exfat: add cluster chain loop check for dir
|
CVE-2025-38692
|
|
VCID-6ccm-6dwt-bkfs
|
In the Linux kernel, the following vulnerability has been resolved: spi: lpspi: Avoid potential use-after-free in probe() fsl_lpspi_probe() is allocating/disposing memory manually with spi_alloc_host()/spi_alloc_target(), but uses devm_spi_register_controller(). In case of error after the latter call the memory will be explicitly freed in the probe function by spi_controller_put() call, but used afterwards by "devm" management outside probe() (spi_unregister_controller() <- devm_spi_unregister() below).

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000070
...
Call trace:
 kernfs_find_ns
 kernfs_find_and_get_ns
 sysfs_remove_group
 sysfs_remove_groups
 device_remove_attrs
 device_del
 spi_unregister_controller
 devm_spi_unregister
 release_nodes
 devres_release_all
 really_probe
 driver_probe_device
 __device_attach_driver
 bus_for_each_drv
 __device_attach
 device_initial_probe
 bus_probe_device
 deferred_probe_work_func
 process_one_work
 worker_thread
 kthread
 ret_from_fork
|
CVE-2024-26866
|
|
VCID-6cya-7s19-bqb5
|
kernel: usb: gadget: f_ecm: Fix net_device lifecycle with device_move
|
CVE-2026-31725
|
|
VCID-6dkm-2uxm-3ug3
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.
|
CVE-2024-46775
|
|
VCID-6ea3-484m-eqde
|
kernel: arm64: mm: fix VA-range sanity check
|
CVE-2023-53989
|
|
VCID-6es6-jdz7-3ugx
|
kernel: spi: fsl-qspi: use devm function instead of driver remove
|
CVE-2025-37842
|
|
VCID-6esn-wjxv-7ycm
|
kernel: iomap: adjust read range correctly for non-block-aligned positions
|
CVE-2025-68794
|
|
VCID-6f5t-gk89-yuh1
|
kernel: drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe
|
CVE-2024-49914
|
|
VCID-6f8m-mtma-ybfg
|
kernel: btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation
|
CVE-2026-45934
|
|
VCID-6g8w-5b5e-guag
|
kernel: ksmbd: Fix UAF in __close_file_table_ids
|
CVE-2025-37952
|
|
VCID-6gss-py8j-gqb3
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to also run unprivileged, in which case the old behavior persists. One test couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead.
This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
|
CVE-2023-52452
|
|
VCID-6hk2-sak7-w3ad
|
kernel: ceph: only d_add() negative dentries when they are unhashed
|
CVE-2026-46052
|
|
VCID-6j73-yxec-1ugy
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add a dc_state NULL check in dc_state_release [How] Check whether state is NULL before releasing it.
|
CVE-2024-26948
|
|
VCID-6k83-qmp5-7uhk
|
kernel: Linux kernel use-after-free in eventpoll
|
CVE-2025-38349
|
|
VCID-6m59-3cy4-gucw
|
kernel: team: fix header_ops type confusion with non-Ethernet ports
|
CVE-2026-31502
|
|
VCID-6m5s-a75h-9qgv
|
kernel: usb: ulpi: fix memory leak on ulpi_register() error paths
|
CVE-2026-46109
|
|
VCID-6nf9-3yaw-5bhc
|
kernel: PCI: endpoint: Add missing NULL check for alloc_workqueue()
|
CVE-2025-71313
|
|
VCID-6p5u-5tpz-6fd4
|
kernel: i40e: remove read access to debugfs files
|
CVE-2025-39901
|
|
VCID-6rjy-549b-h7hy
|
In the Linux kernel, the following vulnerability has been resolved: md/dm-raid: don't call md_reap_sync_thread() directly Currently md_reap_sync_thread() is called from raid_message() directly without holding 'reconfig_mutex'; this is definitely unsafe because md_reap_sync_thread() can change many fields that are protected by 'reconfig_mutex'. However, holding 'reconfig_mutex' here is still problematic because this will cause a deadlock, see for example commit 130443d60b1b ("md: refactor idle/frozen_sync_thread() to fix deadlock"). Fix this problem by using stop_sync_thread() to unregister sync_thread, like md/raid did.
|
CVE-2024-35808
|
|
VCID-6rzv-dyej-qba9
|
kernel: rtmutex: Use waiter::task instead of current in remove_waiter()
|
CVE-2026-43499
|
|
VCID-6tne-hgku-qyfp
|
kernel: usb: typec: tipd: Free IRQ only if it was requested before
|
CVE-2024-50057
|
|
VCID-6v82-3vjx-vbfv
|
kernel: exit: prevent preemption of oopsing TASK_DEAD task
|
CVE-2026-46173
|
|
VCID-6vcg-2c3q-jfe6
|
kernel: Linux kernel: Denial of Service via use-after-free in IMM SCSI host adapter
|
CVE-2025-68324
|
|
VCID-6wtk-ury7-myhv
|
kernel: net: dsa: properly keep track of conduit reference
|
CVE-2025-71152
|
|
VCID-6xwu-xjrg-eygz
|
kernel: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using
|
CVE-2025-38369
|
|
VCID-6xxb-wgp3-tbdw
|
kernel: xfs: remove xfs_attr_leaf_hasname
|
CVE-2026-43153
|
|
VCID-6z49-a79y-m7d7
|
kernel: btrfs: log new dentries when logging parent dir of a conflicting inode
|
CVE-2026-23465
|
|
VCID-6zps-gxac-3fbj
|
kernel: dm-verity-fec: fix reading parity bytes split across blocks (take 3)
|
CVE-2026-46130
|
|
VCID-6zxx-2e89-aqcw
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix incorrect mpc_combine array size [why] MAX_SURFACES is per stream, while MAX_PLANES is per asic. The mpc_combine is an array that records all the planes per asic. Therefore MAX_PLANES should be used as the array size. Using MAX_SURFACES causes array overflow when there are more than 3 planes. [how] Use the MAX_PLANES for the mpc_combine array size.
|
CVE-2024-26914
|
|
VCID-73ef-4zfx-b3af
|
In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer, return in the error branch instead of continuing and dereferencing the error pointer. While at it, drop the never-read static variable selinuxfs_mount.
|
CVE-2024-35904
|
|
VCID-745k-gvw3-q3g3
|
kernel: mptcp: pm: ADD_ADDR rtx: fix potential data-race
|
CVE-2026-46137
|
|
VCID-749j-73hj-u7bf
|
kernel: accel/habanalabs: fix mem leak in capture user mappings
|
CVE-2023-53367
|
|
VCID-75na-zt1j-c3ar
|
kernel: wifi: rsi: fix kthread lifetime race between self-exit and external-stop
|
CVE-2026-46187
|
|
VCID-78ub-vbjv-xufb
|
kernel: hisi_acc_vfio_pci: bugfix live migration function without VF device driver
|
CVE-2025-38283
|
|
VCID-78xy-94h7-v3f4
|
kernel: scsi: ufs: core: Fix use-after free in init error and remove paths
|
CVE-2025-21739
|
|
VCID-7aps-jvpz-73bq
|
kernel: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags
|
CVE-2024-49923
|
|
VCID-7b38-kbe4-rbge
|
kernel: HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure
|
CVE-2026-43049
|
|
VCID-7dfh-s33h-23df
|
kernel: erofs: Fix detection of atomic context
|
CVE-2023-53231
|
|
VCID-7djh-s68v-wuhw
|
kernel: inet: frags: flush pending skbs in fqdir_pre_exit()
|
CVE-2025-68768
|
|
VCID-7f29-u75a-bfgp
|
kernel: net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled
|
CVE-2025-38039
|
|
VCID-7fd1-c8xg-ffba
|
kernel: net: rds: fix MR cleanup on copy error
|
CVE-2026-46053
|
|
VCID-7fpp-efkq-g3df
|
kernel: jfs: add check read-only before truncation in jfs_truncate_nolock()
|
CVE-2024-58094
|
|
VCID-7gc9-aqme-jfgw
|
kernel: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
|
CVE-2026-46006
|
|
VCID-7gpv-2e5x-ykb2
|
kernel: usb: gadget: f_hid: don't call cdev_init while cdev in use
|
CVE-2026-31606
|
|
VCID-7kvb-s4st-mydx
|
kernel: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
|
CVE-2026-43352
|
|
VCID-7m2y-6mtw-kkfj
|
kernel: RISC-V: KVM: Write hgatp register with valid mode bits
|
CVE-2025-40065
|
|
VCID-7n6h-gda8-tfbn
|
kernel: can: ucan: fix devres lifetime
|
CVE-2026-46103
|
|
VCID-7paq-ky6q-q7ew
|
kernel: wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()
|
CVE-2025-39732
|
|
VCID-7scc-8ehc-p7fd
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue [why] odm calculation is missing for pipe split policy determination and cause Underflow/Corruption issue. [how] Add the odm calculation.
|
CVE-2024-26913
|
|
VCID-7skd-w8rx-2yas
|
kernel: arm64: set __exception_irq_entry with __irq_entry as a default
|
CVE-2023-54322
|
|
VCID-7szf-gnnm-27gc
|
kernel: net: mctp: Don't access ifa_index when missing
|
CVE-2025-38006
|
|
VCID-7tgr-hn4b-qbhe
|
kernel: net/mlx5e: Harden uplink netdev access against device unbind
|
CVE-2025-39947
|
|
VCID-7u8a-kbpj-xyhd
|
kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion
|
CVE-2025-21729
|
|
VCID-7u9k-ccce-3yhp
|
kernel: gfs2: Validate i_depth for exhash directories
|
CVE-2025-38710
|
|
VCID-7vaw-mv2d-4qbu
|
kernel: KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
|
CVE-2026-31592
|
|
VCID-7w9b-5ncz-jfbq
|
kernel: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
|
CVE-2026-46230
|
|
VCID-7x8k-fzmq-uqfk
|
kernel: drm/amd/display: Fix out-of-bound accesses
|
CVE-2025-21985
|
|
VCID-7xek-tb5s-kyby
|
kernel: ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
|
CVE-2026-31610
|
|
VCID-7xg3-nmm2-c3c2
|
kernel: media: vidtv: fix nfeeds state corruption on start_streaming failure
|
CVE-2026-31585
|
|
VCID-7xyk-3chx-9keg
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wake DMCUB before executing GPINT commands [Why] DMCUB can be in idle when we attempt to interface with the HW through the GPINT mailbox resulting in a system hang. [How] Add dc_wake_and_execute_gpint() to wrap the wake, execute, sleep sequence. If the GPINT executes successfully then DMCUB will be put back into sleep after the optional response is returned. It functions similar to the inbox command interface.
|
CVE-2023-52624
|
|
VCID-7z6c-mtvx-kufs
|
kernel: ntfs3: fix integer overflow in run_unpack() volume boundary check
|
CVE-2026-46062
|
|
VCID-81bs-h5re-ckhx
|
kernel: jfs: Fix null-ptr-deref in jfs_ioc_trim
|
CVE-2025-38203
|
|
VCID-81g1-bywe-yyb3
|
kernel: kprobes: avoid crash when rmmod/insmod after ftrace killed
|
CVE-2026-43409
|
|
VCID-82xy-72wt-nqfp
|
kernel: dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn
|
CVE-2025-38042
|
|
VCID-83ts-4hnr-jubv
|
kernel: i2c: s3c24xx: check the size of the SMBUS message before using it
|
CVE-2026-31627
|
|
VCID-8462-gzg8-nkcc
|
kernel: RDMA/siw: Remove direct link to net_device
|
CVE-2024-57857
|
|
VCID-84ta-rw6f-jqbs
|
kernel: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
|
CVE-2026-23468
|
|
VCID-85qz-x2kp-b3em
|
kernel: fs/9p: fix NULL pointer dereference on mkdir
|
CVE-2025-22070
|
|
VCID-86s3-pjkh-qkex
|
kernel: dm mirror: fix integer overflow in create_dirty_log()
|
CVE-2026-46023
|
|
VCID-87u5-4332-v7dm
|
kernel: ASoC: nau8821: Cancel delayed work on component remove
|
CVE-2026-45963
|
|
VCID-87xg-7fgu-e3h8
|
kernel: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
|
CVE-2025-21927
|
|
VCID-8a5s-9sfa-q3dp
|
kernel: io_uring/net: don't overflow multishot recv
|
CVE-2023-54030
|
|
VCID-8aef-4m1v-37as
|
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend When the system is suspended while audio is active, sof_ipc4_pcm_hw_free() is invoked to reset the pipelines, since during suspend the DSP is turned off; streams will be re-started after resume. If the firmware crashes while audio is running (or when we reset the stream before suspend) then sof_ipc4_set_multi_pipeline_state() will fail with an IPC error and the state change is interrupted. This will cause misalignment between the kernel and firmware state on the next DSP boot, resulting in errors returned by the firmware for IPC messages and eventually failing the audio resume. On stream close the errors are ignored, so the kernel state will be corrected on the next DSP boot, i.e. the second boot after the DSP panic. If sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then the state parameter is SOF_IPC4_PIPE_RESET, and only in this case. Treat a forced pipeline reset similarly to how we treat a pcm_free by ignoring the error on state sending, to allow the kernel's state to be consistent with the state the firmware will have after the next boot.
|
CVE-2024-27057
|
|
VCID-8dv7-mht7-pqaa
|
kernel: ocfs2: validate inline data i_size during inode read
|
CVE-2026-43076
|
|
VCID-8e2n-p7q1-jbh7
|
kernel: net: hns3: don't auto enable misc vector
|
CVE-2025-21651
|
|
VCID-8en9-7zbw-5ufg
|
kernel: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset()
|
CVE-2025-38195
|
|
VCID-8ga8-7jq6-4qfv
|
In the Linux kernel, the following vulnerability has been resolved: platform/x86: x86-android-tablets: Unregister devices in reverse order Not all subsystems support a device getting removed while there are still consumers of the device with a reference to the device. One example of this is the regulator subsystem. If a regulator gets unregistered while there are still drivers holding a reference, a WARN() at drivers/regulator/core.c:5829 triggers, e.g.: WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015 RIP: 0010:regulator_unregister Call Trace: <TASK> regulator_unregister devres_release_group i2c_device_remove device_release_driver_internal bus_remove_device device_del device_unregister x86_android_tablet_remove On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides a 5V boost converter output for powering USB devices connected to the micro USB port; the bq24190-charger driver exports this as a Vbus regulator. On the 830 (8") and 1050 ("10") models this regulator is controlled by a platform_device, and x86_android_tablet_remove() removes platform_device-s before i2c_clients, so the consumer gets removed first. But on the 1380 (13") model there is a lc824206xa micro-USB switch connected over I2C and the extcon driver for that controls the regulator. The bq24190 i2c-client *must* be registered first, because that creates the regulator with the lc824206xa listed as its consumer. If the regulator has not been registered yet the lc824206xa driver will end up getting a dummy regulator. Since in this case both the regulator provider and consumer are I2C devices, the only way to ensure that the consumer is unregistered first is to unregister the I2C devices in the reverse order of the one in which they were created.
For consistency and to avoid similar problems in the future change x86_android_tablet_remove() to unregister all device types in reverse order.
|
CVE-2024-40975
|
|
VCID-8gnz-gx93-vudc
|
kernel: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
|
CVE-2026-31708
|
|
VCID-8gz1-s2ux-3bfr
|
kernel: svcrdma: bound check rq_pages index in inline path
|
CVE-2025-71068
|
|
VCID-8he5-pkyb-nug9
|
kernel: Bluetooth: MGMT: Fix possible UAFs
|
CVE-2025-39981
|
|
VCID-8hzz-nvf8-nuaf
|
kernel: mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop
|
CVE-2025-40180
|
|
VCID-8j5t-9xgb-ukc8
|
kernel: ALSA: ctxfi: Add fallback to default RSR for S/PDIF
|
CVE-2026-46049
|
|
VCID-8m6g-4wxe-7ygg
|
kernel: dlm: prevent NPD when writing a positive value to event_done
|
CVE-2025-23131
|
|
VCID-8nnw-td3u-p3gy
|
kernel: media: saa7164: add ioremap return checks and cleanups
|
CVE-2026-46235
|
|
VCID-8p6s-anxs-5kas
|
A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. This issue occurs in the device cleanup routine due to a possible rearming of the watchdog_timer from the workqueue. This could allow a local user to crash the system, causing a denial of service.
|
CVE-2023-4134
|
|
VCID-8qjw-1gn8-r7gt
|
In the Linux kernel, the following vulnerability has been resolved: i2c: lpi2c: Avoid calling clk_get_rate during transfer Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding the tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already; it needs to access i2c, which in turn needs the mutex for clk_get_rate as well.
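The lock re-entry described above, as an added single-threaded model rather than the lpi2c driver's code. The model's mutex_lock() returns -EDEADLK when the lock is already held instead of hanging, so the bug becomes a return value. struct mutex, struct clk_core, clk_get_rate(), lpi2c_probe(), lpi2c_xfer_uncached(), lpi2c_xfer_cached() and codec_clk_register() are hypothetical stand-ins for the kernel objects the text names.

```c
#include <errno.h>
#include <stdio.h>

/* Non-recursive lock. Taking it twice from one context hangs for real; the
 * model returns -EDEADLK instead so the re-entry is observable. */
struct mutex {
	int held;
};

static int mutex_lock(struct mutex *m)
{
	if (m->held)
		return -EDEADLK;
	m->held = 1;
	return 0;
}

static void mutex_unlock(struct mutex *m)
{
	m->held = 0;
}

/* The clk framework's global prepare lock and a clock's rate. */
struct clk_core {
	struct mutex prepare_lock;
	unsigned long rate_hz;
};

/* clk_get_rate() takes the prepare lock, as the real one does. */
static int clk_get_rate(struct clk_core *clk, unsigned long *rate)
{
	int ret = mutex_lock(&clk->prepare_lock);

	if (ret)
		return ret;
	*rate = clk->rate_hz;
	mutex_unlock(&clk->prepare_lock);
	return 0;
}

struct lpi2c {
	struct clk_core *clk;
	unsigned long cached_rate;	/* set once at probe by the fixed driver */
};

/* Probe runs with no clk lock held: read the rate once and keep it. */
static int lpi2c_probe(struct lpi2c *dev)
{
	return clk_get_rate(dev->clk, &dev->cached_rate);
}

/* Before the fix: every transfer asks the clk framework for the rate. */
static int lpi2c_xfer_uncached(struct lpi2c *dev)
{
	unsigned long rate;

	return clk_get_rate(dev->clk, &rate);
}

/* After the fix: the transfer uses the cached rate and takes no clk lock. */
static int lpi2c_xfer_cached(struct lpi2c *dev)
{
	return dev->cached_rate ? 0 : -EINVAL;
}

/* The codec registers its clock under the prepare lock, and the clk core
 * then talks to the codec over I2C. Returns 0, or -EDEADLK on re-entry. */
static int codec_clk_register(struct lpi2c *i2c, int use_cached)
{
	int ret = mutex_lock(&i2c->clk->prepare_lock);

	if (ret)
		return ret;
	ret = use_cached ? lpi2c_xfer_cached(i2c) : lpi2c_xfer_uncached(i2c);
	mutex_unlock(&i2c->clk->prepare_lock);
	return ret;
}

static int lpi2c_scenario(int use_cached)
{
	struct clk_core clk = { { 0 }, 24000000UL };
	struct lpi2c i2c = { &clk, 0 };

	if (lpi2c_probe(&i2c))
		return -EIO;
	return codec_clk_register(&i2c, use_cached);
}

int main(void)
{
	int r = lpi2c_scenario(0);

	printf("clk_get_rate() per transfer: %d (%s)\n", r,
	       r == -EDEADLK ? "deadlock" : "ok");
	printf("cached rate: %d\n", lpi2c_scenario(1));
	return 0;
}
```

The caveat the real fix carries over: caching is only correct because the driver also pins the rate (the text says "lock the clock rate"), otherwise a later rate change would leave the cached value stale.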
|
CVE-2024-40965
|
|
VCID-8r9x-zpje-ufdq
|
In the Linux kernel, the following vulnerability has been resolved: net: ena: Add validation for completion descriptors consistency Validate that `first` flag is set only for the first descriptor in multi-buffer packets. In case of an invalid descriptor, a reset will occur. A new reset reason for RX data corruption has been added.
|
CVE-2024-40999
|
|
VCID-8ru3-745t-xbeg
|
kernel: ASoC: qcom: q6apm: move component registration to unmanaged version
|
CVE-2026-31587
|
|
VCID-8te4-ky3u-skfd
|
kernel: net/mlx5e: xsk: Fix crash on regular rq reactivation
|
CVE-2023-53394
|
|
VCID-8u5k-1tvr-b3ah
|
kernel: net: ioam6: fix OOB and missing lock
|
CVE-2026-43083
|
|
VCID-8usm-qmgu-uudv
|
kernel: erofs: fix inline data read failure for ztailpacking pclusters
|
CVE-2026-45943
|
|
VCID-8ve7-b7xm-cfd3
|
kernel: btrfs: avoid NULL pointer dereference if no valid extent tree
|
CVE-2025-21658
|
|
VCID-8wfq-6met-8kgw
|
kernel: drm/msm: Add error handling for krealloc in metadata setup
|
CVE-2025-39747
|
|
VCID-8xhs-5sqt-dyh4
|
kernel: batman-adv: stop tp_meter sessions during mesh teardown
|
CVE-2026-46208
|
|
VCID-8zrv-ahdx-ykej
|
kernel: Bluetooth: hci_sync: annotate data-races around hdev->req_status
|
CVE-2026-43119
|
|
VCID-913f-gya7-z7gv
|
kernel: btrfs: reject new transactions if the fs is fully read-only
|
CVE-2026-23214
|
|
VCID-91dq-3zbb-eqet
|
kernel: scsi: hisi_sas: Create all dump files during debugfs initialization
|
CVE-2024-56588
|
|
VCID-91p2-a2h2-3fh9
|
A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.
|
CVE-2024-25740
|
|
VCID-91wv-9yjq-wkef
|
kernel: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
|
CVE-2026-22996
|
|
VCID-92yh-n8su-bkah
|
kernel: ALSA: ctxfi: Limit PTP to a single page
|
CVE-2026-31602
|
|
VCID-93hx-2q51-27ac
|
kernel: mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
|
CVE-2026-31648
|
|
VCID-94as-r5ts-cbfa
|
kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match()
|
CVE-2025-40168
|
|
VCID-95fp-wpu1-nbad
|
kernel: smb: client: fix in-place encryption corruption in SMB2_write()
|
CVE-2026-43362
|
|
VCID-95rh-b457-2fh1
|
kernel: Linux kernel: Denial of Service due to improper resource deallocation in tracing functionality
|
CVE-2025-39829
|
|
VCID-96sp-mbf5-wuay
|
In the Linux kernel, the following vulnerability has been resolved: parisc: Try to fix random segmentation faults in package builds
PA-RISC systems with PA8800 and PA8900 processors have had problems with random segmentation faults for many years. Systems with earlier processors are much more stable. Systems with PA8800 and PA8900 processors have a large L2 cache which needs per page flushing for decent performance when a large range is flushed. The combined cache in these systems is also more sensitive to non-equivalent aliases than the caches in earlier systems. The majority of random segmentation faults that I have looked at appear to be memory corruption in memory allocated using mmap and malloc. My first attempt at fixing the random faults didn't work. On reviewing the cache code, I realized that there were two issues which the existing code didn't handle correctly. Both relate to cache move-in. Another issue is that the present bit in PTEs is racy.
1) PA-RISC caches have a mind of their own and they can speculatively load data and instructions for a page as long as there is an entry in the TLB for the page which allows move-in. TLBs are local to each CPU. Thus, the TLB entry for a page must be purged before flushing the page. This is particularly important on SMP systems. In some of the flush routines, the flush routine would be called and then the TLB entry would be purged. This was because the flush routine needed the TLB entry to do the flush.
2) My initial approach to trying to fix the random faults was to try and use flush_cache_page_if_present for all flush operations. This actually made things worse and led to a couple of hardware lockups. It finally dawned on me that some lines weren't being flushed because the pte check code was racy. This resulted in random inequivalent mappings to physical pages.
The __flush_cache_page tmpalias flush sets up its own TLB entry and it doesn't need the existing TLB entry. As long as we can find the pte pointer for the vm page, we can get the pfn and physical address of the page. We can also purge the TLB entry for the page before doing the flush. Further, __flush_cache_page uses a special TLB entry that inhibits cache move-in. When switching page mappings, we need to ensure that lines are removed from the cache. It is not sufficient to just flush the lines to memory as they may come back. This made it clear that we needed to implement all the required flush operations using tmpalias routines. This includes flushes for user and kernel pages. After modifying the code to use tmpalias flushes, it became clear that the random segmentation faults were not fully resolved. The frequency of faults was worse on systems with a 64 MB L2 (PA8900) and systems with more CPUs (rp4440). The warning that I added to flush_cache_page_if_present to detect pages that couldn't be flushed triggered frequently on some systems. Helge and I looked at the pages that couldn't be flushed and found that the PTE was either cleared or for a swap page. Ignoring pages that were swapped out seemed okay but pages with cleared PTEs seemed problematic. I looked at routines related to pte_clear and noticed ptep_clear_flush. The default implementation just flushes the TLB entry. However, it was obvious that on parisc we need to flush the cache page as well. If we don't flush the cache page, stale lines will be left in the cache and cause random corruption. Once a PTE is cleared, there is no way to find the physical address associated with the PTE and flush the associated page at a later time. I implemented an updated change with a parisc specific version of ptep_clear_flush. It fixed the random data corruption on Helge's rp4440 and rp3440, as well as on my c8000. At this point, I realized that I could restore the code where we only flush in flush_cache_page_if_present if the page has been accessed.
However, for this, we also need to flush the cache when the accessed bit is cleared in ---truncated---
|
CVE-2024-40918
|
|
VCID-989t-nkg7-h3g7
|
kernel: pmdomain: imx93-blk-ctrl: correct remove path
|
CVE-2024-53134
|
|
VCID-9943-gmpa-vqct
|
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix a memleak in gss_import_v2_context The ctx->mech_used.data allocated by kmemdup is freed in neither gss_import_v2_context nor its only caller gss_krb5_import_sec_context, which frees ctx on error. Thus, this patch reforms the last call of gss_import_v2_context to gss_krb5_import_ctx_v2, preventing the memleak while keeping the return formation.
|
CVE-2023-52653
|
|
VCID-9afn-v73t-7ya5
|
kernel: gfs2: fix memory leaks in gfs2_fill_super error path
|
CVE-2026-45961
|
|
VCID-9b44-qmse-rfas
|
kernel: rxrpc: Fix recv-recv race of completed call
|
CVE-2025-38524
|
|
VCID-9c51-emt6-43cq
|
kernel: Bluetooth: virtio_bt: validate rx pkt_type header length
|
CVE-2026-46186
|
|
VCID-9c9x-frp6-rufn
|
kernel: drm/amd/pm: fix null pointer access
|
CVE-2025-38705
|
|
VCID-9cgq-zhac-ybcm
|
kernel: KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT
|
CVE-2026-46032
|
|
VCID-9f3f-6g2b-bue1
|
kernel: iommu/vt-d: Clear Present bit before tearing down context entry
|
CVE-2026-45944
|
|
VCID-9gus-9fja-f7e3
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not return negative stream id for array
[WHY]
resource_stream_to_stream_idx returns an array index and it returns -1 when not found; however, -1 is not a valid array index number.
[HOW]
When this happens, call ASSERT(), and return a zero instead.
This fixes an OVERRUN and a NEGATIVE_RETURNS issue reported by Coverity.
|
CVE-2024-42118
|
|
VCID-9gwt-a5ac-2qe4
|
kernel: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP
|
CVE-2023-54263
|
|
VCID-9hr2-pz1m-muh9
|
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the same value twice, then obtain the lock, and reclaim from there to two different places, but crucially reclaim the same entry twice, resulting in the WARN_ONCE() a little later. Fix that by reading txq->read_ptr under lock.
|
CVE-2024-36922
|
|
VCID-9jba-rsk1-pygc
|
kernel: ASoC: SOF: Intel: hda: Fix NULL pointer dereference
|
CVE-2026-43137
|
|
VCID-9jn6-pdej-wygd
|
kernel: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
|
CVE-2026-23383
|
|
VCID-9kb2-xqxj-rygm
|
kernel: Linux kernel: Denial of Service via NULL pointer dereference in blk-cgroup
|
CVE-2023-54271
|
|
VCID-9myy-kwbc-67h6
|
kernel: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port
|
CVE-2025-38597
|
|
VCID-9n5y-eu7q-6ua4
|
|
CVE-2026-45981
|
|
VCID-9nmw-sbv9-v7f7
|
kernel: net/sched: Fix backlog accounting in qdisc_dequeue_internal
|
CVE-2025-39677
|
|
VCID-9pbe-cuyx-xug2
|
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Update cpu_sibling_map when disabling nonboot CPUs
Update cpu_sibling_map when disabling nonboot CPUs by defining & calling clear_cpu_sibling_map(), otherwise we get such errors on SMT systems:
jump label: negative count!
WARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100
CPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340
pc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20
a0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280
a4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001
t0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000
t4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964
t8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8
s1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040
s5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006
ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100
ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100
CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
PRMD: 00000004 (PPLV0 +PIE -PWE)
EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
ECFG: 00071c1c (LIE=2-4,10-12 VS=7)
ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)
CPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340
Stack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000
        90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0
        900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001
        0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0
        0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f
        6f4c203a656d616e 000000000009ec99 0000000007f38000 0000000000000000
        900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000
        0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4
        0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c
        00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
        ...
Call Trace:
[<9000000000224528>] show_stack+0x48/0x1a0
[<900000000179afc8>] dump_stack_lvl+0x78/0xa0
[<9000000000263ed0>] __warn+0x90/0x1a0
[<90000000017419b8>] report_bug+0x1b8/0x280
[<900000000179c564>] do_bp+0x264/0x420
[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100
[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300
[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0
[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240
[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0
[<900000000029a720>] kthread+0x140/0x160
[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4
|
CVE-2024-26841
|
|
VCID-9pkt-xuuk-73a8
|
kernel: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
|
CVE-2026-31595
|
|
VCID-9qvz-mrkc-7kbj
|
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove
The following warning is seen during bwmon_remove due to a refcount imbalance; fix this by releasing the OPPs after use.
Logs:
WARNING: at drivers/opp/core.c:1640 _opp_table_kref_release+0x150/0x158
Hardware name: Qualcomm Technologies, Inc. X1E80100 CRD (DT)
...
Call trace:
 _opp_table_kref_release+0x150/0x158
 dev_pm_opp_remove_table+0x100/0x1b4
 devm_pm_opp_of_table_release+0x10/0x1c
 devm_action_release+0x14/0x20
 devres_release_all+0xa4/0x104
 device_unbind_cleanup+0x18/0x60
 device_release_driver_internal+0x1ec/0x228
 driver_detach+0x50/0x98
 bus_remove_driver+0x6c/0xbc
 driver_unregister+0x30/0x60
 platform_driver_unregister+0x14/0x20
 bwmon_driver_exit+0x18/0x524 [icc_bwmon]
 __arm64_sys_delete_module+0x184/0x264
 invoke_syscall+0x48/0x118
 el0_svc_common.constprop.0+0xc8/0xe8
 do_el0_svc+0x20/0x2c
 el0_svc+0x34/0xdc
 el0t_64_sync_handler+0x13c/0x158
 el0t_64_sync+0x190/0x194
--[ end trace 0000000000000000 ]---
|
CVE-2024-43850
|
|
VCID-9r99-xxqs-c7gq
|
kernel: fsl/fman: Fix refcount handling of fman-related devices
|
CVE-2024-50166
|
|
VCID-9rmj-e3zy-kfhb
|
kernel: net: use skb_header_pointer() for TCPv4 GSO frag_off check
|
CVE-2026-43036
|
|
VCID-9rp9-7xn9-kffn
|
kernel: interconnect: Fix locking for runpm vs reclaim
|
CVE-2023-54013
|
|
VCID-9sd9-gbg6-r7ff
|
kernel: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
|
CVE-2026-46046
|
|
VCID-9sxe-jbj3-7fhr
|
kernel: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
|
CVE-2026-46158
|
|
VCID-9t3n-39m3-s3a5
|
kernel: RDMA/rxe: Reject unknown opcodes before ICRC processing
|
CVE-2026-46133
|
|
VCID-9tqt-46fb-9ugy
|
kernel: drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability
|
CVE-2024-53051
|
|
VCID-9v4n-nres-2kfn
|
kernel: ksmbd: validate EaNameLength in smb2_get_ea()
|
CVE-2026-31612
|
|
VCID-9wb8-qrzj-8qcf
|
kernel: KVM: x86: Use scratch field in MMIO fragment to hold small write values
|
CVE-2026-31588
|
|
VCID-9wh1-8hg9-1bca
|
kernel: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
|
CVE-2026-45841
|
|
VCID-9xbd-svtj-37dj
|
kernel: net: fix NULL pointer dereference in l3mdev_l3_rcv
|
CVE-2025-22103
|
|
VCID-9xhz-53za-4ubq
|
In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix task_struct reference leak
During the execution of the following stress test with linux-rt:
stress-ng --cyclic 30 --timeout 30 --minimize --quiet
kmemleak frequently reported a memory leak concerning the task_struct:
unreferenced object 0xffff8881305b8000 (size 16136):
  comm "stress-ng", pid 614, jiffies 4294883961 (age 286.412s)
  object hex dump (first 32 bytes):
    02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .@..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  debug hex dump (first 16 bytes):
    53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00  S...............
  backtrace:
    [<00000000046b6790>] dup_task_struct+0x30/0x540
    [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0
    [<00000000ced59777>] kernel_clone+0xb0/0x770
    [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0
    [<000000001dbf2008>] do_syscall_64+0x5d/0xf0
    [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
The issue occurs in start_dl_timer(), which increments the task_struct reference count and sets a timer. The timer callback, dl_task_timer, is supposed to decrement the reference count upon expiration. However, if enqueue_task_dl() is called before the timer expires and cancels it, the reference count is not decremented, leading to the leak. This patch fixes the reference leak by ensuring the task_struct reference count is properly decremented when the timer is canceled.
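The reference-count protocol behind the leak (a pending timer owns one reference; whoever prevents the callback from running inherits the duty to drop it), as an added user-space model, not kernel code. struct task, task_alloc()/task_get()/task_put(), dl_timer_arm(), dl_timer_fire() and the two cancel variants are hypothetical stand-ins for task_struct, start_dl_timer(), dl_task_timer() and the cancel path in enqueue_task_dl().

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for task_struct: only the reference count matters here. */
struct task {
	int refs;
};

/* Stand-in for the deadline timer; a pending timer owns one task reference. */
struct dl_timer {
	struct task *owner;
	int armed;
};

static struct task *task_alloc(void)
{
	struct task *t = calloc(1, sizeof(*t));

	if (t)
		t->refs = 1;	/* the owner's reference */
	return t;
}

static void task_get(struct task *t)
{
	t->refs++;
}

/* Returns the remaining count; 0 means the object would now be freed. */
static int task_put(struct task *t)
{
	return --t->refs;
}

/* start_dl_timer(): take a reference that the callback will drop. */
static void dl_timer_arm(struct dl_timer *tm, struct task *t)
{
	task_get(t);
	tm->owner = t;
	tm->armed = 1;
}

/* dl_task_timer(): the callback drops the timer's reference on expiry. */
static void dl_timer_fire(struct dl_timer *tm)
{
	if (!tm->armed)
		return;
	tm->armed = 0;
	task_put(tm->owner);
}

/* Buggy cancel: stops a pending timer but forgets that the callback, which
 * will now never run, was the one holding the reference. */
static void dl_timer_cancel_leaky(struct dl_timer *tm)
{
	tm->armed = 0;
}

/* Fixed cancel: if the cancel actually stopped a pending timer, drop the
 * reference on the callback's behalf. */
static void dl_timer_cancel_fixed(struct dl_timer *tm)
{
	if (tm->armed) {
		tm->armed = 0;
		task_put(tm->owner);
	}
}

/* Arm the timer, optionally cancel it before expiry, then let the owner drop
 * its own reference. Returns the references left over: 0 means the task was
 * freed, anything higher is the leak kmemleak reported above. */
static int dl_timer_scenario(int cancel, int fixed)
{
	struct task *t = task_alloc();
	struct dl_timer tm = { NULL, 0 };
	int leftover;

	if (!t)
		return -1;
	dl_timer_arm(&tm, t);			/* refs == 2 */
	if (cancel) {
		if (fixed)
			dl_timer_cancel_fixed(&tm);
		else
			dl_timer_cancel_leaky(&tm);
	}
	dl_timer_fire(&tm);			/* no-op if cancelled */
	leftover = task_put(t);			/* owner's reference */
	free(t);				/* the model always reclaims */
	return leftover;
}

int main(void)
{
	printf("timer expires normally: %d left\n", dl_timer_scenario(0, 0));
	printf("cancelled, leaky path:  %d left\n", dl_timer_scenario(1, 0));
	printf("cancelled, fixed path:  %d left\n", dl_timer_scenario(1, 1));
	return 0;
}
```

The check worth carrying into real code: the drop in the cancel path must be conditional on the cancel having actually stopped a pending timer, otherwise a cancel that races with an already-running callback drops the reference twice and turns the leak into a use-after-free.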
|
CVE-2024-41023
|
|
VCID-9ywr-d4fv-jbhc
|
kernel: Linux kernel: A use-after-free in bridge multicast in br_multicast_port_ctx_init
|
CVE-2025-38248
|
|
VCID-9zwa-j9s1-u7f7
|
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to cover read extent cache access with lock
syzbot reports a f2fs bug as below:
BUG: KASAN: slab-use-after-free in sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
Read of size 4 at addr ffff8880739ab220 by task syz-executor200/5097
CPU: 0 PID: 5097 Comm: syz-executor200 Not tainted 6.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 sanity_check_extent_cache+0x370/0x410 fs/f2fs/extent_cache.c:46
 do_read_inode fs/f2fs/inode.c:509 [inline]
 f2fs_iget+0x33e1/0x46e0 fs/f2fs/inode.c:560
 f2fs_nfs_get_inode+0x74/0x100 fs/f2fs/super.c:3237
 generic_fh_to_dentry+0x9f/0xf0 fs/libfs.c:1413
 exportfs_decode_fh_raw+0x152/0x5f0 fs/exportfs/expfs.c:444
 exportfs_decode_fh+0x3c/0x80 fs/exportfs/expfs.c:584
 do_handle_to_path fs/fhandle.c:155 [inline]
 handle_to_path fs/fhandle.c:210 [inline]
 do_handle_open+0x495/0x650 fs/fhandle.c:226
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
We missed covering sanity_check_extent_cache() w/ the extent cache lock, so the below race case may happen, resulting in a use-after-free issue.
- f2fs_iget
 - do_read_inode
  - f2fs_init_read_extent_tree
  : add largest extent entry in to cache
                                        - shrink
                                         - f2fs_shrink_read_extent_tree
                                          - __shrink_extent_tree
                                           - __detach_extent_node
                                           : drop largest extent entry
  - sanity_check_extent_cache
  : access et->largest w/o lock
Let's refactor sanity_check_extent_cache() to avoid extent cache access and call it before f2fs_init_read_extent_tree() to fix this issue.
|
CVE-2024-44941
|
|
VCID-a1s8-xmrh-9bf3
|
In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command
In some scenarios, if too many commands are issued by nvme command at the same time by user tasks, this may exhaust all tags of admin_q. If a reset (nvme reset or IO timeout) occurs before these commands finish, the reconnect routine may fail to update nvme regs due to insufficient tags, which will cause the kernel to hang forever. In order to work around this issue, maybe we can let reg_read32()/reg_read64()/reg_write32() use reserved tags. This may be safe for nvmf:
1. For the disable ctrl path, we will not issue connect command
2. For the enable ctrl / fw activate path, connect and reg_xx() are called serially, so the reserved tags may still be enough while reg_xx() uses reserved tags.
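The tag partitioning the commit relies on, as an added model rather than nvme-fabrics or blk-mq code: a small tag pool whose reserved range is never handed to user passthrough commands, so a register read during reconnect still finds a tag after the normal range has been exhausted. struct tagpool, tagpool_get(), tagpool_get_reserved(), tagpool_put(), flood_admin_queue(), reg_read32() and reconnect_after_flood() are hypothetical names; the real mechanism is blk-mq's reserved tags.

```c
#include <stdio.h>

#define NR_TAGS		8
#define NR_RESERVED	2	/* tags set aside for the control path */

/* Tag pool: [0, NR_RESERVED) is reserved, [NR_RESERVED, NR_TAGS) is shared. */
struct tagpool {
	unsigned char busy[NR_TAGS];
};

static int tagpool_get_range(struct tagpool *p, int lo, int hi)
{
	int i;

	for (i = lo; i < hi; i++) {
		if (!p->busy[i]) {
			p->busy[i] = 1;
			return i;
		}
	}
	return -1;	/* the real allocator would block waiting for a tag */
}

/* Normal tag, as user passthrough commands get. */
static int tagpool_get(struct tagpool *p)
{
	return tagpool_get_range(p, NR_RESERVED, NR_TAGS);
}

/* Reserved tag, akin to a blk-mq reserved-tag allocation. */
static int tagpool_get_reserved(struct tagpool *p)
{
	return tagpool_get_range(p, 0, NR_RESERVED);
}

static void tagpool_put(struct tagpool *p, int tag)
{
	if (tag >= 0 && tag < NR_TAGS)
		p->busy[tag] = 0;
}

/* A user task floods the admin queue; none of these commands complete before
 * the reset hits, so their tags stay busy. Returns the tags consumed. */
static int flood_admin_queue(struct tagpool *p)
{
	int n = 0;

	while (tagpool_get(p) >= 0)
		n++;
	return n;
}

/* reg_read32() during reconnect. Before the fix it competes for a normal tag;
 * after the fix it takes a reserved one. Returns 0 on success, -1 if it would
 * block forever (the hang described above). */
static int reg_read32(struct tagpool *p, int use_reserved)
{
	int tag = use_reserved ? tagpool_get_reserved(p) : tagpool_get(p);

	if (tag < 0)
		return -1;
	/* ... the Property Get command would be issued under this tag ... */
	tagpool_put(p, tag);
	return 0;
}

static int reconnect_after_flood(int use_reserved)
{
	struct tagpool p = { { 0 } };

	flood_admin_queue(&p);
	return reg_read32(&p, use_reserved);
}

int main(void)
{
	printf("reg_read32 with normal tag after flood:   %d\n",
	       reconnect_after_flood(0));
	printf("reg_read32 with reserved tag after flood: %d\n",
	       reconnect_after_flood(1));
	return 0;
}
```

The reserve only helps if it is sized for every control-path user that can hold a tag at the same time; the commit's argument that connect and reg_xx() run serially on the enable path is what makes a small reserve sufficient.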
|
CVE-2024-41082
|
|
VCID-a1sf-776n-dyb8
|
In the Linux kernel, the following vulnerability has been resolved: ice: Don't process extts if PTP is disabled The ice_ptp_extts_event() function can race with ice_ptp_release() and result in a NULL pointer dereference which leads to a kernel panic. Panic occurs because the ice_ptp_extts_event() function calls ptp_clock_event() with a NULL pointer. The ice driver has already released the PTP clock by the time the interrupt for the next external timestamp event occurs. To fix this, modify the ice_ptp_extts_event() function to check the PTP state and bail early if PTP is not ready.
|
CVE-2024-42107
|
|
VCID-a2sv-jpsc-w7h8
|
kernel: ipmi:ssif: Clean up kthread on errors
|
CVE-2026-46044
|
|
VCID-a3yf-n4j2-2bga
|
kernel: sfc: fix NULL dereferences in ef100_process_design_param()
|
CVE-2025-37860
|
|
VCID-a4n3-5pev-nkhd
|
kernel: drm/amd/display: increase max link count and fix link->enc NULL pointer access
|
CVE-2025-40354
|
|
VCID-a5vf-ryt4-zyb1
|
In the Linux kernel, the following vulnerability has been resolved: cxl/port: Fix delete_endpoint() vs parent unregistration race
The CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of ports (struct cxl_port objects) between an endpoint and the root of a CXL topology. Each port including the endpoint port is attached to the cxl_port driver. Given that setup, it follows that when any port in that lineage goes through a cxl_port ->remove() event, or the memdev goes through a cxl_mem ->remove() event, the hierarchy below the removed port, or the entire hierarchy if the memdev is removed, needs to come down. The delete_endpoint() callback is careful to check whether it is being called to tear down the hierarchy, or if it is only being called to teardown the memdev because an ancestor port is going through ->remove(). That care needs to take the device_lock() of the endpoint's parent. Which requires 2 bugs to be fixed:
1/ A reference on the parent is needed to prevent use-after-free scenarios like this signature:
BUG: spinlock bad magic on CPU#0, kworker/u56:0/11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023
Workqueue: cxl_port detach_memdev [cxl_core]
RIP: 0010:spin_bug+0x65/0xa0
Call Trace:
 do_raw_spin_lock+0x69/0xa0
 __mutex_lock+0x695/0xb80
 delete_endpoint+0xad/0x150 [cxl_core]
 devres_release_all+0xb8/0x110
 device_unbind_cleanup+0xe/0x70
 device_release_driver_internal+0x1d2/0x210
 detach_memdev+0x15/0x20 [cxl_core]
 process_one_work+0x1e3/0x4c0
 worker_thread+0x1dd/0x3d0
2/ In the case of RCH topologies, the parent device that needs to be locked is not always @port->dev as returned by cxl_mem_find_port(), use endpoint->dev.parent instead.
|
CVE-2023-52771
|
|
VCID-a62x-2px1-tfa8
|
kernel: mpls: add seqcount to protect the platform_label{,s} pair
|
CVE-2026-43042
|
|
VCID-a64b-5b73-zqfw
|
kernel: Linux kernel: Denial of Service in kTLS due to race condition in receive path
|
CVE-2025-38616
|
|
VCID-a69z-seup-33a6
|
kernel: scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()
|
CVE-2024-57872
|
|
VCID-a8n1-7q38-5fhh
|
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add callback function pointer check before its call In dpu_core_irq_callback_handler() callback function pointer is compared to NULL, but then callback function is unconditionally called by this pointer. Fix this bug by adding conditional return. Found by Linux Verification Center (linuxtesting.org) with SVACE. Patchwork: https://patchwork.freedesktop.org/patch/588237/
|
CVE-2024-38622
|
|
VCID-a8rx-4ufy-m3g5
|
kernel: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition
|
CVE-2026-43443
|
|
VCID-a91t-zyzf-kqdc
|
kernel: mm/smaps: fix race between smaps_hugetlb_range and migration
|
CVE-2025-39754
|
|
VCID-aa2f-kqqc-uug3
|
kernel: af_unix: read UNIX_DIAG_VFS data under unix_state_lock
|
CVE-2026-31673
|
|
VCID-acrn-tqmw-3baz
|
kernel: f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
|
CVE-2024-53221
|
|
VCID-aczn-u94v-dyge
|
kernel: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
|
CVE-2026-46018
|
|
VCID-aef3-pt58-5qcn
|
kernel: hfs: fix general protection fault in hfs_find_init()
|
CVE-2025-38716
|
|
VCID-agz8-xv9n-7qfh
|
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate meta inode pages forcely
Below race case can cause data corruption:
Thread A                              GC thread
                                      - gc_data_segment
                                       - ra_data_block
                                        - locked meta_inode page
- f2fs_inplace_write_data
 - invalidate_mapping_pages
 : fail to invalidate meta_inode page due to lock failure or dirty|writeback status
 - f2fs_submit_page_bio
 : write last dirty data to old blkaddr
                                       - move_data_block
                                        - load old data from meta_inode page
                                        - f2fs_submit_page_write
                                        : write old data to new blkaddr
Because invalidate_mapping_pages() will skip invalidating pages which have an unclear status, including locked, dirty, writeback and so on, we need to use truncate_inode_pages_range() instead of invalidate_mapping_pages() to make sure the meta_inode page will be dropped.
|
CVE-2024-26869
|
|
VCID-ah2n-swty-wyez
|
In the Linux kernel, the following vulnerability has been resolved: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray
Patch series "mm/filemap: Limit page cache size to that supported by xarray", v2.
Currently, xarray can't support arbitrary page cache size. More details can be found from the WARN_ON() statement in xas_split_alloc(). In our test whose code is attached below, we hit the WARN_ON() on ARM64 system where the base page size is 64KB and huge page size is 512MB. The issue was reported a long time ago and some discussions on it can be found here [1].
[1] https://www.spinics.net/lists/linux-xfs/msg75404.html
In order to fix the issue, we need to adjust MAX_PAGECACHE_ORDER to one supported by xarray and avoid PMD-sized page cache if needed. The code changes are suggested by David Hildenbrand.
PATCH[1] adjusts MAX_PAGECACHE_ORDER to that supported by xarray
PATCH[2-3] avoids PMD-sized page cache in the synchronous readahead path
PATCH[4] avoids PMD-sized page cache for shmem files if needed
Test program
============
# cat test.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>

#define TEST_XFS_FILENAME	"/tmp/data"
#define TEST_SHMEM_FILENAME	"/dev/shm/data"
#define TEST_MEM_SIZE		0x20000000

int main(int argc, char **argv)
{
	const char *filename;
	int fd = 0;
	void *buf = (void *)-1;
	int pgsize = getpagesize();
	int ret;

	if (pgsize != 0x10000) {
		fprintf(stderr, "64KB base page size is required\n");
		return -EPERM;
	}

	system("echo force > /sys/kernel/mm/transparent_hugepage/shmem_enabled");
	system("rm -fr /tmp/data");
	system("rm -fr /dev/shm/data");
	system("echo 1 > /proc/sys/vm/drop_caches");

	/* Open xfs or shmem file */
	filename = TEST_XFS_FILENAME;
	if (argc > 1 && !strcmp(argv[1], "shmem"))
		filename = TEST_SHMEM_FILENAME;

	/* O_CREAT requires a mode argument; 0600 supplied here */
	fd = open(filename, O_CREAT | O_RDWR | O_TRUNC, 0600);
	if (fd < 0) {
		fprintf(stderr, "Unable to open <%s>\n", filename);
		return -EIO;
	}

	/* Extend file size */
	ret = ftruncate(fd, TEST_MEM_SIZE);
	if (ret) {
		fprintf(stderr, "Error %d to ftruncate()\n", ret);
		goto cleanup;
	}

	/* Create VMA */
	buf = mmap(NULL, TEST_MEM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (buf == (void *)-1) {
		fprintf(stderr, "Unable to mmap <%s>\n", filename);
		goto cleanup;
	}

	fprintf(stdout, "mapped buffer at 0x%p\n", buf);
	ret = madvise(buf, TEST_MEM_SIZE, MADV_HUGEPAGE);
	if (ret) {
		fprintf(stderr, "Unable to madvise(MADV_HUGEPAGE)\n");
		goto cleanup;
	}

	/* Populate VMA */
	ret = madvise(buf, TEST_MEM_SIZE, MADV_POPULATE_WRITE);
	if (ret) {
		fprintf(stderr, "Error %d to madvise(MADV_POPULATE_WRITE)\n", ret);
		goto cleanup;
	}

	/* Punch the file to enforce xarray split */
	ret = fallocate(fd, FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE,
			TEST_MEM_SIZE - pgsize, pgsize);
	if (ret)
		fprintf(stderr, "Error %d to fallocate()\n", ret);

cleanup:
	if (buf != (void *)-1)
		munmap(buf, TEST_MEM_SIZE);
	if (fd > 0)
		close(fd);

	return 0;
}

# gcc test.c -o test
# cat /proc/1/smaps | grep KernelPageSize | head -n 1
KernelPageSize:       64 kB
# ./test shmem
   :
------------[ cut here ]------------
WARNING: CPU: 17 PID: 5253 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set nf_tables rfkill nfnetlink vfat fat virtio_balloon \
drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \
virtio_net sha1_ce net_failover failover virtio_console virtio_blk \
dimlib virtio_mmio
CPU: 17 PID: 5253 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #12
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TC ---truncated---
|
CVE-2024-42243
|
|
VCID-ah4m-mx3f-mfa3
|
kernel: af_unix: Give up GC if MSG_PEEK intervened
|
CVE-2026-23394
|
|
VCID-ajhg-jc8m-1fct
|
kernel: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
|
CVE-2026-31500
|
|
VCID-ajyb-nghk-gbct
|
kernel: udmabuf: change folios array from kmalloc to kvmalloc
|
CVE-2024-56544
|
|
VCID-akzh-e3va-ffdt
|
kernel: Linux kernel: Denial of Service via integer overflow in dm-stripe
|
CVE-2025-39940
|
|
VCID-ams6-gjza-1fe5
|
kernel: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
|
CVE-2026-23035
|
|
VCID-apzv-66pk-muh2
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak in map from abort path
The delete set command does not rely on the transaction object for element removal; therefore, a combination of delete element + delete set from the abort path could result in restoring twice the refcount of the mapping. Check for inactive element in the next generation for the delete element command in the abort path, skip restoring state if next generation bit has been already cleared. This is similar to the activate logic using the set walk iterator.
[ 6170.286929] ------------[ cut here ]------------
[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.287071] Modules linked in: [...]
[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365
[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f
[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202
[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000
[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750
[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55
[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10
[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100
[ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000
[ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0
[ 6170.287962] Call Trace:
[ 6170.287967]  <TASK>
[ 6170.287973]  ? __warn+0x9f/0x1a0
[ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.288092]  ? report_bug+0x1b1/0x1e0
[ 6170.288104]  ? handle_bug+0x3c/0x70
[ 6170.288112]  ? exc_invalid_op+0x17/0x40
[ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20
[ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
[ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
[ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]
|
CVE-2024-27011
|
|
VCID-aqxq-sr4b-n7dp
|
kernel: smb: server: let send_done handle a completion without IB_SEND_SIGNALED
|
CVE-2026-31536
|
|
VCID-arem-spxm-7fbk
|
kernel: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()
|
CVE-2024-53068
|
|
VCID-asa3-5h1k-wych
|
kernel: jfs: fix array-index-out-of-bounds read in add_missing_indices
|
CVE-2025-38204
|
|
VCID-asna-dv2f-abgx
|
kernel: l2tp: prevent possible tunnel refcount underflow
|
CVE-2024-49940
|
|
VCID-assx-fhys-jfe2
|
In the Linux kernel, the following vulnerability has been resolved: net: phy: phy_device: Prevent nullptr exceptions on ISR If phydev->irq is set unconditionally, check for valid interrupt handler or fall back to polling mode to prevent nullptr exceptions in interrupt service routine.
|
CVE-2024-35945
|
|
VCID-au69-ssv8-wffy
|
kernel: sound: ua101: fix division by zero at probe
|
CVE-2026-46184
|
|
VCID-az18-n6jc-zqba
|
kernel: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
|
CVE-2026-31622
|
|
VCID-b155-4pmw-5kct
|
kernel: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices
|
CVE-2025-21649
|
|
VCID-b1zm-r6nr-wfan
|
kernel: wifi: b43: enforce bounds check on firmware key index in b43_rx()
|
CVE-2026-46122
|
|
VCID-b2u3-w3y7-ufh4
|
kernel: ipmi:si: Return state to normal if message allocation fails
|
CVE-2026-46108
|
|
VCID-b374-5mmh-2ud8
|
kernel: bpf: Prevent tailcall infinite loop caused by freplace
|
CVE-2024-47794
|
|
VCID-b3rm-31tt-syed
|
kernel: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
|
CVE-2026-31698
|
|
VCID-b48g-xhgu-9ke8
|
kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop
|
CVE-2026-46090
|
|
VCID-b4nb-r6zs-cqf5
|
kernel: net: add proper RCU protection to /proc/net/ptype
|
CVE-2026-23255
|
|
VCID-b4s1-j2ye-s7hp
|
kernel: ext4: avoid deadlock in fs reclaim with page writeback
|
CVE-2023-53149
|
|
VCID-b5vn-pb4e-4kgt
|
kernel: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value
|
CVE-2024-50009
|
|
VCID-b63v-qyb3-a3hg
|
kernel: hfsplus: fix uninit-value by validating catalog record size
|
CVE-2026-46169
|
|
VCID-b65x-qfnt-tugf
|
kernel: coresight: Fix memory leak in acpi_buffer->pointer
|
CVE-2023-53261
|
|
VCID-b78g-9jb1-dqan
|
kernel: Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
|
CVE-2025-21969
|
|
VCID-b7yn-a1n3-5bg3
|
kernel: pinmux: Use sequential access to access desc->pinmux data
|
CVE-2024-47141
|
|
VCID-b8ax-m5r3-wffb
|
kernel: drm/amd/display: Increase block_sequence array size
|
CVE-2025-38080
|
|
VCID-b8qh-zp4w-pyfy
|
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain According to i.MX8MP RM and HDMI ADD, the fdcc clock is part of hdmi rx verification IP that should not be enabled for HDMI TX. But actually if the clock is disabled before HDMI/LCDIF probe, LCDIF will not get pixel clock from HDMI PHY and print the error logs: [CRTC:39:crtc-2] vblank wait timed out WARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260 Add fdcc clock to LCDIF and HDMI TX power domains to fix the issue.
|
CVE-2024-35942
|
|
VCID-b9nv-ns3h-c7a2
|
In the Linux kernel, the following vulnerability has been resolved: net: esp: fix bad handling of pages from page_pool When the skb is reorganized during esp_output (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through put_page. But if the skb fragment pages are originating from a page_pool, calling put_page on them will trigger a page_pool leak which will eventually result in a crash. This leak can be easily observed when using CONFIG_DEBUG_VM and doing ipsec + gre (non offloaded) forwarding: BUG: Bad page state in process ksoftirqd/16 pfn:1451b6 page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6 flags: 0x200000000000000(node=0|zone=2) page_type: 0xffffffff() raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000 raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000 page dumped because: page_pool leak Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core] CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x36/0x50 bad_page+0x70/0xf0 free_unref_page_prepare+0x27a/0x460 free_unref_page+0x38/0x120 esp_ssg_unref.isra.0+0x15f/0x200 esp_output_tail+0x66d/0x780 esp_xmit+0x2c5/0x360 validate_xmit_xfrm+0x313/0x370 ? validate_xmit_skb+0x1d/0x330 validate_xmit_skb_list+0x4c/0x70 sch_direct_xmit+0x23e/0x350 __dev_queue_xmit+0x337/0xba0 ? 
nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x25e/0x580 iptunnel_xmit+0x19b/0x240 ip_tunnel_xmit+0x5fb/0xb60 ipgre_xmit+0x14d/0x280 [ip_gre] dev_hard_start_xmit+0xc3/0x1c0 __dev_queue_xmit+0x208/0xba0 ? nf_hook_slow+0x3f/0xd0 ip_finish_output2+0x1ca/0x580 ip_sublist_rcv_finish+0x32/0x40 ip_sublist_rcv+0x1b2/0x1f0 ? ip_rcv_finish_core.constprop.0+0x460/0x460 ip_list_rcv+0x103/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x1b3/0x2c0 napi_gro_receive+0xc8/0x200 gro_cell_poll+0x52/0x90 __napi_poll+0x25/0x1a0 net_rx_action+0x28e/0x300 __do_softirq+0xc3/0x276 ? sort_range+0x20/0x20 run_ksoftirqd+0x1e/0x30 smpboot_thread_fn+0xa6/0x130 kthread+0xcd/0x100 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x31/0x50 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 </TASK> The suggested fix is to introduce a new wrapper (skb_page_unref) that covers page refcounting for page_pool pages as well.
|
CVE-2024-26953
|
|
VCID-bads-rvn9-hbhq
|
kernel: nfsd: release svc_expkey/svc_export with rcu_work
|
CVE-2024-53216
|
|
VCID-bcqf-63bc-jfgr
|
kernel: crypto: authencesn - reject short ahash digests during instance creation
|
CVE-2026-46033
|
|
VCID-bd8e-uyqa-sbcz
|
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken *inside* kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires the kvm->lock while already holding the vcpu->mutex lock from kvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by protecting the hyp vm handle with the config_lock, much like we already do for other forms of VM-scoped data.
|
CVE-2024-26691
|
|
VCID-bdzt-dx77-c7bp
|
In the Linux kernel, the following vulnerability has been resolved: nouveau: lock the client object tree. It appears the client object tree has no locking unless I've missed something else. Fix races around adding/removing client objects, mostly vram bar mappings. 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI [ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27 [ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021 [ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau] [ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe [ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206 [ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58 [ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400 [ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000 [ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0 [ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007 [ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000 [ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0 [ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4562.099544] Call Trace: [ 4562.099555] <TASK> [ 4562.099573] ? die_addr+0x36/0x90 [ 4562.099583] ? exc_general_protection+0x246/0x4a0 [ 4562.099593] ? asm_exc_general_protection+0x26/0x30 [ 4562.099600] ? 
nvkm_object_search+0x1d/0x70 [nouveau] [ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau] [ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau] [ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau] [ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0 [ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm] [ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270 [ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau] [ 4562.100356] __do_fault+0x32/0x150 [ 4562.100362] do_fault+0x7c/0x560 [ 4562.100369] __handle_mm_fault+0x800/0xc10 [ 4562.100382] handle_mm_fault+0x17c/0x3e0 [ 4562.100388] do_user_addr_fault+0x208/0x860 [ 4562.100395] exc_page_fault+0x7f/0x200 [ 4562.100402] asm_exc_page_fault+0x26/0x30 [ 4562.100412] RIP: 0033:0x9b9870 [ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7 [ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246 [ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000 [ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066 [ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000 [ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff [ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 4562.100446] </TASK> [ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp 
snd_sof_intel_hda_mlink ---truncated---
|
CVE-2024-27062
|
|
VCID-be5f-qq8x-yyca
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Guard stack limits against 32bit overflow This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with an int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to a u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904
|
CVE-2023-52676
|
|
VCID-bf4d-ux9u-yybs
|
kernel: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
|
CVE-2026-46116
|
|
VCID-bf8c-2zh3-z7gz
|
kernel: bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
|
CVE-2025-39886
|
|
VCID-bgxd-5sn3-zqb9
|
kernel: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
|
CVE-2026-31579
|
|
VCID-bh64-9kub-efg4
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Prevent crash when disable stream [Why] Disabling stream encoder invokes a function that no longer exists. [How] Check if the function declaration is NULL in disable stream encoder.
|
CVE-2024-35799
|
|
VCID-bh9j-9yap-8ydw
|
kernel: habanalabs: fix UAF in export_dmabuf()
|
CVE-2025-38722
|
|
VCID-bhjm-r1e1-fbeh
|
kernel: net/rds: reset op_nents when zerocopy page pin fails
|
CVE-2026-43494
|
|
VCID-bhw2-7e12-vbbs
|
kernel: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
|
CVE-2026-43219
|
|
VCID-bj6s-1ase-87f6
|
kernel: udf: refactor inode_bmap() to handle error
|
CVE-2024-50211
|
|
VCID-bk5m-3sd5-hqce
|
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Limit read size on v1.2 Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was increased from 16 to 256. In order to avoid overflowing reads for older systems, add a mechanism to use the read UCSI version to truncate read sizes on UCSI v1.2.
|
CVE-2024-35924
|
|
VCID-bks6-5jc8-jqet
|
kernel: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
|
CVE-2026-46204
|
|
VCID-bpn1-u31n-1kad
|
kernel: cifs: client: fix memory leak in smb3_fs_context_parse_param
|
CVE-2025-40268
|
|
VCID-bq19-zm8n-5qb8
|
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Register devlink first under devlink lock In case the device has a non-fatal FW error during probe, the driver will report the error to the user via devlink. This will trigger a WARN_ON, since mlx5 is calling devlink_register() last. In order to avoid the WARN_ON[1], change mlx5 to invoke devl_register() first under devlink lock. [1] WARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0 CPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core] RIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0 Call Trace: <TASK> ? __warn+0x79/0x120 ? devlink_recover_notify.constprop.0+0xb8/0xc0 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? devlink_recover_notify.constprop.0+0xb8/0xc0 devlink_health_report+0x4a/0x1c0 mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core] process_one_work+0x1bb/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x4d/0x3c0 ? process_one_work+0x3c0/0x3c0 kthread+0xc6/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK>
|
CVE-2024-35961
|
|
VCID-bqz2-xrym-wkg8
|
kernel: hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur
|
CVE-2025-21656
|
|
VCID-br1a-9wm9-dudu
|
kernel: drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2)
|
CVE-2024-49908
|
|
VCID-brgv-b3hj-37fr
|
kernel: vhost: move vdpa group bound check to vhost_vdpa
|
CVE-2026-43248
|
|
VCID-brjs-u5tm-x7e2
|
kernel: ipv6: mcast: extend RCU protection in igmp6_send()
|
CVE-2025-21759
|
|
VCID-bsbk-wef1-tyaq
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs the underlying driver to remove its flow offload callback from the associated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack then continues to replay the removal of the filters in the block for this driver by iterating over the chains in the block and invoking the 'reoffload' operation of the classifier being used. In turn, the classifier in its 'reoffload' operation prepares and emits a 'FLOW_CLS_DESTROY' command for each filter. However, the stack does not do the same for chain templates and the underlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when a qdisc is deleted. This results in a memory leak [1] which can be reproduced using [2]. Fix by introducing a 'tmplt_reoffload' operation and have the stack invoke it with the appropriate arguments as part of the replay. Implement the operation in the sole classifier that supports chain templates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}' command based on whether a flow offload callback is being bound to a filter block or being unbound from one. As far as I can tell, the issue happens since cited commit which reordered tcf_block_offload_unbind() before tcf_block_flush_all_chains() in __tcf_block_put(). The order cannot be reversed as the filter block is expected to be freed after flushing all the chains. [1] unreferenced object 0xffff888107e28800 (size 2048): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[...... 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................ 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab374e>] __kmalloc+0x4e/0x90 [<ffffffff832aec6d>] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [<ffffffff8379d29a>] ___sys_sendmsg+0x13a/0x1e0 [<ffffffff8379d50c>] __sys_sendmsg+0x11c/0x1f0 [<ffffffff843b9ce0>] do_syscall_64+0x40/0xe0 unreferenced object 0xffff88816d2c0400 (size 1024): comm "tc", pid 1079, jiffies 4294958525 (age 3074.287s) hex dump (first 32 bytes): 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8..... 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m.... 
backtrace: [<ffffffff81c06a68>] __kmem_cache_alloc_node+0x1e8/0x320 [<ffffffff81ab36c1>] __kmalloc_node+0x51/0x90 [<ffffffff81a8ed96>] kvmalloc_node+0xa6/0x1f0 [<ffffffff82827d03>] bucket_table_alloc.isra.0+0x83/0x460 [<ffffffff82828d2b>] rhashtable_init+0x43b/0x7c0 [<ffffffff832aed48>] mlxsw_sp_acl_ruleset_get+0x428/0x7a0 [<ffffffff832bc195>] mlxsw_sp_flower_tmplt_create+0x145/0x180 [<ffffffff832b2e1a>] mlxsw_sp_flow_block_cb+0x1ea/0x280 [<ffffffff83a10613>] tc_setup_cb_call+0x183/0x340 [<ffffffff83a9f85a>] fl_tmplt_create+0x3da/0x4c0 [<ffffffff83a22435>] tc_ctl_chain+0xa15/0x1170 [<ffffffff838a863c>] rtnetlink_rcv_msg+0x3cc/0xed0 [<ffffffff83ac87f0>] netlink_rcv_skb+0x170/0x440 [<ffffffff83ac6270>] netlink_unicast+0x540/0x820 [<ffffffff83ac6e28>] netlink_sendmsg+0x8d8/0xda0 [<ffffffff83793def>] ____sys_sendmsg+0x30f/0xa80 [2] # tc qdisc add dev swp1 clsact # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32 # tc qdisc del dev ---truncated---
|
CVE-2024-26669
|
|
VCID-bsta-vps8-wkgy
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()' Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368) 357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev, enum amdgpu_mca_error_type type, 358 int idx, struct mca_bank_entry *entry) 359 { 360 const struct amdgpu_mca_smu_funcs *mca_funcs = adev->mca.mca_funcs; 361 int count; 362 363 switch (type) { 364 case AMDGPU_MCA_ERROR_TYPE_UE: 365 count = mca_funcs->max_ue_count; mca_funcs is dereferenced here. 366 break; 367 case AMDGPU_MCA_ERROR_TYPE_CE: 368 count = mca_funcs->max_ce_count; mca_funcs is dereferenced here. 369 break; 370 default: 371 return -EINVAL; 372 } 373 374 if (idx >= count) 375 return -EINVAL; 376 377 if (mca_funcs && mca_funcs->mca_get_mca_entry) ^^^^^^^^^ Checked too late!
|
CVE-2024-26672
|
|
VCID-bsuz-c2at-tqgt
|
kernel: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb()
|
CVE-2024-49926
|
|
VCID-btud-g93c-uyge
|
kernel: net: dsa: b53: do not enable EEE on bcm63xx
|
CVE-2025-38272
|
|
VCID-btvu-afur-sfgz
|
In the Linux kernel, the following vulnerability has been resolved: ice: Fix improper extts handling Extts events are disabled and enabled by the application ts2phc. However, in the case where the driver is removed while the application is running, a specific extts event remains enabled and can cause a kernel crash. As a side effect, when the driver is reloaded and the application is started again, the remaining extts event for the channel from a previous run will keep firing and the message "extts on unexpected channel" might be printed to the user. To avoid that, extts events shall be disabled when PTP is released.
|
CVE-2024-42139
|
|
VCID-bw98-1z6f-53he
|
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Only free buffer VA that is not NULL In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly called only when the buffer to free exists, there are some instances that didn't do the check and triggered warnings in practice. We believe those checks were forgotten unintentionally. Add the checks back to fix the warnings.
|
CVE-2023-52888
|
|
VCID-bwmm-urwj-rbbb
|
kernel: netfilter: IDLETIMER: Fix for possible ABBA deadlock
|
CVE-2024-54683
|
|
VCID-bwy2-u6ku-8kh5
|
kernel: wifi: rtw88: check for PCI upstream bridge existence
|
CVE-2026-46092
|
|
VCID-by4j-bgga-ffae
|
kernel: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
|
CVE-2026-31505
|
|
VCID-by9b-urrc-7bca
|
kernel: drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn401_init_hw
|
CVE-2024-49916
|
|
VCID-c1tz-2kh3-pucz
|
kernel: ext4: drop extent cache when splitting extent fails
|
CVE-2026-45899
|
|
VCID-c25u-ce7c-v7eb
|
kernel: blk-mq: fix potential deadlock while nr_requests grown
|
CVE-2025-40146
|
|
VCID-c3y9-6zz4-fyey
|
kernel: mm/vmscan: don't try to reclaim hwpoison folio
|
CVE-2025-37834
|
|
VCID-c44q-jcs3-qfhj
|
In the Linux kernel, the following vulnerability has been resolved: drm/bridge: adv7511: fix crash on irq during probe Moved IRQ registration down to end of adv7511_probe(). If an IRQ already is pending during adv7511_probe (before adv7511_cec_init) then cec_received_msg_ts could crash using uninitialized data: Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5 Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP Call trace: cec_received_msg_ts+0x48/0x990 [cec] adv7511_cec_irq_process+0x1cc/0x308 [adv7511] adv7511_irq_process+0xd8/0x120 [adv7511] adv7511_irq_handler+0x1c/0x30 [adv7511] irq_thread_fn+0x30/0xa0 irq_thread+0x14c/0x238 kthread+0x190/0x1a8
|
CVE-2024-26876
|
|
VCID-c6bx-mgaq-tya5
|
kernel: usb: gadget: f_subset: Fix net_device lifecycle with device_move
|
CVE-2026-31723
|
|
VCID-c6ee-zm3t-zqg6
|
In the Linux kernel, the following vulnerability has been resolved: video/aperture: optionally match the device in sysfb_disable() In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the primary device is not VGA compatible: 1. A PCI device with a non-VGA class is the boot display 2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device() 3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable() 4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device. Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not. v2: Fix build when CONFIG_SCREEN_INFO is not set v3: Move device check into the mutex Drop primary variable in aperture_remove_conflicting_pci_devices() Drop __init on pci sysfb_pci_dev_is_enabled()
|
CVE-2024-46698
|
|
VCID-c6v8-r9bf-37h3
|
kernel: Linux kernel (mlx5e): Denial of Service due to NULL pointer dereference during network profile change
|
CVE-2026-23000
|
|
VCID-c6zk-te2v-t7a2
|
kernel: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
|
CVE-2026-23448
|
|
VCID-cat3-t7vf-qqd3
|
kernel: bridge: mrp: reject zero test interval to avoid OOM panic
|
CVE-2026-31420
|
|
VCID-cb9p-rejb-rkas
|
kernel: netfilter: ip6t_eui64: reject invalid MAC header for all packets
|
CVE-2026-31685
|
|
VCID-ceke-dy3x-2bh4
|
kernel: ax25: Remove broken autobind
|
CVE-2025-22109
|
|
VCID-cf25-t2f3-kkgp
|
kernel: net: Fix icmp host relookup triggering ip_rt_bug
|
CVE-2024-56647
|
|
VCID-cgqs-4ypu-jybf
|
kernel: drm/amd/display: Fix handling of plane refcount
|
CVE-2024-56775
|
|
VCID-cj3j-86vu-mqgv
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.
|
CVE-2024-46754
|
|
VCID-cjhd-us8e-6ygd
|
kernel: drm/gem: Acquire references on GEM handles for framebuffers
|
CVE-2025-38449
|
|
VCID-cjnz-en36-fbff
|
kernel: net: qrtr: ns: Fix use-after-free in driver remove()
|
CVE-2026-46047
|
|
VCID-cjrz-aqf5-5qaj
|
kernel: smb: client: Fix use-after-free of network namespace.
|
CVE-2024-53095
|
|
VCID-cm1e-ac4k-qfem
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Fail bpf_timer_cancel when callback is being cancelled Given a schedule: timer1 cb timer2 cb bpf_timer_cancel(timer2); bpf_timer_cancel(timer1); Both bpf_timer_cancel calls would wait for the other callback to finish executing, introducing a lockup. Add an atomic_t count named 'cancelling' in bpf_hrtimer. This keeps track of all in-flight cancellation requests for a given BPF timer. Whenever cancelling a BPF timer, we must check if we have outstanding cancellation requests, and if so, we must fail the operation with an error (-EDEADLK) since cancellation is synchronous and waits for the callback to finish executing. This implies that we can enter a deadlock situation involving two or more timer callbacks executing in parallel and attempting to cancel one another. Note that we avoid incrementing the cancelling counter for the target timer (the one being cancelled) if bpf_timer_cancel is not invoked from a callback, to avoid spurious errors. The whole point of detecting cur->cancelling and returning -EDEADLK is to not enter a busy wait loop (which may or may not lead to a lockup). This does not apply in case the caller is in a non-callback context; the other side can continue to cancel as it sees fit without running into errors. Background on prior attempts: Earlier versions of this patch used a bool 'cancelling' bit and used the following pattern under timer->lock to publish cancellation status. lock(t->lock); t->cancelling = true; mb(); if (cur->cancelling) return -EDEADLK; unlock(t->lock); hrtimer_cancel(t->timer); t->cancelling = false; The store outside the critical section could overwrite a parallel request's t->cancelling assignment to true, meant to ensure the callback executing in parallel observes its cancellation status. It would be necessary to clear this cancelling bit once hrtimer_cancel is done, but lack of serialization introduced races. 
Another option was explored where bpf_timer_start would clear the bit when (re)starting the timer under timer->lock. This would ensure serialized access to the cancelling bit, but may allow it to be cleared before in-flight hrtimer_cancel has finished executing, such that lockups can occur again. Thus, we choose an atomic counter to keep track of all outstanding cancellation requests and use it to prevent lockups in case callbacks attempt to cancel each other while executing in parallel.
|
CVE-2024-42239
|
|
VCID-cpmb-dn6n-4fc1
|
kernel: wifi: wilc1000: avoid buffer overflow in WID string configuration
|
CVE-2025-39952
|
|
VCID-cqh9-93ph-ufb6
|
kernel: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
|
CVE-2026-46009
|
|
VCID-csz1-4zmw-17b9
|
kernel: mm: memory-failure: update ttu flag inside unmap_poisoned_folio
|
CVE-2025-21907
|
|
VCID-cu6r-wqtq-rqgk
|
In the Linux kernel, the following vulnerability has been resolved: f2fs: don't set RO when shutting down f2fs Shutdown does not check the error of thaw_super due to readonly, which causes a deadlock like below. f2fs_ioc_shutdown(F2FS_GOING_DOWN_FULLSYNC) issue_discard_thread - bdev_freeze - freeze_super - f2fs_stop_checkpoint() - f2fs_handle_critical_error - sb_start_write - set RO - waiting - bdev_thaw - thaw_super_locked - return -EINVAL, if sb_rdonly() - f2fs_stop_discard_thread -> wait for kthread_stop(discard_thread);
|
CVE-2024-40969
|
|
VCID-cux6-1z8v-zugn
|
kernel: netfilter: nf_tables: revert commit_mutex usage in reset path
|
CVE-2026-45901
|
|
VCID-cve4-w99k-tycg
|
kernel: netfilter: nf_tables: always walk all pending catchall elements
|
CVE-2026-23278
|
|
VCID-cvyu-6c3j-47eq
|
kernel: wifi: rtw89: pci: validate sequence number of TX release report
|
CVE-2026-43213
|
|
VCID-cwhw-j942-ukcu
|
kernel: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
|
CVE-2026-46172
|
|
VCID-cwrd-yrzw-ekca
|
kernel: drm/msm/dpu: Add missing NULL pointer check for pingpong interface
|
CVE-2025-71138
|
|
VCID-cwub-sdxr-wqag
|
In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() Subject: [PATCH] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some of the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called.
|
CVE-2024-35951
|
|
VCID-cxb7-hrw1-jyez
|
kernel: ASoC: SOF: Don't allow pointer operations on unconfigured streams
|
CVE-2026-46179
|
|
VCID-cy75-rzyz-uudp
|
kernel: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
|
CVE-2026-46071
|
|
VCID-cyee-gj74-1khy
|
kernel: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
|
CVE-2026-43085
|
|
VCID-cz1z-nknc-syb5
|
kernel: wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change
|
CVE-2024-46860
|
|
VCID-d37x-13cg-afbb
|
kernel: cxl: Fix race of nvdimm_bus object when creating nvdimm objects
|
CVE-2026-23348
|
|
VCID-d3j1-qnve-9ydh
|
kernel: RDMA/siw: Add sendpage_ok() check to disable MSG_SPLICE_PAGES
|
CVE-2024-53094
|
|
VCID-d3yu-1y9x-1bgf
|
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure.
|
CVE-2024-39508
|
|
VCID-d47c-9xda-8fbp
|
kernel: ksmbd: add refcnt to ksmbd_conn struct
|
CVE-2024-49988
|
|
VCID-d5bp-63ex-fqbz
|
kernel: net: strparser: fix skb_head leak in strp_abort_strp()
|
CVE-2026-46102
|
|
VCID-d69t-cq15-ebb1
|
kernel: btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref()
|
CVE-2026-43308
|
|
VCID-dak7-j4ff-kqb7
|
kernel: virtio: break and reset virtio devices on device_shutdown()
|
CVE-2025-38064
|
|
VCID-dc9e-p8c9-ckcq
|
kernel: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
|
CVE-2026-46161
|
|
VCID-dcfn-6n5x-gqfn
|
In the Linux kernel, the following vulnerability has been resolved: drivers: perf: Check find_first_bit() return value We must check the return value of find_first_bit() before using the return value as an index array since it happens to overflow the array and then panic: [ 107.318430] Kernel BUG [#1] [ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2 [ 107.319465] Hardware name: riscv-virtio,qemu (DT) [ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae [ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350 [ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 [ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 [ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff [ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000 [ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55 [ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f [ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000 [ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0 [ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000 [ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000 [ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [ 107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0 [ 107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36 [ 107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e [ 107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86 [ 107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96 [ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 [ 107.320585] ---[ end trace 0000000000000000 ]--- [ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt [ 107.320775] SMP: stopping secondary CPUs [ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000 [ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
|
CVE-2023-52797
|
|
VCID-ded4-9rjt-g7cf
|
kernel: ALSA: ctxfi: Check the error for index mapping
|
CVE-2026-31777
|
|
VCID-depb-y37w-s7hz
|
kernel: nvme-pci: fix race condition between reset and nvme_dev_disable()
|
CVE-2024-50135
|
|
VCID-dfvt-3g8h-c7gs
|
kernel: HID: core: clamp report_size in s32ton() to avoid undefined shift
|
CVE-2026-31624
|
|
VCID-dgwq-2fka-j7fh
|
In the Linux kernel, the following vulnerability has been resolved: leds: an30259a: Use devm_mutex_init() for mutex initialization In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead.
|
CVE-2024-42128
|
|
VCID-dke1-vgb6-1kdg
|
kernel: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue
|
CVE-2025-37861
|
|
VCID-dmuj-xgyz-13ey
|
kernel: net: ravb: Fix missing rtnl lock in suspend/resume path
|
CVE-2025-21801
|
|
VCID-dmvs-8yta-yfbc
|
kernel: Linux kernel: Denial of Service in ublk due to deadlock when reading partition table
|
CVE-2025-68823
|
|
VCID-dmxk-c639-wych
|
kernel: bpf: Check the helper function is valid in get_helper_proto
|
CVE-2025-39990
|
|
VCID-dn7j-n97s-bqgf
|
kernel: x86/mm/ident_map: Use gbpages only where full GB page should be mapped.
|
CVE-2024-50017
|
|
VCID-dpxa-rmkj-5ke8
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;" pipe_ctx->stream_res.tg could be NULL, it is relying on the caller to ensure the tg is not NULL.
|
CVE-2024-26661
|
|
VCID-ds5n-vc73-vqhn
|
kernel: perf/x86/intel/uncore: Fix die ID init and look up bugs
|
CVE-2026-43344
|
|
VCID-dt9j-34a1-ubdc
|
kernel: drm/amdgpu: Fix the warning division or modulo by zero
|
CVE-2024-46806
|
|
VCID-dtxs-hra2-j7gd
|
kernel: can: gs_usb: fix time stamp counter initialization
|
CVE-2023-53523
|
|
VCID-du65-8bfc-puaw
|
kernel: fs/ntfs3: Mark inode as bad as soon as error detected in mi_enum_attr()
|
CVE-2024-52560
|
|
VCID-duw6-k4ej-buha
|
kernel: ibmvnic: Use kernel helpers for hex dumps
|
CVE-2025-22104
|
|
VCID-dw2h-72a9-4fa5
|
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock with fiemap and extent locking While working on the patchset to remove extent locking I got a lockdep splat with fiemap and pagefaulting with my new extent lock replacement lock. This deadlock exists with our normal code, we just don't have lockdep annotations with the extent locking so we've never noticed it. Since we're copying the fiemap extent to user space on every iteration we have the chance of pagefaulting. Because we hold the extent lock for the entire range we could mkwrite into a range in the file that we have mmap'ed. This would deadlock with the following stack trace [<0>] lock_extent+0x28d/0x2f0 [<0>] btrfs_page_mkwrite+0x273/0x8a0 [<0>] do_page_mkwrite+0x50/0xb0 [<0>] do_fault+0xc1/0x7b0 [<0>] __handle_mm_fault+0x2fa/0x460 [<0>] handle_mm_fault+0xa4/0x330 [<0>] do_user_addr_fault+0x1f4/0x800 [<0>] exc_page_fault+0x7c/0x1e0 [<0>] asm_exc_page_fault+0x26/0x30 [<0>] rep_movs_alternative+0x33/0x70 [<0>] _copy_to_user+0x49/0x70 [<0>] fiemap_fill_next_extent+0xc8/0x120 [<0>] emit_fiemap_extent+0x4d/0xa0 [<0>] extent_fiemap+0x7f8/0xad0 [<0>] btrfs_fiemap+0x49/0x80 [<0>] __x64_sys_ioctl+0x3e1/0xb50 [<0>] do_syscall_64+0x94/0x1a0 [<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 I wrote an fstest to reproduce this deadlock without my replacement lock and verified that the deadlock exists with our existing locking. To fix this simply don't take the extent lock for the entire duration of the fiemap. This is safe in general because we keep track of where we are when we're searching the tree, so if an ordered extent updates in the middle of our fiemap call we'll still emit the correct extents because we know what offset we were on before. The only place we maintain the lock is searching delalloc. Since the delalloc stuff can change during writeback we want to lock the extent range so we have a consistent view of delalloc at the time we're checking to see if we need to set the delalloc flag. With this patch applied we no longer deadlock with my testcase.
|
CVE-2024-35784
|
|
VCID-dx7x-cpwe-dkar
|
kernel: exfat: fix out-of-bounds access of directory entries
|
CVE-2024-53147
|
|
VCID-dyen-1why-3kb3
|
kernel: md/raid10: fix deadlock with check operation and nowait requests
|
CVE-2026-46050
|
|
VCID-dykx-bvbd-bkcw
|
kernel: riscv: Fix IPIs usage in kfence_protect_page()
|
CVE-2024-53687
|
|
VCID-dzxk-k3kb-fkf6
|
kernel: iommu/amd: move wait_on_sem() out of spinlock
|
CVE-2026-43253
|
|
VCID-e145-9psd-13ct
|
kernel: spi-rockchip: Fix register out of bounds access
|
CVE-2025-38081
|
|
VCID-e1yr-dcpp-a7f8
|
kernel: vfio/mlx5: Fix an unwind issue in mlx5vf_add_migration_pages()
|
CVE-2024-56742
|
|
VCID-e2n5-kap2-k7aw
|
kernel: batman-adv: bla: prevent use-after-free when deleting claims
|
CVE-2026-46212
|
|
VCID-e3g9-hen2-13gx
|
kernel: Linux kernel: Denial of Service during UFS power down
|
CVE-2025-68236
|
|
VCID-e3ns-xur2-1qbj
|
kernel: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
|
CVE-2025-68304
|
|
VCID-e852-ubpd-abce
|
kernel: btrfs: fix double free in create_space_info_sub_group() error path
|
CVE-2026-46164
|
|
VCID-e91m-6u6r-j7f5
|
kernel: ibmveth: Disable GSO for packets with small MSS
|
CVE-2026-46273
|
|
VCID-e9ez-bvpa-bqew
|
kernel: LoongArch: Set hugetlb mmap base address aligned with pmd size
|
CVE-2025-21949
|
|
VCID-e9fj-hwxu-fkd4
|
kernel: udmabuf: fix memory leak on last export_udmabuf() error path
|
CVE-2024-56712
|
|
VCID-e9wa-pymx-vucj
|
kernel: f2fs: fix to do sanity check on node blkaddr in truncate_node()
|
CVE-2024-56692
|
|
VCID-eauv-c843-x3gx
|
kernel: Linux kernel: Denial of service due to a race condition in the TLS subsystem
|
CVE-2026-23240
|
|
VCID-ebd3-8vn9-tkaf
|
kernel: ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
|
CVE-2026-45985
|
|
VCID-ebn5-8dr8-jye1
|
In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] <TASK> [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] </TASK> The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---
|
CVE-2024-46765
|
|
VCID-ebx5-cqxk-9yfb
|
kernel: mm/vmemmap/devdax: fix kernel crash when probing devdax devices
|
CVE-2023-53706
|
|
VCID-edfe-4amw-ayaw
|
kernel: driver core: platform: use generic driver_override infrastructure
|
CVE-2026-31527
|
|
VCID-edzc-ur6n-vqdm
|
kernel: blktrace: fix __this_cpu_read/write in preemptible context
|
CVE-2026-23374
|
|
VCID-ee3k-svcr-5bgp
|
In the Linux kernel, the following vulnerability has been resolved: perf: RISCV: Fix panic on pmu overflow handler (1 << idx) of int is not desired when setting bits in unsigned long overflowed_ctrs, use BIT() instead. This panic happens when running 'perf record -e branches' on sophgo sg2042. [ 273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 [ 273.320851] Oops [#1] [ 273.323179] Modules linked in: [ 273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9 [ 273.332521] Hardware name: Sophgo Mango (DT) [ 273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62 [ 273.342291] ra : pmu_sbi_ovf_handler+0x2e0/0x34e [ 273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0 [ 273.354454] gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978 [ 273.361815] t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70 [ 273.369180] s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000 [ 273.376540] a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015 [ 273.383901] a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a [ 273.391327] s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0 [ 273.398773] s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210 [ 273.406139] s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098 [ 273.413660] s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca [ 273.421022] t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8 [ 273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d [ 273.434512] [<ffffffff80aecd98>] riscv_pmu_ctr_get_width_mask+0x8/0x62 [ 273.441169] [<ffffffff80076bd8>] handle_percpu_devid_irq+0x98/0x1ee [ 273.447562] [<ffffffff80071158>] generic_handle_domain_irq+0x28/0x36 [ 273.454151] [<ffffffff8047a99a>] riscv_intc_irq+0x36/0x4e [ 273.459659] [<ffffffff80c944de>] handle_riscv_irq+0x4a/0x74 [ 273.465442] [<ffffffff80c94c48>] do_irq+0x62/0x92 [ 273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783 [ 273.477921] ---[ end trace 0000000000000000 ]--- [ 273.482630] Kernel panic - not syncing: Fatal exception in interrupt
|
CVE-2024-26902
|
|
VCID-eght-g4qm-13fx
|
kernel: mm/page_alloc: clear page->private in free_pages_prepare()
|
CVE-2026-43303
|
|
VCID-eh5h-mkpr-byeq
|
An improper input validation flaw was found in the eBPF subsystem in the Linux kernel. The issue occurs due to a lack of proper validation of dynamic pointers within user-supplied eBPF programs prior to executing them. This may allow an attacker with CAP_BPF privileges to escalate privileges and execute arbitrary code in the context of the kernel.
|
CVE-2023-39191
|
|
VCID-ehah-7sbs-yfhn
|
kernel: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
|
CVE-2025-71193
|
|
VCID-ehpc-qz9e-cqhp
|
kernel: efi: Don't map the entire mokvar table to determine its size
|
CVE-2025-21872
|
|
VCID-ehze-pf7y-vugf
|
kernel: dcache: Limit the minimal number of bucket to two
|
CVE-2026-43071
|
|
VCID-ejva-fu83-byhd
|
kernel: drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection
|
CVE-2024-47662
|
|
VCID-eknd-d1mp-jba6
|
kernel: bnxt: properly flush XDP redirect lists
|
CVE-2025-38246
|
|
VCID-em9w-ek96-qqbd
|
kernel: xfs: fix a resource leak in xfs_alloc_buftarg()
|
CVE-2026-46005
|
|
VCID-emfc-y52u-4qer
|
kernel: btrfs: ensure no dirty metadata is written back for an fs with errors
|
CVE-2025-40303
|
|
VCID-emfe-q3rh-3ygj
|
kernel: fs/ntfs3: validate rec->used in journal-replay file record check
|
CVE-2026-31716
|
|
VCID-enrj-1qnv-xbaj
|
kernel: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
|
CVE-2026-46180
|
|
VCID-enuk-3anp-5fec
|
kernel: landlock: Fix handling of disconnected directories
|
CVE-2025-68736
|
|
VCID-ept3-ap34-mfdr
|
kernel: net: ethernet: xscale: Check for PTP support properly
|
CVE-2026-43173
|
|
VCID-eq9s-xtbz-vyfb
|
kernel: bpf: Reject sleepable kprobe_multi programs at attach time
|
CVE-2026-43010
|
|
VCID-eqsv-6wku-q7ds
|
kernel: ip6_gre: Use cached t->net in ip6erspan_changelink()
|
CVE-2026-46120
|
|
VCID-er1k-29zn-3yc3
|
kernel: of: unittest: Fix memory leak in unittest_data_add()
|
CVE-2026-23137
|
|
VCID-etv1-h6u6-eqgb
|
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311
|
CVE-2024-36013
|
|
VCID-eucb-pjn6-kke3
|
kernel: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
|
CVE-2026-31626
|
|
VCID-euzq-gcd7-b7ae
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix incorrect size calculation for loop [WHY] fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is larger than the array size. [HOW] Divide byte size 20 by its element size. This fixes 2 OVERRUN issues reported by Coverity.
|
CVE-2024-46729
|
|
VCID-ev75-pfpv-dyek
|
kernel: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection
|
CVE-2025-71198
|
|
VCID-ev77-9v8z-bfcm
|
kernel: io_uring: prevent opcode speculation
|
CVE-2025-21863
|
|
VCID-evqc-b9a9-3udu
|
kernel: drm/amdgpu: Add bounds checking to ib_{get,set}_value
|
CVE-2026-46218
|
|
VCID-exmf-hgh4-ukb3
|
kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length
|
CVE-2025-39933
|
|
VCID-exxx-kjcb-tqcf
|
kernel: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
|
CVE-2025-71109
|
|
VCID-ezwm-ugha-b7gn
|
kernel: btrfs: reserve enough transaction items for qgroup ioctls
|
CVE-2026-43338
|
|
VCID-f1v8-5fwe-13d9
|
kernel: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
|
CVE-2024-50282
|
|
VCID-f3av-gjcy-wqf9
|
kernel: wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()
|
CVE-2025-71273
|
|
VCID-f487-jpka-sbgg
|
kernel: nvmet-tcp: fix race between ICReq handling and queue teardown
|
CVE-2026-46135
|
|
VCID-f53r-e69n-83bt
|
In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.
|
CVE-2024-25743
|
|
VCID-f5h4-a9n4-93h9
|
kernel: ksmbd: fix use-after-free in smb_break_all_levII_oplock()
|
CVE-2025-37776
|
|
VCID-f686-8585-zugv
|
kernel: scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set
|
CVE-2025-37977
|
|
VCID-f6nf-rd4s-hfcb
|
kernel: ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
|
CVE-2026-43099
|
|
VCID-f6nr-4m3u-abc8
|
kernel: rxrpc: only handle RESPONSE during service challenge
|
CVE-2026-31676
|
|
VCID-f84z-phb8-8kax
|
kernel: batman-adv: fix integer overflow on buff_pos
|
CVE-2026-46198
|
|
VCID-f9f8-g4dh-37bf
|
kernel: srcu: Use irq_work to start GP in tiny SRCU
|
CVE-2026-43115
|
|
VCID-f9n6-gkrf-aubn
|
kernel: x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
|
CVE-2024-53114
|
|
VCID-fagf-k5dj-tbeu
|
kernel: usb: dwc3: gadget: Move vbus draw to workqueue context
|
CVE-2026-43170
|
|
VCID-fahd-vt4k-v7c4
|
kernel: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware
|
CVE-2024-47664
|
|
VCID-fb3f-de71-r3c5
|
kernel: ipvs: skip ipv6 extension headers for csum checks
|
CVE-2026-45850
|
|
VCID-fd4v-5z2z-r3gj
|
kernel: crypto: hisilicon/qm - request reserved interrupt for virtual function
|
CVE-2025-40136
|
|
VCID-fdha-v3un-jbda
|
kernel: can: j1939: implement NETDEV_UNREGISTER notification handler
|
CVE-2025-39925
|
|
VCID-fgbh-wb5z-77gn
|
kernel: drm/amd/display: Check stream_status before it is used
|
CVE-2024-49893
|
|
VCID-fgsj-kk6c-gfed
|
kernel: usb: gadget: f_rndis: Fix net_device lifecycle with device_move
|
CVE-2026-31722
|
|
VCID-fguz-mrpy-qfdq
|
kernel: smb: client: validate dacloffset before building DACL pointers
|
CVE-2026-46195
|
|
VCID-fjyq-4ejv-u7cq
|
kernel: media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC
|
CVE-2026-43310
|
|
VCID-fnbx-trf8-e7bm
|
kernel: Bluetooth: hci_event: move wake reason storage into validated event handlers
|
CVE-2026-31771
|
|
VCID-fp2a-4h5e-qqfe
|
kernel: ALSA: fireworks: bound device-supplied status before string array lookup
|
CVE-2026-31619
|
|
VCID-fpjr-m7qf-5bda
|
kernel: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
|
CVE-2026-46082
|
|
VCID-fqrh-sk8b-eqam
|
kernel: wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018
|
CVE-2023-54141
|
|
VCID-frmd-ez2d-7yea
|
kernel: netfilter: nft_objref: validate objref and objrefmap expressions
|
CVE-2025-40206
|
|
VCID-fsgk-kz1z-b7ef
|
kernel: ntfs3: add buffer boundary checks to run_unpack()
|
CVE-2026-46072
|
|
VCID-fw38-1qqd-pufz
|
kernel: net/rds: Fix circular locking dependency in rds_tcp_tune
|
CVE-2026-23419
|
|
VCID-fwuv-58vm-9fhc
|
kernel: ila: serialize calls to nf_register_net_hooks()
|
CVE-2024-57900
|
|
VCID-fy33-gfnq-bbc5
|
kernel: slip: bound decode() reads against the compressed packet length
|
CVE-2026-45843
|
|
VCID-fyza-twuw-wbdz
|
kernel: nfc: s3fwrn5: allocate rx skb before consuming bytes
|
CVE-2026-43098
|
|
VCID-fz15-zw8j-dubq
|
kernel: Linux kernel: Denial of Service via unsafe requeue in rxrpc_recvmsg
|
CVE-2026-23066
|
|
VCID-fz4m-k2m2-efhr
|
kernel: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
|
CVE-2026-43103
|
|
VCID-fzgj-dtfx-pbhk
|
kernel: dm-thin: fix metadata refcount underflow
|
CVE-2026-46107
|
|
VCID-g1h8-ypta-tkg4
|
kernel: apparmor: Fix & Optimize table creation from possibly unaligned memory
|
CVE-2026-45893
|
|
VCID-g1j5-7w3h-uyfb
|
kernel: lan966x: Fix sleeping in atomic context
|
CVE-2025-68320
|
|
VCID-g1p9-dk96-tua8
|
kernel: Linux kernel: Use-after-free in bonding module can cause system crash or arbitrary code execution
|
CVE-2026-23171
|
|
VCID-g2ba-udfd-augf
|
kernel: ALSA: control: Avoid WARN() for symlink errors
|
CVE-2024-56657
|
|
VCID-g32a-ptmg-qqh5
|
kernel: dmaengine: idxd: Refactor remove call with idxd_cleanup() helper
|
CVE-2025-38014
|
|
VCID-g3md-db23-abgk
|
kernel: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
|
CVE-2026-46149
|
|
VCID-g5ag-7be1-6khu
|
kernel: ALSA: caiaq: take a reference on the USB device in create_card()
|
CVE-2026-31701
|
|
VCID-g7va-rt9d-2kca
|
kernel: mm: clear uffd-wp PTE/PMD state on mremap()
|
CVE-2025-21696
|
|
VCID-g9h7-bb5y-8fab
|
kernel: fuse: reject oversized dirents in page cache
|
CVE-2026-31694
|
|
VCID-gajs-fj4s-tkgm
|
kernel: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
|
CVE-2026-46157
|
|
VCID-gaxe-jzep-e7gf
|
kernel: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
|
CVE-2026-23310
|
|
VCID-gdun-83ce-yyb7
|
kernel: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
|
CVE-2026-45839
|
|
VCID-gdun-8zvv-mkbh
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update [Why] Coverity reports NULL_RETURN warning. [How] Add otg_master NULL check.
|
CVE-2024-46727
|
|
VCID-gftv-431a-q3gy
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Defer work in bpf_timer_cancel_and_free Currently, the same case as previous patch (two timer callbacks trying to cancel each other) can be invoked through bpf_map_update_elem as well, or more precisely, freeing map elements containing timers. Since this relies on hrtimer_cancel as well, it is prone to the same deadlock situation as the previous patch. It would be sufficient to use hrtimer_try_to_cancel to fix this problem, as the timer cannot be enqueued after async_cancel_and_free. Once async_cancel_and_free has been done, the timer must be reinitialized before it can be armed again. The callback running in parallel trying to arm the timer will fail, and freeing bpf_hrtimer without waiting is sufficient (given kfree_rcu), and bpf_timer_cb will return HRTIMER_NORESTART, preventing the timer from being rearmed again. However, there exists a UAF scenario where the callback arms the timer before entering this function, such that if cancellation fails (due to timer callback invoking this routine, or the target timer callback running concurrently). In such a case, if the timer expiration is significantly far in the future, the RCU grace period expiration happening before it will free the bpf_hrtimer state and along with it the struct hrtimer, that is enqueued. Hence, it is clear cancellation needs to occur after async_cancel_and_free, and yet it cannot be done inline due to deadlock issues. We thus modify bpf_timer_cancel_and_free to defer work to the global workqueue, adding a work_struct alongside rcu_head (both used at _different_ points of time, so can share space). Update existing code comments to reflect the new state of affairs.
|
CVE-2024-41045
|
|
VCID-gg31-e37h-9kcn
|
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Reload only IB representors upon lag disable/enable On lag disable, the bond IB device along with all of its representors are destroyed, and then the slaves' representors get reloaded. In case the slave IB representor load fails, the eswitch error flow unloads all representors, including ethernet representors, where the netdevs get detached and removed from lag bond. Such flow is inaccurate as the lag driver is not responsible for loading/unloading ethernet representors. Furthermore, the flow described above begins by holding lag lock to prevent bond changes during disable flow. However, when reaching the ethernet representors detachment from lag, the lag lock is required again, triggering the following deadlock: Call trace: __switch_to+0xf4/0x148 __schedule+0x2c8/0x7d0 schedule+0x50/0xe0 schedule_preempt_disabled+0x18/0x28 __mutex_lock.isra.13+0x2b8/0x570 __mutex_lock_slowpath+0x1c/0x28 mutex_lock+0x4c/0x68 mlx5_lag_remove_netdev+0x3c/0x1a0 [mlx5_core] mlx5e_uplink_rep_disable+0x70/0xa0 [mlx5_core] mlx5e_detach_netdev+0x6c/0xb0 [mlx5_core] mlx5e_netdev_change_profile+0x44/0x138 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x28/0x38 [mlx5_core] mlx5e_vport_rep_unload+0x184/0x1b8 [mlx5_core] mlx5_esw_offloads_rep_load+0xd8/0xe0 [mlx5_core] mlx5_eswitch_reload_reps+0x74/0xd0 [mlx5_core] mlx5_disable_lag+0x130/0x138 [mlx5_core] mlx5_lag_disable_change+0x6c/0x70 [mlx5_core] // hold ldev->lock mlx5_devlink_eswitch_mode_set+0xc0/0x410 [mlx5_core] devlink_nl_cmd_eswitch_set_doit+0xdc/0x180 genl_family_rcv_msg_doit.isra.17+0xe8/0x138 genl_rcv_msg+0xe4/0x220 netlink_rcv_skb+0x44/0x108 genl_rcv+0x40/0x58 netlink_unicast+0x198/0x268 netlink_sendmsg+0x1d4/0x418 sock_sendmsg+0x54/0x60 __sys_sendto+0xf4/0x120 __arm64_sys_sendto+0x30/0x40 el0_svc_common+0x8c/0x120 do_el0_svc+0x30/0xa0 el0_svc+0x20/0x30 el0_sync_handler+0x90/0xb8 el0_sync+0x160/0x180 Thus, upon lag enable/disable, load and unload only the IB representors of the slaves preventing the deadlock mentioned above. While at it, refactor the mlx5_esw_offloads_rep_load() function to have a static helper method for its internal logic, in symmetry with the representor unload design.
|
CVE-2024-38557
|
|
VCID-ghb2-gp3u-tfaf
|
kernel: md/raid1,raid10: don't ignore IO flags
|
CVE-2025-22125
|
|
VCID-gktp-sgbk-efd5
|
kernel: drm/amd/display: Add missing NULL pointer check within dpcd_extend_address_range
|
CVE-2024-46808
|
|
VCID-gng1-yxmy-4yd5
|
An issue was discovered in the Linux kernel through 6.0.6. drivers/char/pcmcia/scr24x_cs.c has a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling open(), aka a race condition between scr24x_open() and scr24x_remove().
|
CVE-2022-44034
|
|
VCID-grm1-cg1n-3fhx
|
kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial of service
|
CVE-2025-38206
|
|
VCID-grny-x9c9-qybd
|
kernel: Linux kernel (iavf): Denial of Service due to a locking issue
|
CVE-2025-38311
|
|
VCID-gryu-gw4d-4qa2
|
kernel: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
|
CVE-2026-31605
|
|
VCID-gt2x-xg6c-vbbm
|
kernel: Linux kernel: Denial of Service in RDMA subsystem via repeated SRQ modification
|
CVE-2025-68379
|
|
VCID-gtn2-4aev-3qcw
|
kernel: drm/amdgpu: Add basic validation for RAS header
|
CVE-2025-38426
|
|
VCID-gtq6-sc4n-8bfp
|
kernel: drm: zynqmp_kms: Unplug DRM device before removal
|
CVE-2024-56538
|
|
VCID-gye3-eb4g-sqa3
|
kernel: mISDN: hfcpci: Fix warning when deleting uninitialized timer
|
CVE-2025-39833
|
|
VCID-gykn-9kz1-tqhg
|
kernel: sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
|
CVE-2024-53168
|
|
VCID-h1ru-jhwc-1fbu
|
kernel: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
|
CVE-2026-23327
|
|
VCID-h233-6w8h-nyc2
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401 When users run the command: cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log The following NULL pointer dereference happens: [ +0.000003] BUG: kernel NULL pointer dereference, address: NULL [ +0.000005] #PF: supervisor instruction fetch in kernel mode [ +0.000002] #PF: error_code(0x0010) - not-present page [ +0.000002] PGD 0 P4D 0 [ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI [ +0.000003] RIP: 0010:0x0 [ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6. [...] [ +0.000002] PKRU: 55555554 [ +0.000002] Call Trace: [ +0.000002] <TASK> [ +0.000003] ? show_regs+0x65/0x70 [ +0.000006] ? __die+0x24/0x70 [ +0.000004] ? page_fault_oops+0x160/0x470 [ +0.000006] ? do_user_addr_fault+0x2b5/0x690 [ +0.000003] ? prb_read_valid+0x1c/0x30 [ +0.000005] ? exc_page_fault+0x8c/0x1a0 [ +0.000005] ? asm_exc_page_fault+0x27/0x30 [ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu] [ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000003] ? vsnprintf+0x2fb/0x600 [ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu] [ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170 [ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? debug_smp_processor_id+0x17/0x20 [ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? set_ptes.isra.0+0x2b/0x90 [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? _raw_spin_unlock+0x19/0x40 [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000002] ? do_anonymous_page+0x337/0x700 [ +0.000004] dtn_log_read+0x82/0x120 [amdgpu] [ +0.000207] full_proxy_read+0x66/0x90 [ +0.000007] vfs_read+0xb0/0x340 [ +0.000005] ? __count_memcg_events+0x79/0xe0 [ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5 [ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40 [ +0.000003] ? handle_mm_fault+0xb2/0x370 [ +0.000003] ksys_read+0x6b/0xf0 [ +0.000004] __x64_sys_read+0x19/0x20 [ +0.000003] do_syscall_64+0x60/0x130 [ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76 [ +0.000003] RIP: 0033:0x7fdf32f147e2 [...] This error happens when the color log tries to read the gamut remap information from DCN401 which is not initialized in the dcn401_dpp_funcs which leads to a null pointer dereference. This commit addresses this issue by adding a proper guard to access the gamut_remap callback in case the specific ASIC did not implement this function.
|
CVE-2024-43901
|
|
VCID-h2k4-unzm-tfa6
|
kernel: pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
|
CVE-2026-31655
|
|
VCID-h2tq-frmy-hufd
|
kernel: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
|
CVE-2026-31618
|
|
VCID-h39p-w7dq-6bb7
|
kernel: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
|
CVE-2026-31599
|
|
VCID-h49r-g9bp-qbae
|
kernel: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
|
CVE-2026-43052
|
|
VCID-h4pc-2m8s-mudc
|
kernel: spi: tegra210-quad: Protect curr_xfer check in IRQ handler
|
CVE-2026-23207
|
|
VCID-h5y6-6csc-kua1
|
kernel: smb: server: fix active_num_conn leak on transport allocation failure
|
CVE-2026-31711
|
|
VCID-ha8p-46h6-cygd
|
kernel: ksmbd: validate response sizes in ipc_validate_msg()
|
CVE-2026-31707
|
|
VCID-hara-qajw-wye1
|
kernel: drm/amdkfd: debugfs hang_hws skip GPU with MES
|
CVE-2025-37853
|
|
VCID-havx-mt9v-8fgj
|
kernel: ALSA: aloop: Fix racy access at PCM trigger
|
CVE-2026-23191
|
|
VCID-hbzj-7tvd-rkat
|
kernel: ksmbd: fix overflow in dacloffset bounds check
|
CVE-2025-22039
|
|
VCID-hcb1-97ja-nkgg
|
kernel: ext4: validate p_idx bounds in ext4_ext_correct_indexes
|
CVE-2026-31449
|
|
VCID-hckb-k1xr-h7d9
|
kernel: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work)
|
CVE-2025-39932
|
|
VCID-hcs7-nykt-gben
|
kernel: bonding: fix type confusion in bond_setup_by_slave()
|
CVE-2026-43456
|
|
VCID-hdvs-9nv4-tqdt
|
kernel: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
|
CVE-2026-31704
|
|
VCID-hg1r-w94j-3bby
|
kernel: ksmbd: validate inherited ACE SID length
|
CVE-2026-43490
|
|
VCID-hh4e-jmav-77aw
|
kernel: smb: During unmount, ensure all cached dir instances drop their dentry
|
CVE-2024-53176
|
|
VCID-hhkj-zpkv-euf6
|
kernel: net/rds: handle zerocopy send cleanup before the message is queued
|
CVE-2026-43502
|
|
VCID-hj56-4nw3-1qgt
|
kernel: drm/amdkfd: validate SVM ioctl nattr against buffer size
|
CVE-2026-46197
|
|
VCID-hj5y-batm-rycx
|
kernel: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
|
CVE-2026-31699
|
|
VCID-hmtx-pteq-jugg
|
kernel: rxrpc: Fix memory leaks in rxkad_verify_response()
|
CVE-2026-46012
|
|
VCID-hn2z-dgfy-nugj
|
kernel: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
|
CVE-2026-46146
|
|
VCID-hn96-epsn-9bfp
|
kernel: drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()
|
CVE-2024-53056
|
|
VCID-hsvb-2tnb-wkga
|
kernel: dmaengine: lpc18xx-dmamux: fix device leak on route allocation
|
CVE-2025-71188
|
|
VCID-hvma-mz9b-pqdg
|
kernel: f2fs: don't reset unchangable mount option in f2fs_remount()
|
CVE-2023-53447
|
|
VCID-hxp3-qsyt-c3f6
|
kernel: coresight: holding cscfg_csdev_lock while removing cscfg from csdev
|
CVE-2025-38132
|
|
VCID-hz45-6mkk-9qhc
|
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values. Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data. This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP. BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable. We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.
|
CVE-2024-35860
|
|
VCID-j13d-v2db-nqau
|
kernel: RDMA/hns: Fix double destruction of rsv_qp
|
CVE-2025-38582
|
|
VCID-j1kv-r5nf-rybq
|
kernel: drm/vc4: Fix a memory leak in hang state error path
|
CVE-2026-43104
|
|
VCID-j2g2-vawd-wkf9
|
kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
|
CVE-2025-68183
|
|
VCID-j2jm-ctxk-fubr
|
kernel: xfrm: ah: account for ESN high bits in async callbacks
|
CVE-2026-46193
|
|
VCID-j3uc-twwp-y3c3
|
kernel: ksmbd: add chann_lock to protect ksmbd_chann_list xarray
|
CVE-2026-23226
|
|
VCID-j438-fpyd-6kf4
|
kernel: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
|
CVE-2026-23361
|
|
VCID-j4jg-bd7m-ufhj
|
kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
|
CVE-2026-46227
|
|
VCID-j4s1-rwvc-z7hr
|
kernel: Linux kernel blk-cgroup: Use-after-free vulnerability leading to denial of service
|
CVE-2023-54107
|
|
VCID-j4ur-qq7q-d7d2
|
kernel: blk-mq: fix tags leak when shrink nr_hw_queues
|
CVE-2023-54227
|
|
VCID-j4ws-js7c-w3fn
|
kernel: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
|
CVE-2026-43501
|
|
VCID-j4zb-pkp2-fka4
|
kernel: ksmbd: vfs: fix race on m_flags in vfs_cache
|
CVE-2025-68809
|
|
VCID-j6h7-2xsc-h3g3
|
kernel: perf: Fix hang while freeing sigtrap event
|
CVE-2025-37747
|
|
VCID-j7sw-qch3-huh1
|
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are not stored in the same memory as the eDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred.
|
CVE-2024-27408
|
|
VCID-jawa-g7vv-yfeg
|
kernel: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
|
CVE-2026-46040
|
|
VCID-jccq-urqe-kkde
|
kernel: ksmbd: require minimum ACE size in smb_check_perm_dacl()
|
CVE-2026-31712
|
|
VCID-jctp-kajd-e7d1
|
kernel: drm/amd/display: fix a Null pointer dereference vulnerability
|
CVE-2025-39705
|
|
VCID-jdqn-zw7a-qkg4
|
kernel: net: mctp: ensure our nlmsg responses are initialised
|
CVE-2026-45930
|
|
VCID-jdsf-pqg6-aqcd
|
kernel: bpf, lsm: Add check for BPF LSM return value
|
CVE-2024-47703
|
|
VCID-jejs-azgt-ukev
|
kernel: sched/deadline: Fix warning in migrate_enable for boosted tasks
|
CVE-2024-56583
|
|
VCID-jetr-pjr7-aqgx
|
kernel: f2fs: fix to do sanity check on node footer in {read,write}_end_io
|
CVE-2026-23265
|
|
VCID-jfc1-ren1-pyex
|
kernel: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
|
CVE-2026-43318
|
|
VCID-jgrh-rsgb-xbhg
|
kernel: drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box
|
CVE-2024-46811
|
|
VCID-jrpx-1hzs-8bgr
|
kernel: xfrm: Duplicate SPI Handling
|
CVE-2025-39797
|
|
VCID-jsq1-3rub-ryfw
|
kernel: net: af_key: zero aligned sockaddr tail in PF_KEY exports
|
CVE-2026-43088
|
|
VCID-jsr4-hf19-23er
|
kernel: LoongArch: KVM: Mark hrtimer to expire in hard interrupt context
|
CVE-2024-53089
|
|
VCID-jsuq-w3xh-xqbz
|
kernel: s390/mm: Fix in_atomic() handling in do_secure_storage_access()
|
CVE-2025-38359
|
|
VCID-jtc1-9umn-q3gs
|
kernel: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
|
CVE-2026-46019
|
|
VCID-jtsq-tefz-5ygm
|
kernel: ksmbd: check outstanding simultaneous SMB operations
|
CVE-2024-50285
|
|
VCID-jvjt-nfaf-eqeh
|
kernel: ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio
|
CVE-2026-31451
|
|
VCID-jx4t-ssnu-87hc
|
kernel: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM
|
CVE-2025-40289
|
|
VCID-jxkn-tedw-1qak
|
kernel: LoongArch: BPF: Sign extend kfunc call arguments
|
CVE-2025-71129
|
|
VCID-jxts-kn8c-mfab
|
kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service
|
CVE-2026-31419
|
|
VCID-jynw-yvgp-mydm
|
kernel: fs/ntfs3: handle attr_set_size() errors when truncating files
|
CVE-2025-71289
|
|
VCID-jyvx-nysd-bkcq
|
kernel: PCI: imx6: Fix suspend/resume support on i.MX6QDL
|
CVE-2024-57809
|
|
VCID-jztf-3qsy-87ca
|
kernel: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
|
CVE-2026-46127
|
|
VCID-k2ku-q13t-93ge
|
kernel: f2fs: fix to avoid potential deadlock
|
CVE-2025-71065
|
|
VCID-k5xd-uzcb-gbcg
|
kernel: start_kernel: Add __no_stack_protector function attribute
|
CVE-2023-53491
|
|
VCID-k69u-gtry-b3ga
|
kernel: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode()
|
CVE-2025-38237
|
|
VCID-k8xd-kuyr-ufff
|
kernel: nfc: nci: complete pending data exchange on device close
|
CVE-2026-23330
|
|
VCID-k944-a1q7-affp
|
kernel: driver core: fix potential NULL pointer dereference in dev_uevent()
|
CVE-2025-37800
|
|
VCID-k9hv-ejph-8uaz
|
In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: fix TX fifo corruption Sometimes, when a packet is received on channel A at almost the same time as a packet is about to be transmitted on channel B, we observe with a logic analyzer that the received packet on channel A is transmitted on channel B. In other words, the Tx buffer data on channel B is corrupted with data from channel A. The problem appeared since commit 4409df5866b7 ("serial: sc16is7xx: change EFR lock to operate on each channels"), which changed the EFR locking to operate on each channel instead of chip-wise. This commit has introduced a regression, because the EFR lock is used not only to protect the EFR registers access, but also, in a very obscure and undocumented way, to protect access to the data buffer, which is shared by the Tx and Rx handlers, but also by each channel of the IC. Fix this regression first by switching to kfifo_out_linear_ptr() in sc16is7xx_handle_tx() to eliminate the need for a shared Rx/Tx buffer. Secondly, replace the chip-wise Rx buffer with a separate Rx buffer for each channel.
|
CVE-2024-44951
|
|
VCID-k9uw-x14d-qkhy
|
kernel: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
|
CVE-2026-31700
|
|
VCID-kajm-et9v-3uhz
|
kernel: libceph: Fix slab-out-of-bounds access in auth message processing
|
CVE-2026-46119
|
|
VCID-kb19-r7ye-27dw
|
kernel: Linux kernel: Denial of Service due to sleepable page allocation in KASAN
|
CVE-2025-38029
|
|
VCID-kb6j-uab6-yqbv
|
kernel: RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
|
CVE-2026-46112
|
|
VCID-kbxd-r1em-zubf
|
kernel: Kernel: Race condition in espintcp can lead to denial of service
|
CVE-2026-23239
|
|
VCID-kd7c-k1g8-cqfa
|
kernel: smb: Don't leak cfid when reconnect races with open_cached_dir
|
CVE-2024-53178
|
|
VCID-kf89-k8sz-tucc
|
kernel: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
|
CVE-2026-23444
|
|
VCID-kg5h-6j7r-aqhc
|
kernel: Linux Kernel: Denial of Service in iwlwifi due to improper firmware error handling
|
CVE-2025-38096
|
|
VCID-kg7k-a1vp-2bgz
|
kernel: Linux kernel: PCI/ASPM use-after-free during hot-unplug
|
CVE-2024-58093
|
|
VCID-kgf4-n91d-fuad
|
kernel: smb: client: prevent races in ->query_interfaces()
|
CVE-2026-43239
|
|
VCID-khyy-2zaa-kfd2
|
kernel: PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
|
CVE-2026-31594
|
|
VCID-kmbg-3edp-7yhz
|
kernel: wifi: iwlwifi: fix 22000 series SMEM parsing
|
CVE-2026-43172
|
|
VCID-kpe9-8279-nkcj
|
kernel: tracing: Fix crash on synthetic stacktrace field usage
|
CVE-2026-23088
|
|
VCID-kpf6-8qdw-xfen
|
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Unmap the surface before resetting it on a plane state Switch to a new plane state requires unreferencing of all held surfaces. In the work required for mob cursors the mapped surfaces started being cached but the variable indicating whether the surface is currently mapped was not being reset. This leads to crashes as the duplicated state, incorrectly, indicates that the surface is mapped even when no surface is present. That's because after unreferencing the surface it's perfectly possible for the plane to be backed by a bo instead of a surface. Reset the surface mapped flag when unreferencing the plane state surface to fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx] Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f> RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600 RBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920 R10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000 R13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00 FS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0 Call Trace: <TASK> ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? exc_page_fault+0x7f/0x180 ? asm_exc_page_fault+0x26/0x30 ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx] drm_atomic_helper_cleanup_planes+0x9b/0xc0 commit_tail+0xd1/0x130 drm_atomic_helper_commit+0x11a/0x140 drm_atomic_commit+0x97/0xd0 ? __pfx___drm_printfn_info+0x10/0x10 drm_atomic_helper_update_plane+0xf5/0x160 drm_mode_cursor_universal+0x10e/0x270 drm_mode_cursor_common+0x102/0x230 ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10 drm_ioctl_kernel+0xb2/0x110 drm_ioctl+0x26d/0x4b0 ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10 ? __pfx_drm_ioctl+0x10/0x10 vmw_generic_ioctl+0xa4/0x110 [vmwgfx] __x64_sys_ioctl+0x94/0xd0 do_syscall_64+0x61/0xe0 ? __x64_sys_ioctl+0xaf/0xd0 ? syscall_exit_to_user_mode+0x2b/0x40 ? do_syscall_64+0x70/0xe0 ? __x64_sys_ioctl+0xaf/0xd0 ? syscall_exit_to_user_mode+0x2b/0x40 ? do_syscall_64+0x70/0xe0 ? exc_page_fault+0x7f/0x180 entry_SYSCALL_64_after_hwframe+0x6e/0x76 RIP: 0033:0x7f1e93f279ed Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f> RSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed RDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015 RBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007 R10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0 R13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790 </TASK> Modules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine> CR2: 0000000000000028 ---[ end trace 0000000000000000 ]--- RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx] Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f> RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600 RBP: ffff969d4143 ---truncated---
|
CVE-2023-52648
|
|
VCID-kpgk-q2sx-nbfd
|
kernel: netfilter: reject zero shift in nft_bitwise
|
CVE-2026-46101
|
|
VCID-ktkv-x98j-tuh3
|
In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
|
CVE-2023-21264
|
|
VCID-ktrf-r84b-6ub5
|
kernel: spi: microchip-core-qspi: control built-in cs manually
|
CVE-2026-46148
|
|
VCID-ku8g-hgas-33dj
|
kernel: md/raid10: wait barrier before returning discard request with REQ_NOWAIT
|
CVE-2025-40325
|
|
VCID-kuxe-9324-euc1
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Disable idle reallow as part of command/gpint execution [Why] Workaround for a race condition where DMCUB is in the process of committing to IPS1 during the handshake causing us to miss the transition into IPS2 and touch the INBOX1 RPTR causing a HW hang. [How] Disable the reallow to ensure that we have enough of a gap between entry and exit and we're not seeing back-to-back wake_and_executes.
|
CVE-2024-36024
|
|
VCID-ky7g-3phc-vbg8
|
kernel: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
|
CVE-2026-46147
|
|
VCID-kyfm-5xyk-m7hw
|
kernel: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
|
CVE-2026-31696
|
|
VCID-kyqq-4eb6-mqbq
|
In the Linux kernel, the following vulnerability has been resolved: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is:0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/
|
CVE-2024-26947
|
|
VCID-kz5y-5edk-3ya1
|
In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore suspended array in md_check_recovery() mddev_suspend() never stops sync_thread, hence it doesn't make sense to ignore suspended array in md_check_recovery(), which might cause sync_thread can't be unregistered. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), following hang can be triggered by test shell/integrity-caching.sh: 1) suspend the array: raid_postsuspend mddev_suspend 2) stop the array: raid_dtr md_stop __md_stop_writes stop_sync_thread set_bit(MD_RECOVERY_INTR, &mddev->recovery); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) 3) sync thread done: md_do_sync set_bit(MD_RECOVERY_DONE, &mddev->recovery); md_wakeup_thread(mddev->thread); 4) daemon thread can't unregister sync thread: md_check_recovery if (mddev->suspended) return; -> return directly md_read_sync_thread clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery); -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang; This problem is not just related to dm-raid, fix it by ignoring suspended array in md_check_recovery(). And follow up patches will improve dm-raid better to freeze sync thread during suspend.
|
CVE-2024-26758
|
|
VCID-kzpc-hk41-mqcp
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.
|
CVE-2024-46776
|
|
VCID-m21w-83w1-eqdc
|
kernel: drm/amd/display: Check null pointer before try to access it
|
CVE-2024-49906
|
|
VCID-m4mj-cjt5-a3g4
|
In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer While transmitting with rx_len == 0, the RX FIFO is not going to be emptied in the interrupt handler. A subsequent transfer could then read crap from the previous transfer out of the RX FIFO into the start RX buffer. The core provides a register that will empty the RX and TX FIFOs, so do that before each transfer.
|
CVE-2024-42279
|
|
VCID-m641-m8zm-skga
|
kernel: blk-cgroup: hold queue_lock when removing blkg->q_node
|
CVE-2023-54088
|
|
VCID-m6dq-1utf-cugr
|
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: move the EST lock to struct stmmac_priv Reinitialize the whole EST structure would also reset the mutex lock which is embedded in the EST structure, and then trigger the following warning. To address this, move the lock to struct stmmac_priv. We also need to reacquire the mutex lock when doing this initialization. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068 Modules linked in: CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0xd84/0x1068 lr : __mutex_lock+0xd84/0x1068 sp : ffffffc0864e3570 x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003 x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000 x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000 x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8 x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698 x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001 x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027 x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: __mutex_lock+0xd84/0x1068 mutex_lock_nested+0x28/0x34 tc_setup_taprio+0x118/0x68c stmmac_setup_tc+0x50/0xf0 taprio_change+0x868/0xc9c
|
CVE-2024-38594
|
|
VCID-m9cq-ejf2-mqef
|
kernel: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
|
CVE-2026-31623
|
|
VCID-mbne-4uz3-6ugp
|
kernel: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC
|
CVE-2025-21894
|
|
VCID-mc1c-8myu-uffn
|
kernel: clk: sunxi-ng: h616: Reparent GPU clock during frequency changes
|
CVE-2025-38041
|
|
VCID-mcg6-jd93-6qgf
|
kernel: i3c: dw: Fix use-after-free in dw_i3c_master driver due to race condition
|
CVE-2024-57984
|
|
VCID-mcmh-yshq-v7f2
|
kernel: drm/amd/display: Fix dc_link NULL handling in HPD init
|
CVE-2026-46245
|
|
VCID-mdmt-exws-27hm
|
kernel: net: annotate data-races around sk->sk_{data_ready,write_space}
|
CVE-2026-23302
|
|
VCID-memc-2s8z-83bu
|
kernel: netfilter: nf_tables: avoid chain re-validation if possible
|
CVE-2025-71160
|
|
VCID-mfas-25np-hqaf
|
kernel: net: decrease cached dst counters in dst_release
|
CVE-2025-22057
|
|
VCID-mfqk-hpz6-hbb6
|
kernel: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
|
CVE-2025-39850
|
|
VCID-mfyw-c943-y3fa
|
kernel: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
|
CVE-2026-46002
|
|
VCID-mfzm-sbhd-dkb1
|
kernel: media: em28xx: fix use-after-free in em28xx_v4l2_open()
|
CVE-2026-31583
|
|
VCID-mjhx-ymmm-qbbh
|
kernel: net: ks8851: Reinstate disabling of BHs around IRQ handler
|
CVE-2026-46031
|
|
VCID-mjmz-uzqb-63fq
|
kernel: functionfs: fix the open/removal races
|
CVE-2025-71074
|
|
VCID-mm3c-nctt-1ba2
|
kernel: net: qrtr: ns: Limit the total number of nodes
|
CVE-2026-46003
|
|
VCID-mmv3-bhb7-jka9
|
kernel: md/raid5: validate payload size before accessing journal metadata
|
CVE-2026-46070
|
|
VCID-mmzd-a7h4-aub8
|
kernel: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check()
|
CVE-2025-68188
|
|
VCID-mp6e-ezkr-kues
|
kernel: s390/ism: fix concurrency management in ism_cmd()
|
CVE-2025-39726
|
|
VCID-mp87-f54p-63hf
|
kernel: fs/ntfs3: cancle set bad inode after removing name fails
|
CVE-2025-38615
|
|
VCID-mpdm-m8sz-suh1
|
kernel: KVM: arm64: Get rid of userspace_irqchip_in_use
|
CVE-2024-53195
|
|
VCID-mrhb-gscz-pkew
|
kernel: spi: fsl: fix controller deregistration
|
CVE-2026-46226
|
|
VCID-mtwd-8t8u-e7g5
|
kernel: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
|
CVE-2026-43114
|
|
VCID-mu6y-9t1v-1ues
|
kernel: rv: Use strings in da monitors tracepoints
|
CVE-2025-38636
|
|
VCID-mvuf-9mag-sybw
|
kernel: crypto: x86/aegis - Add missing error checks
|
CVE-2025-39789
|
|
VCID-mxx8-xbqc-uuf1
|
kernel: crypto: af_alg - limit RX SG extraction by receive buffer budget
|
CVE-2026-31677
|
|
VCID-myfv-reqe-gqfs
|
kernel: f2fs: fix to avoid overflow while left shift operation
|
CVE-2025-40077
|
|
VCID-myux-y45y-kucn
|
kernel: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
|
CVE-2025-39851
|
|
VCID-myz4-geub-kbbj
|
kernel: ibmasm: fix OOB reads in command_file_write due to missing size checks
|
CVE-2026-45994
|
|
VCID-n1x6-a3mu-efd9
|
kernel: udp: Deal with race between UDP socket address change and rehash
|
CVE-2024-57974
|
|
VCID-n2y1-ucnb-vkea
|
kernel: xfrm_user: fix info leak in build_mapping()
|
CVE-2026-43089
|
|
VCID-n2zj-7hnv-dkem
|
kernel: f2fs: fix UAF issue in f2fs_merge_page_bio()
|
CVE-2025-40054
|
|
VCID-n3ys-23sg-qyax
|
kernel: crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
|
CVE-2026-46075
|
|
VCID-n4v2-53gf-wugg
|
kernel: Linux kernel: Memory Corruption and Kernel Crashes via IOMMU SVA coherency issue
|
CVE-2025-71202
|
|
VCID-n5ks-jcrb-e3aj
|
kernel: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1
|
CVE-2025-21831
|
|
VCID-n65w-1uwp-hka4
|
kernel: ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
|
CVE-2026-31531
|
|
VCID-n7bz-kduz-hyfm
|
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC syzbot reports a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/inline.c:258! CPU: 1 PID: 34 Comm: kworker/u8:2 Not tainted 6.9.0-rc6-syzkaller-00012-g9e4bc4bcae01 #0 RIP: 0010:f2fs_write_inline_data+0x781/0x790 fs/f2fs/inline.c:258 Call Trace: f2fs_write_single_data_page+0xb65/0x1d60 fs/f2fs/data.c:2834 f2fs_write_cache_pages fs/f2fs/data.c:3133 [inline] __f2fs_write_data_pages fs/f2fs/data.c:3288 [inline] f2fs_write_data_pages+0x1efe/0x3a90 fs/f2fs/data.c:3315 do_writepages+0x35b/0x870 mm/page-writeback.c:2612 __writeback_single_inode+0x165/0x10b0 fs/fs-writeback.c:1650 writeback_sb_inodes+0x905/0x1260 fs/fs-writeback.c:1941 wb_writeback+0x457/0xce0 fs/fs-writeback.c:2117 wb_do_writeback fs/fs-writeback.c:2264 [inline] wb_workfn+0x410/0x1090 fs/fs-writeback.c:2304 process_one_work kernel/workqueue.c:3254 [inline] process_scheduled_works+0xa12/0x17c0 kernel/workqueue.c:3335 worker_thread+0x86d/0xd70 kernel/workqueue.c:3416 kthread+0x2f2/0x390 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The root cause is: inline_data inode can be fuzzed, so that there may be valid blkaddr in its direct node, once f2fs triggers background GC to migrate the block, it will hit f2fs_bug_on() during dirty page writeback. Let's add sanity check on F2FS_INLINE_DATA flag in inode during GC, so that, it can forbid migrating inline_data inode's data block for fixing.
|
CVE-2024-44942
|
|
VCID-n9fy-6a59-ubcq
|
In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.
|
CVE-2024-25742
|
|
VCID-n9qz-8rsq-fkav
|
kernel: wifi: brcmfmac: validate bsscfg indices in IF events
|
CVE-2026-43110
|
|
VCID-nb64-jz74-a3gv
|
kernel: wifi: wl1251: validate packet IDs before indexing tx_frames
|
CVE-2026-43113
|
|
VCID-nhdf-8hnu-cygx
|
kernel: batman-adv: reject new tp_meter sessions during teardown
|
CVE-2026-46206
|
|
VCID-nhep-616e-uyfv
|
kernel: ASoC: SOF: avoid a NULL dereference with unsupported widgets
|
CVE-2023-54233
|
|
VCID-njdc-rwaz-skds
|
kernel: netfilter: ctnetlink: ensure safe access to master conntrack
|
CVE-2026-43116
|
|
VCID-nkh7-4ykm-z3cm
|
kernel: rds: sysctl: rds_tcp_{rcv,snd}buf: avoid using current->nsproxy
|
CVE-2025-21635
|
|
VCID-nm7p-s6cn-6kdf
|
kernel: Linux kernel Bluetooth: Denial of Service due to use-after-free in connection handling
|
CVE-2023-53762
|
|
VCID-nn2y-cfhe-nkh8
|
kernel: openvswitch: vport: fix self-deadlock on release of tunnel ports
|
CVE-2026-46165
|
|
VCID-nnnp-hy6b-fua7
|
kernel: ALSA: 6fire: fix use-after-free on disconnect
|
CVE-2026-31581
|
|
VCID-np7p-xgmf-ayec
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix double free err_addr pointer warnings In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages will be run many times so that double free err_addr in some special case. So set the err_addr to NULL to avoid the warnings.
|
CVE-2024-42123
|
|
VCID-nqpm-ce1e-ybg4
|
kernel: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
|
CVE-2026-31597
|
|
VCID-nrpc-rk56-mqd9
|
kernel: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
|
CVE-2026-43492
|
|
VCID-ntw3-1erb-afe2
|
kernel: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
|
CVE-2025-71285
|
|
VCID-nu94-8cqs-akgq
|
kernel: net: use dst_dev_rcu() in sk_setup_caps()
|
CVE-2025-40170
|
|
VCID-nupa-bc9a-bfgv
|
kernel: mlx5: Fix default values in create CQ
|
CVE-2025-68209
|
|
VCID-nur8-kr2v-mbb3
|
kernel: thermal: core: Fix thermal zone governor cleanup issues
|
CVE-2026-46021
|
|
VCID-nuwa-mdwd-53ep
|
kernel: net: ibmveth: make veth_pool_store stop hanging
|
CVE-2025-22053
|
|
VCID-nv3h-mzkb-jyej
|
kernel: btrfs: fix block group refcount race in btrfs_create_pending_block_groups()
|
CVE-2025-22115
|
|
VCID-nv8f-8kvf-z7fq
|
kernel: ceph: fix memory leaks in ceph_mdsc_build_path()
|
CVE-2026-43419
|
|
VCID-nvx7-gag5-effp
|
kernel: ksmbd: fix refcount leak causing resource not released
|
CVE-2025-39720
|
|
VCID-nw7f-tz7e-gkdc
|
kernel: tcp: fix potential race in tcp_v6_syn_recv_sock()
|
CVE-2026-43198
|
|
VCID-nwev-wj4e-rfgk
|
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add mutex lock in control vblank irq Add a mutex lock to control vblank irq to synchronize vblank enable/disable operations happening from different threads to prevent race conditions while registering/unregistering the vblank irq callback. v4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a parameter of dpu_encoder_phys. -Switch from atomic refcnt to a simple int counter as mutex has now been added v3: Mistakenly did not change wording in last version. It is done now. v2: Slightly changed wording of commit message Patchwork: https://patchwork.freedesktop.org/patch/571854/
|
CVE-2023-52586
|
|
VCID-nxq8-gfda-4ubt
|
kernel: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
|
CVE-2026-31586
|
|
VCID-nysd-ujaw-byds
|
kernel: xfrm: account XFRMA_IF_ID in aevent size calculation
|
CVE-2026-43107
|
|
VCID-nysg-nhqs-8ybn
|
kernel: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
|
CVE-2025-21768
|
|
VCID-nz9j-mg8z-yuf3
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: change vm->task_info handling
This patch changes the handling and lifecycle of vm->task_info object. The major changes are:
- vm->task_info is a dynamically allocated ptr now, and its usage is reference counted.
- introducing two new helper funcs for task_info lifecycle management
  - amdgpu_vm_get_task_info: reference counts up task_info before returning this info
  - amdgpu_vm_put_task_info: reference counts down task_info
- last put to task_info() frees task_info from the vm.
This patch also does logistical changes required for existing usage of vm->task_info.
V2: Do not block all the prints when task_info not found (Felix)
V3: Fixed review comments from Felix
- Fix wrong indentation
- No debug message for -ENOMEM
- Add NULL check for task_info
- Do not duplicate the debug messages (ti vs no ti)
- Get first reference of task_info in vm_init(), put last in vm_fini()
V4: Fixed review comments from Felix
- fix double reference increment in create_task_info
- change amdgpu_vm_get_task_info_pasid
- additional changes in amdgpu_gem.c while porting
|
CVE-2024-41008
|
|
VCID-nzhw-5q3e-53bc
|
kernel: drm/amd/display: Implement bounds check for stream encoder creation in DCN401
|
CVE-2024-49970
|
|
VCID-p1rr-am53-s7ec
|
In the Linux kernel, the following vulnerability has been resolved: reiserfs: Avoid touching renamed directory if parent does not change The VFS will not be locking the moved directory if its parent does not change. Change reiserfs rename code to avoid touching the renamed directory if its parent does not change, as without locking that can corrupt the filesystem.
|
CVE-2023-52591
|
|
VCID-p29g-wayb-p3ev
|
kernel: net: enetc: fix the deadlock of enetc_mdio_lock
|
CVE-2025-40347
|
|
VCID-p3gt-77qb-w3b2
|
kernel: media: amphion: Fix race between m2m job_abort and device_run
|
CVE-2026-46058
|
|
VCID-p4b3-j95y-97h8
|
kernel: Bluetooth: hci_conn: fix potential UAF in create_big_sync
|
CVE-2026-46111
|
|
VCID-p6y2-zt7h-qudd
|
kernel: KVM: SVM: Add missing save/restore handling of LBR MSRs
|
CVE-2026-46014
|
|
VCID-p78h-h543-mkgp
|
kernel: f2fs: fix potential deadloop in prepare_compress_overwrite()
|
CVE-2025-22127
|
|
VCID-p79x-3vjm-h7e8
|
kernel: Linux kernel: Denial of Service in rxrpc due to prealloc collision
|
CVE-2025-38544
|
|
VCID-p7n5-md78-1qf9
|
kernel: net: stmmac: fix oops when split header is enabled
|
CVE-2026-45940
|
|
VCID-p7wj-qg2x-euc1
|
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not BUG_ON() when freeing tree block after error When freeing a tree block, at btrfs_free_tree_block(), if we fail to create a delayed reference we don't deal with the error and just do a BUG_ON(). The error most likely to happen is -ENOMEM, and we have a comment mentioning that only -ENOMEM can happen, but that is not true, because in case qgroups are enabled any error returned from btrfs_qgroup_trace_extent_post() (can be -EUCLEAN or anything returned from btrfs_search_slot() for example) can be propagated back to btrfs_free_tree_block(). So stop doing a BUG_ON() and return the error to the callers and make them abort the transaction to prevent leaking space. Syzbot was triggering this, likely due to memory allocation failure injection.
|
CVE-2024-44963
|
|
VCID-p85j-rtx2-d3cm
|
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails
From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation; this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones).
This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements.
Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit.
The splat below shows an object in mappings memleak:
[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS:  00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118]  <TASK>
[43929.458121]  ? __warn+0x9f/0x1a0
[43929.458127]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188]  ? report_bug+0x1b1/0x1e0
[43929.458196]  ? handle_bug+0x3c/0x70
[43929.458200]  ? exc_invalid_op+0x17/0x40
[43929.458211]  ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271]  ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332]  nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392]  nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453]  ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512]  ? rb_insert_color+0x2e/0x280
[43929.458520]  nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582]  ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642]  ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701]  ? __rcu_read_unlock+0x46/0x70
[43929.458709]  nft_delset+0xff/0x110 [nf_tables]
[43929.458769]  nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830]  nf_tables_deltable+0x501/0x580 [nf_tables]
|
CVE-2024-27012
|
|
VCID-p9dx-t5wf-9fhb
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini() Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL before the call to dc_enable_dmub_notifications(), check beforehand to ensure there will not be a possible NULL-ptr-deref there. Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy(). Clean up by combining them all under one 'if'. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE.
|
CVE-2024-27041
|
|
VCID-pchw-wdqe-17bb
|
kernel: l2tp: Drop large packets with UDP encap
|
CVE-2026-43080
|
|
VCID-pdn6-83n5-x3d4
|
In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings
Replace memzero_explicit() and kfree() with kfree_sensitive() to fix warnings reported by Coccinelle:
WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)
WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)
WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)
|
CVE-2024-42158
|
|
VCID-pe4z-6gq1-pkhf
|
In the Linux kernel, the following vulnerability has been resolved: nvme: apple: fix device reference counting Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl. Split the allocation side out to make the error handling boundary easier to navigate. The apple driver had been doing this wrong, leaking the controller device memory on a tagset failure.
|
CVE-2024-43913
|
|
VCID-pens-udz3-skdp
|
kernel: smb: client: fix use-after-free of signing key
|
CVE-2024-53179
|
|
VCID-pgtt-bpyw-ckbm
|
kernel: Linux kernel KVM: Denial of Service due to uninitialized vCPU event handling
|
CVE-2025-40102
|
|
VCID-pjb3-1vrm-87en
|
kernel: drm/amdgpu: remove two invalid BUG_ON()s
|
CVE-2025-68201
|
|
VCID-pm5z-vsd8-efbg
|
kernel: spi: mpc52xx: fix use-after-free on unbind
|
CVE-2026-46219
|
|
VCID-pnza-bh9x-9kbv
|
kernel: bpf: consider that tail calls invalidate packet pointers
|
CVE-2024-58237
|
|
VCID-pp66-xz9x-rqdm
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null pointer deref in dcn20_resource.c
Fixes a hang that's triggered when MPV is run on a DCN401 dGPU:
mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all
and then enabling fullscreen playback (double click on the video)
The following calltrace will be seen:
[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 181.843997] #PF: supervisor instruction fetch in kernel mode
[ 181.844003] #PF: error_code(0x0010) - not-present page
[ 181.844009] PGD 0 P4D 0
[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018
[ 181.844044] RIP: 0010:0x0
[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246
[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400
[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c
[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8
[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005
[ 181.844121] FS:  00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000
[ 181.844128] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0
[ 181.844141] Call Trace:
[ 181.844146]  <TASK>
[ 181.844153]  ? show_regs+0x6d/0x80
[ 181.844167]  ? __die+0x24/0x80
[ 181.844179]  ? page_fault_oops+0x99/0x1b0
[ 181.844192]  ? do_user_addr_fault+0x31d/0x6b0
[ 181.844204]  ? exc_page_fault+0x83/0x1b0
[ 181.844216]  ? asm_exc_page_fault+0x27/0x30
[ 181.844237]  dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]
[ 181.845115]  amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]
[ 181.845985]  amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]
[ 181.846848]  fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]
[ 181.847734]  fill_dc_plane_attributes+0x162/0x350 [amdgpu]
[ 181.848748]  dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[ 181.849791]  ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[ 181.850840]  amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]
|
CVE-2024-43899
|
|
VCID-ppd8-6zj5-xuew
|
kernel: ocfs2: handle invalid dinode in ocfs2_group_extend
|
CVE-2026-31596
|
|
VCID-ppq2-1p6u-h7gb
|
kernel: fs: quota: create dedicated workqueue for quota_release_work
|
CVE-2025-40196
|
|
VCID-pr8b-krvb-z7gw
|
kernel: hwrng: core - use RCU and work_struct to fix race condition
|
CVE-2026-45949
|
|
VCID-przv-eskx-nbfg
|
kernel: afs: Fix lock recursion
|
CVE-2024-53090
|
|
VCID-pt17-5xvc-27ar
|
kernel: xfrm: prevent policy_hthresh.work from racing with netns teardown
|
CVE-2026-31516
|
|
VCID-pv7b-6a56-mkge
|
kernel: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak
|
CVE-2026-46159
|
|
VCID-pvgy-4uc1-2ucy
|
kernel: btrfs: do proper folio cleanup when run_delalloc_nocow() failed
|
CVE-2024-57975
|
|
VCID-pvk8-ufgp-aug8
|
kernel: openvswitch: cap upcall PID array size and pre-size vport replies
|
CVE-2026-45840
|
|
VCID-pxrz-q3ep-wyc4
|
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix NULL domain on device release
In the kdump kernel, the IOMMU operates in deferred_attach mode. In this mode, info->domain may not yet be assigned by the time the release_device function is called. It leads to the following crash in the crash kernel:
BUG: kernel NULL pointer dereference, address: 000000000000003c
...
RIP: 0010:do_raw_spin_lock+0xa/0xa0
...
 _raw_spin_lock_irqsave+0x1b/0x30
 intel_iommu_release_device+0x96/0x170
 iommu_deinit_device+0x39/0xf0
 __iommu_group_remove_device+0xa0/0xd0
 iommu_bus_notifier+0x55/0xb0
 notifier_call_chain+0x5a/0xd0
 blocking_notifier_call_chain+0x41/0x60
 bus_notify+0x34/0x50
 device_del+0x269/0x3d0
 pci_remove_bus_device+0x77/0x100
 p2sb_bar+0xae/0x1d0
 ...
 i801_probe+0x423/0x740
Use the release_domain mechanism to fix it. The scalable mode context entry which is not part of release domain should be cleared in release_device().
|
CVE-2024-27079
|
|
VCID-q11g-qkne-1ffb
|
In the Linux kernel, the following vulnerability has been resolved: dm-raid: really frozen sync_thread during suspend
1) commit f52f5c71f3d4 ("md: fix stopping sync thread") removed MD_RECOVERY_FROZEN from __md_stop_writes() and didn't realize that dm-raid relies on __md_stop_writes() to freeze sync_thread indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in md_stop_writes(), and since stop_sync_thread() is only used for dm-raid in this case, also move stop_sync_thread() to md_stop_writes().
2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen; it only prevents a new sync_thread from starting, and it can't stop the running sync thread. In order to freeze sync_thread, after setting the flag, stop_sync_thread() should be used.
3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, so using it as the condition for md_stop_writes() in raid_postsuspend() doesn't look correct. Considering that a reentrant stop_sync_thread() does nothing, always call md_stop_writes() in raid_postsuspend().
4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at any time, and if MD_RECOVERY_FROZEN is cleared while the array is suspended, a new sync_thread can start unexpectedly. Fix this by disallowing raid_message() from changing sync_thread status during suspend.
Note that after commit f52f5c71f3d4 ("md: fix stopping sync thread"), the test shell/lvconvert-raid-reshape.sh started to hang in stop_sync_thread(), and with previous fixes, the test won't hang there anymore; however, the test will still fail and complain that ext4 is corrupted. And with this patch, the test won't hang due to stop_sync_thread() or fail due to ext4 being corrupted anymore. However, there is still a deadlock related to dm-raid456 that will be fixed in following patches.
|
CVE-2024-35794
|
|
VCID-q1mq-7s3x-kkdc
|
kernel: drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs
|
CVE-2024-49901
|
|
VCID-q1pp-ak8w-k3b6
|
kernel: wifi: ath10k: shutdown driver when hardware is unreliable
|
CVE-2025-39746
|
|
VCID-q266-vw2w-4qbe
|
kernel: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN
|
CVE-2026-23472
|
|
VCID-q4td-fnf4-5kfn
|
kernel: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
|
CVE-2026-43075
|
|
VCID-q8bk-wd96-fkcb
|
kernel: HID: nintendo: avoid bluetooth suspend/resume stalls
|
CVE-2025-38507
|
|
VCID-q8pn-a6a2-vye5
|
kernel: xsk: tighten UMEM headroom validation to account for tailroom and min frame
|
CVE-2026-43093
|
|
VCID-q8se-h3bh-aqb5
|
In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.
|
CVE-2023-23005
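The record above is the classic kernel error-pointer confusion: alloc_memory_type() reports failure with an ERR_PTR()-encoded value, so a caller that only tests for NULL takes the success path and dereferences an address in the top 4095 bytes of the address space. The block below is an added illustration, not kernel or mm/memory-tiers.c code: it re-implements the ERR_PTR/IS_ERR/PTR_ERR helpers from the kernel's include/linux/err.h in userspace, and alloc_memory_type_sim() plus both caller_* functions are hypothetical stand-ins used to contrast the wrong and the right check.

```c
/* Added example, not kernel code. Userspace re-implementation of the
 * kernel's error-pointer convention (include/linux/err.h) to show why a
 * NULL check does not catch an ERR_PTR() return. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ERRNO 4095   /* same bound the kernel uses */

/* Errors are encoded as pointers in the last MAX_ERRNO bytes of the
 * address space; NULL (0) is deliberately NOT in that range. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct memory_type { int adistance; };

/* Hypothetical stand-in for alloc_memory_type(): on failure it returns
 * ERR_PTR(-ENOMEM), never NULL. `fail` forces the error path. */
static struct memory_type *alloc_memory_type_sim(int adistance, int fail)
{
    struct memory_type *mt;

    if (fail)
        return ERR_PTR(-ENOMEM);
    mt = malloc(sizeof(*mt));
    if (!mt)
        return ERR_PTR(-ENOMEM);
    mt->adistance = adistance;
    return mt;
}

/* The bug class in the record: a NULL test that ERR_PTR() sails past.
 * Returns 0 on success, -ENOMEM if the NULL branch fired, and 1 if an
 * error pointer reached the point where the original would dereference it
 * (we report it instead of faulting). */
static int caller_null_check(int fail)
{
    struct memory_type *mt = alloc_memory_type_sim(100, fail);

    if (!mt)
        return -ENOMEM;      /* never taken for ERR_PTR(-ENOMEM) */
    if (IS_ERR(mt))
        return 1;            /* the original would touch mt->adistance here */
    free(mt);
    return 0;
}

/* Correct form: test with IS_ERR() and recover the errno with PTR_ERR(). */
static int caller_is_err_check(int fail)
{
    struct memory_type *mt = alloc_memory_type_sim(100, fail);

    if (IS_ERR(mt))
        return (int)PTR_ERR(mt);
    free(mt);
    return 0;
}

int main(void)
{
    printf("ERR_PTR(-ENOMEM) is NULL? %s\n",
           ERR_PTR(-ENOMEM) == NULL ? "yes" : "no");
    printf("NULL-check caller on failure -> %d (1 = would deref error ptr)\n",
           caller_null_check(1));
    printf("IS_ERR caller on failure   -> %d (expect -ENOMEM = %d)\n",
           caller_is_err_check(1), -ENOMEM);
    return 0;
}
```

When reviewing callers of an allocator, check which convention it uses (NULL, ERR_PTR, or both) and match the test to it; IS_ERR_OR_NULL() exists in the kernel for the mixed case, but using it on an ERR_PTR-only function silently hides which of the two the author expected.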
|
|
VCID-q8w9-mm3d-jug3
|
kernel: ipv6: use RCU in ip6_output()
|
CVE-2025-40158
|
|
VCID-qaks-mvfq-rqhs
|
kernel: bpf: Call free_htab_elem() after htab_unlock_bucket()
|
CVE-2024-56592
|
|
VCID-qb5u-abf3-cubv
|
kernel: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
|
CVE-2026-46043
|
|
VCID-qcjc-x1a3-xfdf
|
kernel: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker
|
CVE-2024-57888
|
|
VCID-qcnk-s35k-77e2
|
kernel: drm/amdgpu: prevent immediate PASID reuse case
|
CVE-2026-31462
|
|
VCID-qd3j-xttx-3bg7
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Ensure array index tg_inst won't be -1 [WHY & HOW] tg_inst will be negative if timing_generator_count equals 0, which should be checked before it is used. This fixes 2 OVERRUN issues reported by Coverity.
|
CVE-2024-46730
|
|
VCID-qjty-7djt-43bf
|
kernel: spi: mpc52xx: fix controller deregistration
|
CVE-2026-46200
|
|
VCID-qkeu-rz4s-53a1
|
kernel: xfrm: state: fix out-of-bounds read during lookup
|
CVE-2024-57982
|
|
VCID-qmcz-sdmu-nfcu
|
In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix password opcode ordering for workstations The Lenovo workstations require the password opcode to be run before the attribute value is changed (if Admin password is enabled). Tested on some Thinkpads to confirm they are OK with this order too.
|
CVE-2024-26836
|
|
VCID-qmkt-912x-9yfb
|
kernel: rxrpc: proc: size address buffers for %pISpc output
|
CVE-2026-31630
|
|
VCID-qmpc-u417-hqfu
|
kernel: ice: fix Tx scheduler error handling in XDP callback
|
CVE-2025-38127
|
|
VCID-qncn-y5be-gudr
|
kernel: accel/habanalabs: postpone mem_mgr IDR destruction to hpriv_release()
|
CVE-2023-53353
|
|
VCID-qrsy-spn3-g7du
|
kernel: xfrm: hold dev ref until after transport_finish NF_HOOK
|
CVE-2026-31663
|
|
VCID-qts1-r78p-4fgg
|
In the Linux kernel, the following vulnerability has been resolved: mm/shmem: disable PMD-sized page cache if needed
For shmem files, it's possible that PMD-sized page cache can't be supported by xarray. For example, 512MB page cache on ARM64 when the base page size is 64KB can't be supported by xarray. It leads to errors as the following messages indicate when this sort of xarray entry is split.
WARNING: CPU: 34 PID: 7578 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 \
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject \
nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm fuse xfs \
libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_net \
net_failover virtio_console virtio_blk failover dimlib virtio_mmio
CPU: 34 PID: 7578 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff8000882af5f0
x29: ffff8000882af5f0 x28: ffff8000882af650 x27: ffff8000882af768
x26: 0000000000000cc0 x25: 000000000000000d x24: ffff00010625b858
x23: ffff8000882af650 x22: ffffffdfc0900000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0900000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000018000000000 x15: 52f8004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 52f8000000000000 x10: 52f8e1c0ffff6000 x9 : ffffbeb9619a681c
x8 : 0000000000000003 x7 : 0000000000000000 x6 : ffff00010b02ddb0
x5 : ffffbeb96395e378 x4 : 0000000000000000 x3 : 0000000000000cc0
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
 xas_split_alloc+0xf8/0x128
 split_huge_page_to_list_to_order+0x1c4/0x720
 truncate_inode_partial_folio+0xdc/0x160
 shmem_undo_range+0x2bc/0x6a8
 shmem_fallocate+0x134/0x430
 vfs_fallocate+0x124/0x2e8
 ksys_fallocate+0x4c/0xa0
 __arm64_sys_fallocate+0x24/0x38
 invoke_syscall.constprop.0+0x7c/0xd8
 do_el0_svc+0xb4/0xd0
 el0_svc+0x44/0x1d8
 el0t_64_sync_handler+0x134/0x150
 el0t_64_sync+0x17c/0x180
Fix it by disabling PMD-sized page cache when HPAGE_PMD_ORDER is larger than MAX_PAGECACHE_ORDER. As Matthew Wilcox pointed out, the page cache in a shmem file isn't represented by a multi-index entry and doesn't have this limitation when the xarray entry is split until commit 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache").
|
CVE-2024-42241
|
|
VCID-qu4s-g667-4uhg
|
kernel: fs/ntfs3: Keep write operations atomic
|
CVE-2025-37806
|
|
VCID-qwfq-k94h-q7hx
|
kernel: erofs: fix the out-of-bounds nameoff handling for trailing dirents
|
CVE-2026-46078
|
|
VCID-qwkq-f23k-zqgu
|
kernel: ata: libata-scsi: avoid Non-NCQ command starvation
|
CVE-2026-45855
|
|
VCID-qy34-242d-2ffw
|
kernel: ksmbd: fix WARNING "do not call blocking ops when !TASK_RUNNING"
|
CVE-2025-37802
|
|
VCID-r1z1-zffy-3kem
|
kernel: rtnetlink: add missing netlink_ns_capable() check for peer netns
|
CVE-2026-31692
|
|
VCID-r4g1-h5c5-8kdh
|
kernel: f2fs: fix to avoid panic once fallocation fails for pinfile
|
CVE-2025-23130
|
|
VCID-r5m7-c2ex-c3av
|
kernel: btrfs: do proper folio cleanup when cow_file_range() failed
|
CVE-2024-57976
|
|
VCID-r5v2-jywv-skch
|
kernel: net/smc: check v2_ext_offset/eid_cnt/ism_gid_cnt when receiving proposal msg
|
CVE-2024-49568
|
|
VCID-r648-kgz5-vfds
|
kernel: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names()
|
CVE-2026-46088
|
|
VCID-r7ke-mzra-23dk
|
kernel: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
|
CVE-2026-46189
|
|
VCID-r87e-mkqz-gfd2
|
kernel: ima: verify the previous kernel's IMA buffer lies in addressable RAM
|
CVE-2026-43129
|
|
VCID-r8wv-tuh8-t7bp
|
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix netif state handling
mlx5e_suspend cleans resources only if netif_device_present() returns true. However, mlx5e_resume changes the state of netif, via mlx5e_nic_enable, only if reg_state == NETREG_REGISTERED. In the below case, the above leads to NULL-ptr Oops[1] and memory leaks:
mlx5e_probe
_mlx5e_resume
mlx5e_attach_netdev
mlx5e_nic_enable <-- netdev not reg, not calling netif_device_attach()
register_netdev <-- failed for some reason.
ERROR_FLOW:
_mlx5e_suspend <-- netif_device_present return false, resources aren't freed :(
Hence, clean resources in this case as well.
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9345 Comm: test-ovs-ct-gen Not tainted 6.5.0_for_upstream_min_debug_2023_09_05_16_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffff888178aaf758 EFLAGS: 00010246
Call Trace:
 <TASK>
 ? __die+0x20/0x60
 ? page_fault_oops+0x14c/0x3c0
 ? exc_page_fault+0x75/0x140
 ? asm_exc_page_fault+0x22/0x30
 notifier_call_chain+0x35/0xb0
 blocking_notifier_call_chain+0x3d/0x60
 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]
 mlx5_core_uplink_netdev_event_replay+0x3e/0x60 [mlx5_core]
 mlx5_mdev_netdev_track+0x53/0x60 [mlx5_ib]
 mlx5_ib_roce_init+0xc3/0x340 [mlx5_ib]
 __mlx5_ib_add+0x34/0xd0 [mlx5_ib]
 mlx5r_probe+0xe1/0x210 [mlx5_ib]
 ? auxiliary_match_id+0x6a/0x90
 auxiliary_bus_probe+0x38/0x80
 ? driver_sysfs_add+0x51/0x80
 really_probe+0xc9/0x3e0
 ? driver_probe_device+0x90/0x90
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x1e/0x90
 __device_attach_driver+0x7d/0x100
 bus_for_each_drv+0x80/0xd0
 __device_attach+0xbc/0x1f0
 bus_probe_device+0x86/0xa0
 device_add+0x637/0x840
 __auxiliary_device_add+0x3b/0xa0
 add_adev+0xc9/0x140 [mlx5_core]
 mlx5_rescan_drivers_locked+0x22a/0x310 [mlx5_core]
 mlx5_register_device+0x53/0xa0 [mlx5_core]
 mlx5_init_one_devl_locked+0x5c4/0x9c0 [mlx5_core]
 mlx5_init_one+0x3b/0x60 [mlx5_core]
 probe_one+0x44c/0x730 [mlx5_core]
 local_pci_probe+0x3e/0x90
 pci_device_probe+0xbf/0x210
 ? kernfs_create_link+0x5d/0xa0
 ? sysfs_do_create_link_sd+0x60/0xc0
 really_probe+0xc9/0x3e0
 ? driver_probe_device+0x90/0x90
 __driver_probe_device+0x80/0x160
 driver_probe_device+0x1e/0x90
 __device_attach_driver+0x7d/0x100
 bus_for_each_drv+0x80/0xd0
 __device_attach+0xbc/0x1f0
 pci_bus_add_device+0x54/0x80
 pci_iov_add_virtfn+0x2e6/0x320
 sriov_enable+0x208/0x420
 mlx5_core_sriov_configure+0x9e/0x200 [mlx5_core]
 sriov_numvfs_store+0xae/0x1a0
 kernfs_fop_write_iter+0x10c/0x1a0
 vfs_write+0x291/0x3c0
 ksys_write+0x5f/0xe0
 do_syscall_64+0x3d/0x90
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
|
CVE-2024-38608
|
|
VCID-r9ss-tp65-cybb
|
kernel: arm64: io: Extract user memory type in ioremap_prot()
|
CVE-2026-23346
|
|
VCID-ra5g-vte5-q7h7
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check index for aux_rd_interval before using aux_rd_interval has size of 7 and should be checked. This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.
|
CVE-2024-46728
|
|
VCID-racz-vt1y-gyd9
|
kernel: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
|
CVE-2026-46151
|
|
VCID-rc8q-ynf7-hqgz
|
kernel: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION
|
CVE-2026-31410
|
|
VCID-rdxm-d4wd-9yfe
|
kernel: RDMA/efa: Fix use of completion ctx after free
|
CVE-2026-31493
|
|
VCID-rgx7-4z44-kyh5
|
kernel: wifi: rtw88: delete timer and free skb queue when unloading
|
CVE-2023-53574
|
|
VCID-rhqv-2x19-a7dq
|
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Use device rbtree in iopf reporting path The existing I/O page fault handler currently locates the PCI device by calling pci_get_domain_bus_and_slot(). This function searches the list of all PCI devices until the desired device is found. To improve lookup efficiency, replace it with device_rbtree_find() to search the device within the probed device rbtree. The I/O page fault is initiated by the device, which does not have any synchronization mechanism with the software to ensure that the device stays in the probed device tree. Theoretically, a device could be released by the IOMMU subsystem after device_rbtree_find() and before iopf_get_dev_fault_param(), which would cause a use-after-free problem. Add a mutex to synchronize the I/O page fault reporting path and the IOMMU release device path. This lock doesn't introduce any performance overhead, as the conflict between I/O page fault reporting and device releasing is very rare.
|
CVE-2024-35843
|
|
VCID-rhrh-3par-r3e3
|
kernel: smb/client: fix out-of-bounds read in symlink_data()
|
CVE-2026-46185
|
|
VCID-rhug-fukr-bqb9
|
kernel: mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
|
CVE-2026-31458
|
|
VCID-rjnt-2xg5-yfe8
|
kernel: f2fs: fix fsck inconsistency caused by FGGC of node block
|
CVE-2026-46175
|
|
VCID-rjtc-rpmu-fba1
|
kernel: ksmbd: fix use-after-free in __smb2_lease_break_noti()
|
CVE-2025-37777
|
|
VCID-rkhz-mwuw-tqeq
|
kernel: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path
|
CVE-2025-23129
|
|
VCID-rkwy-a2uy-nfhw
|
kernel: smc: Fix use-after-free in tcp_write_timer_handler()
|
CVE-2023-53781
|
|
VCID-rm6u-t2c7-2bcw
|
kernel: Linux kernel: Denial of Service in amd-pstate cpufreq driver via deadlock
|
CVE-2025-38038
|
|
VCID-rn67-9us1-n7bf
|
kernel: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure()
|
CVE-2026-43299
|
|
VCID-rnnc-wjw5-vue4
|
kernel: drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities
|
CVE-2025-39707
|
|
VCID-rpqv-pszk-8kdz
|
kernel: nvmet: move async event work off nvmet-wq
|
CVE-2026-31557
|
|
VCID-rq8c-8qhc-kkf4
|
kernel: riscv: save the SR_SUM status over switches
|
CVE-2025-38261
|
|
VCID-rqgr-g51n-1ubt
|
kernel: HID: roccat: fix use-after-free in roccat_report_event
|
CVE-2026-43111
|
|
VCID-rqnm-wx74-vqcs
|
kernel: bridge: cfm: Fix race condition in peer_mep deletion
|
CVE-2026-23393
|
|
VCID-rqwe-7t22-vkek
|
kernel: LoongArch: Optimize module load time by optimizing PLT/GOT counting
|
CVE-2025-39767
|
|
VCID-rtv1-xjgr-ckew
|
kernel: staging: sm750fb: fix division by zero in ps_to_hz()
|
CVE-2026-31603
|
|
VCID-ruch-ye3j-2bek
|
kernel: scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list
|
CVE-2023-53627
|
|
VCID-rwqy-5r5a-jbc4
|
kernel: KVM: arm64: Check the untrusted offset in FF-A memory share
|
CVE-2025-40266
|
|
VCID-s356-6r9v-5ud3
|
kernel: bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready()
|
CVE-2026-43016
|
|
VCID-s4c8-vnm3-bbeb
|
kernel: cifs: Fix locking usage for tcon fields
|
CVE-2026-43215
|
|
VCID-s5sk-j3na-5uf2
|
kernel: f2fs: fix to do sanity check on node footer for non inode dnode
|
CVE-2025-40025
|
|
VCID-s76c-q3zh-k3a3
|
kernel: drm/amd/display: Check null pointers before multiple uses
|
CVE-2024-49920
|
|
VCID-s7rv-a3xe-zkht
|
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_mirred: use the backlog for mirred ingress The test Davide added in commit ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress") hangs our testing VMs every 10 or so runs, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by lockdep. The problem as previously described by Davide (see Link) is that if we reverse flow of traffic with the redirect (egress -> ingress) we may reach the same socket which generated the packet. And we may still be holding its socket lock. The common solution to such deadlocks is to put the packet in the Rx backlog, rather than run the Rx path inline. Do that for all egress -> ingress reversals, not just once we started to nest mirred calls. In the past there was a concern that the backlog indirection will lead to loss of error reporting / less accurate stats. But the current workaround does not seem to address the issue.
|
CVE-2024-26740
|
|
VCID-s95n-xw95-ebdr
|
kernel: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT
|
CVE-2025-21825
|
|
VCID-s9nf-ezdw-mbcg
|
kernel: usb: typec: ucsi: validate connector number in ucsi_notify_common()
|
CVE-2026-31729
|
|
VCID-saze-95c3-fub5
|
kernel: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
|
CVE-2026-46181
|
|
VCID-saze-qk8p-47gf
|
kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params
|
CVE-2024-58012
|
|
VCID-sdnw-pa3z-8ybs
|
In the Linux kernel, the following vulnerability has been resolved: bpf: support non-r10 register spill/fill to/from stack in precision tracking
Use instruction (jump) history to record instructions that performed register spill/fill to/from stack, regardless if this was done through read-only r10 register, or any other register after copying r10 into it *and* potentially adjusting offset.
To make this work reliably, we push extra per-instruction flags into instruction history, encoding stack slot index (spi) and stack frame number in extra 10 bit flags we take away from prev_idx in instruction history. We don't touch idx field for maximum performance, as it's checked most frequently during backtracking.
This change removes basically the last remaining practical limitation of precision backtracking logic in BPF verifier. It fixes known deficiencies, but also opens up new opportunities to reduce number of verified states, explored in the subsequent patches.
There are only three differences in selftests' BPF object files according to veristat, all in the positive direction (less states).
File                                    Program        Insns (A)  Insns (B)  Insns (DIFF)   States (A)  States (B)  States (DIFF)
--------------------------------------  -------------  ---------  ---------  -------------  ----------  ----------  -------------
test_cls_redirect_dynptr.bpf.linked3.o  cls_redirect        2987       2864  -123 (-4.12%)         240         231    -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_tc       82848      82661  -187 (-0.23%)        5107        5073   -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o         syncookie_xdp      85116      84964  -152 (-0.18%)        5162        5130   -32 (-0.62%)
Note, I avoided renaming jmp_history to more generic insn_hist to minimize number of lines changed and potential merge conflicts between bpf and bpf-next trees.
Notice also cur_hist_entry pointer reset to NULL at the beginning of instruction verification loop. This pointer avoids the problem of relying on last jump history entry's insn_idx to determine whether we already have entry for current instruction or not. It can happen that we added jump history entry because current instruction is_jmp_point(), but also we need to add instruction flags for stack access. In this case, we don't want two entries, so we need to reuse last added entry, if it is present. Relying on insn_idx comparison has the same ambiguity problem as the one that was fixed recently in [0], so we avoid that.
[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
|
CVE-2023-52920
|
|
VCID-sdpu-jraw-k3g4
|
kernel: PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops
|
CVE-2025-38069
|
|
VCID-se3s-sb7k-m7hj
|
kernel: Linux kernel: Denial of Service due to missing power management handler for AMD Van Gogh SoC
|
CVE-2025-68334
|
|
VCID-sepw-z3rs-t3gh
|
kernel: 8021q: delete cleared egress QoS mappings
|
CVE-2026-46153
|
|
VCID-sgqq-76jn-wkev
|
kernel: fs/ntfs3: Return error for inconsistent extended attributes
|
CVE-2023-54125
|
|
VCID-sjwj-f5pz-ykds
|
kernel: vsock: fix buffer size clamping order
|
CVE-2026-46234
|
|
VCID-sjxu-aw3t-5qap
|
kernel: media: vidtv: fix pass-by-value structs causing MSAN warnings
|
CVE-2026-43058
|
|
VCID-sngd-6zmp-hugh
|
kernel: md: suspend array while updating raid_disks via sysfs
|
CVE-2025-71225
|
|
VCID-spdf-vba4-xyhx
|
kernel: net: mctp: unshare packets when reassembling
|
CVE-2025-21972
|
|
VCID-sqcm-ktmn-xyfx
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix hang/underflow when transitioning to ODM4:1 [Why] Under some circumstances, disabling an OPTC and attempting to reclaim its OPP(s) for a different OPTC could cause a hang/underflow due to OPPs not being properly disconnected from the disabled OPTC. [How] Ensure that all OPPs are unassigned from an OPTC when it gets disabled.
|
CVE-2023-52671
|
|
VCID-sr63-jeky-sbc7
|
kernel: drm/amd/pm: Disable MMIO access during SMU Mode 1 reset
|
CVE-2026-23213
|
|
VCID-srpw-dehg-pqf5
|
A double-free flaw was found in the Linux kernel’s NTFS3 subsystem in how a user triggers remount and umount simultaneously. This flaw allows a local user to crash or potentially escalate their privileges on the system.
|
CVE-2022-3238
|
|
VCID-ss63-xq4f-87bv
|
kernel: bpf: Fix kmemleak warning for percpu hashmap
|
CVE-2025-37807
|
|
VCID-sst2-r5h8-pbbv
|
kernel: mm: fix deferred split queue races during migration
|
CVE-2026-46017
|
|
VCID-sttr-rjhm-7bfs
|
kernel: btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()
|
CVE-2024-50217
|
|
VCID-svmx-mb3s-quc3
|
kernel: ipmi: Check event message buffer response for bad data
|
CVE-2026-46128
|
|
VCID-swmd-davs-yffw
|
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable() For cases where the crtc's connectors_changed was set without enable/active getting toggled, there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set(). This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder's connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call. Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state. Patchwork: https://patchwork.freedesktop.org/patch/606729/
|
CVE-2024-45015
|
|
VCID-szpd-7znx-77e5
|
kernel: ixgbevf: add missing negotiate_features op to Hyper-V ops table
|
CVE-2026-43094
|
|
VCID-t14j-bmzh-ykgt
|
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there are still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.
|
CVE-2024-38570
|
|
VCID-t317-vs3c-b3gm
|
kernel: f2fs: fix infinite loop in __insert_extent_tree()
|
CVE-2025-40333
|
|
VCID-t6d9-tf1n-hkhb
|
kernel: RDMA/mlx5: Fix the recovery flow of the UMR QP
|
CVE-2025-21892
|
|
VCID-t6n8-hjyb-6ucr
|
kernel: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
|
CVE-2025-40311
|
|
VCID-t8d3-n3xj-5fb6
|
kernel: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
|
CVE-2026-31617
|
|
VCID-t9vv-6jgv-m7a6
|
kernel: spi: fix resource leaks on device setup failure
|
CVE-2026-46083
|
|
VCID-tb8j-jbar-tqfe
|
kernel: iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode
|
CVE-2026-43161
|
|
VCID-tdnv-mdkf-7ubm
|
kernel: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
|
CVE-2026-46190
|
|
VCID-tdqr-yt8c-u7cu
|
kernel: kcm: fix zero-frag skb in frag_list on partial sendmsg error
|
CVE-2026-43244
|
|
VCID-tdut-5rgt-v3dp
|
In the Linux kernel, the following vulnerability has been resolved: kvm: s390: Reject memory region operations for ucontrol VMs This change rejects the KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls when called on a ucontrol VM. This is necessary since ucontrol VMs have kvm->arch.gmap set to 0 and would thus result in a null pointer dereference further in. Memory management needs to be performed in userspace and using the ioctls KVM_S390_UCAS_MAP and KVM_S390_UCAS_UNMAP. Also improve s390 specific documentation for KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2. [frankja@linux.ibm.com: commit message spelling fix, subject prefix fix]
|
CVE-2024-43819
|
|
VCID-tdz5-t67u-p3e5
|
kernel: jfs: add check read-only before txBeginAnon() call
|
CVE-2024-58095
|
|
VCID-tfh9-kxje-tfdg
|
kernel: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
|
CVE-2026-31702
|
|
VCID-tgcn-6geq-97az
|
kernel: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
|
CVE-2026-46099
|
|
VCID-thbx-gu1n-ykaz
|
kernel: ice: Fix memory leak in ice_set_ringparam()
|
CVE-2026-23389
|
|
VCID-thkm-9ben-buhh
|
kernel: media: mediatek: vcodec: Fix H264 stateless decoder smatch warning
|
CVE-2024-47752
|
|
VCID-tmys-j77f-9bev
|
kernel: nvme-tcp: sanitize request list handling
|
CVE-2025-38264
|
|
VCID-tnkz-amtf-sfgy
|
kernel: bpf: track changes_pkt_data property for global functions
|
CVE-2024-58098
|
|
VCID-tnm2-t55t-myb3
|
kernel: ipv4: start using dst_dev_rcu()
|
CVE-2025-40074
|
|
VCID-tnps-zvhq-4qff
|
kernel: f2fs: fix race in concurrent f2fs_stop_gc_thread
|
CVE-2024-53218
|
|
VCID-tnq8-e5p8-sbef
|
kernel: net: Drop the lock in skb_may_tx_timestamp()
|
CVE-2026-43216
|
|
VCID-tpxk-adfg-suba
|
In the Linux kernel, the following vulnerability has been resolved: mm/filemap: skip to create PMD-sized page cache if needed

On ARM64, HPAGE_PMD_ORDER is 13 when the base page size is 64KB. The PMD-sized page cache can't be supported by xarray as the following error messages indicate.

------------[ cut here ]------------
WARNING: CPU: 35 PID: 7484 at lib/xarray.c:1025 xas_split_alloc+0xf8/0x128
Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib \
 nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct \
 nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 \
 ip_set rfkill nf_tables nfnetlink vfat fat virtio_balloon drm \
 fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 \
 sha1_ce virtio_net net_failover virtio_console virtio_blk failover \
 dimlib virtio_mmio
CPU: 35 PID: 7484 Comm: test Kdump: loaded Tainted: G W 6.10.0-rc5-gavin+ #9
Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-1.el9 05/24/2024
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : xas_split_alloc+0xf8/0x128
lr : split_huge_page_to_list_to_order+0x1c4/0x720
sp : ffff800087a4f6c0
x29: ffff800087a4f6c0 x28: ffff800087a4f720 x27: 000000001fffffff
x26: 0000000000000c40 x25: 000000000000000d x24: ffff00010625b858
x23: ffff800087a4f720 x22: ffffffdfc0780000 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffdfc0780000 x18: 000000001ff40000
x17: 00000000ffffffff x16: 0000018000000000 x15: 51ec004000000000
x14: 0000e00000000000 x13: 0000000000002000 x12: 0000000000000020
x11: 51ec000000000000 x10: 51ece1c0ffff8000 x9 : ffffbeb961a44d28
x8 : 0000000000000003 x7 : ffffffdfc0456420 x6 : ffff0000e1aa6eb8
x5 : 20bf08b4fe778fca x4 : ffffffdfc0456420 x3 : 0000000000000c40
x2 : 000000000000000d x1 : 000000000000000c x0 : 0000000000000000
Call trace:
 xas_split_alloc+0xf8/0x128
 split_huge_page_to_list_to_order+0x1c4/0x720
 truncate_inode_partial_folio+0xdc/0x160
 truncate_inode_pages_range+0x1b4/0x4a8
 truncate_pagecache_range+0x84/0xa0
 xfs_flush_unmap_range+0x70/0x90 [xfs]
 xfs_file_fallocate+0xfc/0x4d8 [xfs]
 vfs_fallocate+0x124/0x2e8
 ksys_fallocate+0x4c/0xa0
 __arm64_sys_fallocate+0x24/0x38
 invoke_syscall.constprop.0+0x7c/0xd8
 do_el0_svc+0xb4/0xd0
 el0_svc+0x44/0x1d8
 el0t_64_sync_handler+0x134/0x150
 el0t_64_sync+0x17c/0x180

Fix it by skipping the allocation of PMD-sized page cache when its size is larger than MAX_PAGECACHE_ORDER. For this specific case, we will fall back to the regular path where the readahead window is determined by BDI's sysfs file (read_ahead_kb).
|
CVE-2024-41031
|
|
VCID-tsys-hcgy-uffj
|
kernel: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()
|
CVE-2025-68190
|
|
VCID-tt8h-rvkq-qkbp
|
kernel: f2fs: fix to truncate first page in error path of f2fs_truncate()
|
CVE-2025-40137
|
|
VCID-tudw-p4k5-j7c2
|
kernel: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
|
CVE-2026-31615
|
|
VCID-tuqr-c13z-uqhz
|
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Skip do PCI error slot reset during RAS recovery

Why:
The PCI error slot reset may be triggered after injecting UE to UMC multiple times; this caused a system hang.

[ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume
[ 557.373718] [drm] PCIE GART of 512M enabled.
[ 557.373722] [drm] PTB located at 0x0000031FED700000
[ 557.373788] [drm] VRAM is lost due to GPU reset!
[ 557.373789] [drm] PSP is resuming...
[ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset
[ 557.547067] [drm] PCI error: detected callback, state(1)!!
[ 557.547069] [drm] No support for XGMI hive yet...
[ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter
[ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations
[ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered
[ 557.610492] [drm] PCI error: slot reset callback!!
...
[ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!
[ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!
[ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI
[ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu
[ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023
[ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]
[ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]
[ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00
[ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202
[ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0
[ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010
[ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08
[ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000
[ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000
[ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000
[ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0
[ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 560.843444] PKRU: 55555554
[ 560.846480] Call Trace:
[ 560.849225]  <TASK>
[ 560.851580]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 560.856488]  ? show_trace_log_lvl+0x1d6/0x2ea
[ 560.861379]  ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]
[ 560.867778]  ? show_regs.part.0+0x23/0x29
[ 560.872293]  ? __die_body.cold+0x8/0xd
[ 560.876502]  ? die_addr+0x3e/0x60
[ 560.880238]  ? exc_general_protection+0x1c5/0x410
[ 560.885532]  ? asm_exc_general_protection+0x27/0x30
[ 560.891025]  ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]
[ 560.898323]  amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]
[ 560.904520]  process_one_work+0x228/0x3d0

How:
In RAS recovery, mode-1 reset is issued from RAS fatal error handling and all the nodes in a hive are expected to be reset. There is no need to issue another mode-1 reset during this procedure.
|
CVE-2024-35931
|
|
VCID-tusm-2aba-t7gv
|
kernel: drm/vc4: platform_get_irq_byname() returns an int
|
CVE-2026-43072
|
|
VCID-ty32-3hfp-huhn
|
kernel: virtiofs: use pages instead of pointer for kernel direct IO
|
CVE-2024-53219
|
|
VCID-tztf-egsc-xkeu
|
kernel: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo
|
CVE-2026-46132
|
|
VCID-u16s-zp3n-1fhx
|
kernel: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()
|
CVE-2025-39910
|
|
VCID-u3fh-85v8-qff5
|
kernel: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
|
CVE-2026-46229
|
|
VCID-u73h-etb9-xbet
|
kernel: net/mlx5e: Remove skb secpath if xfrm state is not found
|
CVE-2025-38590
|
|
VCID-u82w-cmnp-8uhf
|
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD

Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't quite right, as it is supposed to be applied after the last explicit memory access, but is immediately followed by an LDR.

The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295, which are described in:

* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en
* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en

In both cases the workaround is described as:

    | If pagetable isolation is disabled, the context switch logic in the
    | kernel can be updated to execute the following sequence on affected
    | cores before exiting to EL0, and after all explicit memory accesses:
    |
    | 1. A non-shareable TLBI to any context and/or address, including
    | unused contexts or addresses, such as a `TLBI VALE1 Xzr`.
    |
    | 2. A DSB NSH to guarantee completion of the TLBI.

The important part being that the TLBI+DSB must be placed "after all explicit memory accesses".

Unfortunately, as-implemented, the TLBI+DSB is immediately followed by an LDR, as we have:

    | alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
    | tlbi vale1, xzr
    | dsb nsh
    | alternative_else_nop_endif
    | alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
    | ldr lr, [sp, #S_LR]
    | add sp, sp, #PT_REGS_SIZE // restore sp
    | eret
    | alternative_else_nop_endif
    |
    | [ ... KPTI exception return path ... ]

This patch fixes this by reworking the logic to place the TLBI+DSB immediately before the ERET, after all explicit memory accesses.

The ERET is currently in a separate alternative block, and alternatives cannot be nested. To account for this, the alternative block for ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch to skip the KPTI logic, with the new shape of the logic being:

    | alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0
    | [ ... KPTI exception return path ... ]
    | .L_skip_tramp_exit_\@:
    |
    | ldr lr, [sp, #S_LR]
    | add sp, sp, #PT_REGS_SIZE // restore sp
    |
    | alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
    | tlbi vale1, xzr
    | dsb nsh
    | alternative_else_nop_endif
    | eret

The new structure means that the workaround is only applied when KPTI is not in use; this is fine as noted in the documented implications of the erratum:

    | Pagetable isolation between EL0 and higher level ELs prevents the
    | issue from occurring.

... and as per the workaround description quoted above, the workaround is only necessary "If pagetable isolation is disabled".
|
CVE-2024-26670
|
|
VCID-u8sv-fdhk-3qfj
|
kernel: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
|
CVE-2026-43101
|
|
VCID-uapt-u8g5-jffn
|
kernel: batman-adv: bla: only purge non-released claims
|
CVE-2026-46233
|
|
VCID-uc6h-awgm-t7hz
|
kernel: netfilter: conntrack: add missing netlink policy validations
|
CVE-2026-31407
|
|
VCID-ucs5-zx42-euhb
|
kernel: wifi: ath11k: update channel list in reg notifier instead reg worker
|
CVE-2025-23133
|
|
VCID-ud16-vns8-yyh6
|
kernel: wifi: rtw88: Fix memory leak in rtw88_usb
|
CVE-2023-53529
|
|
VCID-udgb-mc24-wug4
|
kernel: scsi: hisi_sas: Fix NULL pointer exception during user_scan()
|
CVE-2026-43413
|
|
VCID-uesd-nu7f-vbbk
|
In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there is more than one device doing reset in parallel, the first device will call kfd_suspend_all_processes() to evict all processes on all devices; this call takes time to finish. Other devices will start reset and recover without waiting. If a process has not been evicted before doing recover, it will be restored, which then causes a page fault.
|
CVE-2024-36949
|
|
VCID-uh5z-1p5r-gfbx
|
kernel: rxrpc: Make it so that a waiting process can be aborted
|
CVE-2023-53218
|
|
VCID-uhyw-91t1-qybw
|
kernel: spi: imx: fix use-after-free on unbind
|
CVE-2026-45996
|
|
VCID-uj56-zg83-subf
|
kernel: net/smc: avoid early lgr access in smc_clc_wait_msg
|
CVE-2026-46027
|
|
VCID-umbu-gykh-ubgx
|
kernel: PCI: dwc: ep: Prevent changing BAR size/flags in pci_epc_set_bar()
|
CVE-2024-58006
|
|
VCID-un22-d3z3-1ye5
|
kernel: f2fs: fix to drop all discards after creating snapshot on lvm device
|
CVE-2024-56565
|
|
VCID-uuf3-av98-ukbk
|
kernel: ext4: avoid journaling sb update on error if journal is destroying
|
CVE-2025-22113
|
|
VCID-uwkb-k8xy-7uh1
|
kernel: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
|
CVE-2026-46065
|
|
VCID-uwtm-s61u-cbca
|
kernel: Linux kernel: Denial of Service in qla2xxx SCSI driver due to improper command handling after chip reset
|
CVE-2025-68745
|
|
VCID-uxbe-1b96-bfag
|
kernel: ksmbd: prevent connection release during oplock break notification
|
CVE-2025-21955
|
|
VCID-uxsm-hqct-u3cw
|
kernel: HID: alps: fix NULL pointer dereference in alps_raw_event()
|
CVE-2026-31625
|
|
VCID-uxu2-3kzv-dya3
|
kernel: net: sched: act_csum: validate nested VLAN headers
|
CVE-2026-31684
|
|
VCID-v1kp-gtk5-5yfw
|
kernel: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
|
CVE-2026-43496
|
|
VCID-v277-e9vg-3baz
|
kernel: drm/amdgpu: fix nullptr err of vm_handle_moved
|
CVE-2025-40339
|
|
VCID-v297-7pf9-dyc5
|
kernel: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation
|
CVE-2026-45859
|
|
VCID-v4ek-txkx-27fp
|
In the Linux kernel, the following vulnerability has been resolved: dm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape

For raid456, if reshape is still in progress, then IO across the reshape position will wait for reshape to make progress. However, for dm-raid, in the following cases reshape will never make progress, hence IO will hang:

1) the array is read-only;
2) MD_RECOVERY_WAIT is set;
3) MD_RECOVERY_FROZEN is set;

After commit c467e97f079f ("md/raid6: use valid sector values to determine if an I/O should wait on the reshape") fixed the problem that IO across the reshape position doesn't wait for reshape, the dm-raid test shell/lvconvert-raid-reshape.sh started to hang:

[root@fedora ~]# cat /proc/979/stack
[<0>] wait_woken+0x7d/0x90
[<0>] raid5_make_request+0x929/0x1d70 [raid456]
[<0>] md_handle_request+0xc2/0x3b0 [md_mod]
[<0>] raid_map+0x2c/0x50 [dm_raid]
[<0>] __map_bio+0x251/0x380 [dm_mod]
[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]
[<0>] __submit_bio+0xc2/0x1c0
[<0>] submit_bio_noacct_nocheck+0x17f/0x450
[<0>] submit_bio_noacct+0x2bc/0x780
[<0>] submit_bio+0x70/0xc0
[<0>] mpage_readahead+0x169/0x1f0
[<0>] blkdev_readahead+0x18/0x30
[<0>] read_pages+0x7c/0x3b0
[<0>] page_cache_ra_unbounded+0x1ab/0x280
[<0>] force_page_cache_ra+0x9e/0x130
[<0>] page_cache_sync_ra+0x3b/0x110
[<0>] filemap_get_pages+0x143/0xa30
[<0>] filemap_read+0xdc/0x4b0
[<0>] blkdev_read_iter+0x75/0x200
[<0>] vfs_read+0x272/0x460
[<0>] ksys_read+0x7a/0x170
[<0>] __x64_sys_read+0x1c/0x30
[<0>] do_syscall_64+0xc6/0x230
[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74

This is because reshape can't make progress.

For md/raid, the problem doesn't exist because registering a new sync_thread doesn't rely on the IO to be done any more:

1) If the array is read-only, it can switch to read-write by ioctl/sysfs;
2) md/raid never sets MD_RECOVERY_WAIT;
3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold 'reconfig_mutex', hence it can be cleared and reshape can continue by the sysfs api 'sync_action'.

However, I'm not sure yet how to avoid the problem in dm-raid. This patch on the one hand makes sure raid_message() can't change sync_thread() through raid_message() after presuspend(), and on the other hand detects the above 3 cases before waiting for IO to be done in dm_suspend(), and lets dm-raid requeue those IO.
|
CVE-2024-26962
|
|
VCID-v4n5-uda1-k3fe
|
kernel: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
|
CVE-2026-45892
|
|
VCID-v5w6-xu2n-jqcp
|
kernel: xfs: close crash window in attr dabtree inactivation
|
CVE-2026-43053
|
|
VCID-v6mb-3c6d-b7fd
|
kernel: bcache: fix cached_dev.sb_bio use-after-free and crash
|
CVE-2026-31580
|
|
VCID-v6p9-myq9-xbhu
|
kernel: alpha: fix user-space corruption during memory compaction
|
CVE-2026-43258
|
|
VCID-v7ny-qksb-6yh6
|
kernel: cifs: fix potential race when tree connecting ipc
|
CVE-2023-54280
|
|
VCID-v85b-dta7-8uau
|
kernel: drm/msm/dp: Drop aux devices together with DP controller
|
CVE-2023-53851
|
|
VCID-v94w-zmmh-87bh
|
kernel: tcp_metrics: use dst_dev_net_rcu()
|
CVE-2025-40075
|
|
VCID-vbxz-h9yj-vqd2
|
kernel: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
|
CVE-2026-43250
|
|
VCID-vcfa-9ta7-jkhe
|
kernel: smb: server: make use of smbdirect_socket.send_io.bcredits
|
CVE-2026-31537
|
|
VCID-vcpu-7cvd-xqeq
|
kernel: spi: rspi: fix controller deregistration
|
CVE-2026-46225
|
|
VCID-vdga-7xy4-67aq
|
kernel: wifi: b43legacy: enforce bounds check on firmware key index in RX path
|
CVE-2026-46163
|
|
VCID-veku-5eej-h3f3
|
kernel: ksmbd: fix OOB write in QUERY_INFO for compound requests
|
CVE-2026-31432
|
|
VCID-vh4f-zmhj-ykg8
|
kernel: LoongArch: Add spectre boundry for syscall dispatch table
|
CVE-2026-45993
|
|
VCID-vkt4-bbnd-4bbm
|
kernel: regulator: core: fix locking in regulator_resolve_supply() error path
|
CVE-2026-46252
|
|
VCID-vn83-vb44-zyfj
|
kernel: ext4: fix e4b bitmap inconsistency reports
|
CVE-2026-45942
|
|
VCID-vnzt-fkhv-f7ez
|
kernel: ipvs: do not keep dest_dst if dev is going down
|
CVE-2026-45917
|
|
VCID-vpdg-6g9g-puhe
|
kernel: ipv6: add NULL checks for idev in SRv6 paths
|
CVE-2026-23442
|
|
VCID-vpjh-yy9v-ebb7
|
kernel: netfilter: arp_tables: fix IEEE1394 ARP payload parsing
|
CVE-2026-45844
|
|
VCID-vpu6-z81t-tfaw
|
kernel: tpm: Lock TPM chip in tpm_pm_suspend() first
|
CVE-2024-53085
|
|
VCID-vq9d-8a8p-tkdx
|
kernel: Linux kernel: Denial of Service due to memory leak in mlx5e driver
|
CVE-2023-53999
|
|
VCID-vqkf-4a3h-kug1
|
kernel: nvme-rdma: unquiesce admin_q before destroy it
|
CVE-2024-49569
|
|
VCID-vsge-v2gk-skfu
|
kernel: tracing: Add recursion protection in kernel stack trace recording
|
CVE-2026-23138
|
|
VCID-vsxr-2ttx-ube4
|
kernel: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
|
CVE-2026-23447
|
|
VCID-vut8-7ehr-43bz
|
kernel: parisc: Avoid crash due to unaligned access in unwinder
|
CVE-2025-68322
|
|
VCID-vw21-vpu7-qfav
|
kernel: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
|
CVE-2026-46143
|
|
VCID-vw9h-h8sv-mydq
|
kernel: cxl/port: Fix use-after-free, permit out-of-order decoder shutdown
|
CVE-2024-50226
|
|
VCID-vxpa-m3jt-8uet
|
kernel: bpf: fix end-of-list detection in cgroup_storage_get_next_key()
|
CVE-2026-45838
|
|
VCID-w3nj-xu1p-bfe4
|
kernel: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
|
CVE-2026-45836
|
|
VCID-w43a-kbdu-3bhm
|
kernel: xfrm: Wait for RCU readers during policy netns exit
|
CVE-2026-43091
|
|
VCID-w5qj-6h74-r3hs
|
kernel: xen: fix UAF in dmabuf_exp_from_pages()
|
CVE-2025-38595
|
|
VCID-w5uk-j54e-gqau
|
kernel: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
|
CVE-2026-46000
|
|
VCID-w6gh-84bp-n3hg
|
kernel: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
|
CVE-2026-43112
|
|
VCID-w9p2-je5u-4bca
|
In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix checks for huge PMDs

Patch series "userfaultfd: fix races around pmd_trans_huge() check", v2.

The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version:

1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case).

2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr().

3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong.

I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2.

This patch (of 2):

This fixes two issues.

I discovered that the following race can occur:

  mfill_atomic                other thread
  ============                ============
                              <zap PMD>
  pmdp_get_lockless() [reads none pmd]
  <bail if trans_huge>
  <if none:>
                              <pagefault creates transhuge zeropage>
    __pte_alloc [no-op]
                              <zap PMD>
  <bail if pmd_trans_huge(*dst_pmd)>
  BUG_ON(pmd_none(*dst_pmd))

I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers.

On kernels newer than commit 0d940a9b270b ("mm/pgtable: allow pte_offset_map[_lock]() to fail"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table.

The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs).

On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table.

Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no "struct page" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding "struct page" thanks to the PTE inversion mitigation, amd64 looks different).

If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table.

As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway.

Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.
|
CVE-2024-46787
|
|
VCID-wadr-eufn-bubc
|
kernel: btrfs: fix missing last_unlink_trans update when removing a directory
|
CVE-2026-46160
|
|
VCID-watw-4f4a-qyaz
|
kernel: exfat: validate cluster allocation bits of the allocation bitmap
|
CVE-2025-40307
|
|
VCID-we1y-vsvr-juay
|
kernel: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
|
CVE-2026-31715
|
|
VCID-wg3f-jmt7-qyfp
|
kernel: drm/amd/display: Do not skip unrelated mode changes in DSC validation
|
CVE-2026-31488
|
|
VCID-wgwg-y47h-7bcr
|
kernel: ksmbd: fix null pointer dereference in alloc_preauth_hash()
|
CVE-2025-22037
|
|
VCID-wja7-ck89-5fah
|
kernel: net: caif: clear client service pointer on teardown
|
CVE-2026-46098
|
|
VCID-wjmf-7b1n-efdx
|
kernel: ALSA: usb-audio: Prevent excessive number of frames
|
CVE-2026-23208
|
|
VCID-wmnr-2y1j-2ucw
|
kernel: xen/events: Return -EEXIST for bound VIRQs
|
CVE-2025-40160
|
|
VCID-wrmn-5spt-mbcs
|
kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug
|
CVE-2025-21693
|
|
VCID-wrwn-x7h3-gbaa
|
kernel: media: rc: igorplugusb: heed coherency rules
|
CVE-2026-46091
|
|
VCID-ws99-py3q-2qd6
|
kernel: drm/amd/display: Check link_index before accessing dc->links[]
|
CVE-2024-46813
|
|
VCID-wsxw-e2r6-xueg
|
kernel: ipv4: icmp: validate reply type before using icmp_pointers
|
CVE-2026-46037
|
|
VCID-wtj8-faym-skhw
|
kernel: bus: mhi: ep: Update read pointer only after buffer is written
|
CVE-2025-38429
|
|
VCID-wtkv-vjxz-u7a3
|
kernel: smb: client: fix potential UAF in smb2_close_cached_fid()
|
CVE-2025-40328
|
|
VCID-wtnv-de29-cke3
|
kernel: s390/mm: Add missing secure storage access fixups for donated memory
|
CVE-2026-31568
|
|
VCID-wtyc-u6n5-gbff
|
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.
|
CVE-2024-26677
|
|
VCID-wyky-zzga-v7de
|
kernel: powerpc, perf: Check that current->mm is alive before getting user callchain
|
CVE-2026-43416
|
|
VCID-wz95-xy37-uufq
|
kernel: drm/amd/display: Check null pointers before using them
|
CVE-2024-49922
|
|
VCID-wzvy-jd7j-nyf7
|
kernel: AppArmor: Allow apparmor to handle unaligned dfa tables
|
CVE-2026-46254
|
|
VCID-x2qq-4sqz-wqf3
|
kernel: thermal: core: Reference count the zone in thermal_zone_get_by_id()
|
CVE-2024-50028
|
|
VCID-x33g-g8fg-q3e7
|
kernel: rcu: Fix rcu_read_unlock() deadloop due to IRQ work
|
CVE-2025-39744
|
|
VCID-x3wm-zjms-1kem
|
kernel: scsi: qla2xxx: Completely fix fcport double free
|
CVE-2026-43414
|
|
VCID-x49m-zec2-nycs
|
kernel: ksmbd: add bounds check for durable handle context
|
CVE-2025-22043
|
|
VCID-x4gk-8nz5-bkh6
|
kernel: drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
|
CVE-2026-31767
|
|
VCID-x4q6-jsjv-zbh7
|
kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set()
|
CVE-2025-40139
|
|
VCID-x7ne-v3zs-gka9
|
kernel: net/smc: initialize close_work early to avoid warning
|
CVE-2024-56641
|
|
VCID-x9jq-hs51-nfhb
|
kernel: Bluetooth: hci_conn: Use disable_delayed_work_sync
|
CVE-2024-56591
|
|
VCID-x9us-prwz-cua2
|
kernel: scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs
|
CVE-2024-57804
|
|
VCID-xb29-w8fj-gug9
|
kernel: ksmbd: prevent rename with empty string
|
CVE-2025-37956
|
|
VCID-xb48-p8sf-sbfd
|
In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce proper attach type for BPF_PROG_TYPE_CGROUP_SKB. link_create uses bpf_prog_get and relies on bpf_prog_attach_check_attach_type to properly verify prog_type <> attach_type association. Add missing attach_type enforcement for the link_create case. Otherwise, it's currently possible to attach cgroup_skb prog types to other cgroup hooks.
|
CVE-2024-38564
|
|
VCID-xbjr-1gre-fufw
|
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in pci_epf_test_core_init() Instead of getting the epc_features from pci_epc_get_features() API, use the cached pci_epf_test::epc_features value to avoid the NULL check. Since the NULL check is already performed in pci_epf_test_bind(), having one more check in pci_epf_test_core_init() is redundant and it is not possible to hit the NULL pointer dereference. Also with commit a01e7214bef9 ("PCI: endpoint: Remove "core_init_notifier" flag"), 'epc_features' got dereferenced without the NULL check, leading to the following false positive Smatch warning: drivers/pci/endpoint/functions/pci-epf-test.c:784 pci_epf_test_core_init() error: we previously assumed 'epc_features' could be null (see line 747) Thus, remove the redundant NULL check and also use the epc_features:: {msix_capable/msi_capable} flags directly to avoid local variables. [kwilczynski: commit log]
|
CVE-2024-43824
|
|
VCID-xcrc-fk1y-1fc2
|
kernel: net/sched: sch_netem: fix out-of-bounds access in packet corruption
|
CVE-2026-31675
|
|
VCID-xeae-yzuj-t3gy
|
kernel: net: kcm: Fix race condition in kcm_unattach()
|
CVE-2025-38717
|
|
VCID-xegy-tsah-5kf3
|
kernel: btrfs: fix double accounting race when btrfs_run_delalloc_range() failed
|
CVE-2024-58089
|
|
VCID-xfyb-b49z-33hp
|
kernel: drm/msm: Fix pgtable prealloc error path
|
CVE-2025-40247
|
|
VCID-xgqt-yrgv-fyhq
|
kernel: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
|
CVE-2026-45834
|
|
VCID-xmbu-t186-cqgw
|
kernel: drm/amd/display: Avoid overflow from uint32_t to uint8_t
|
CVE-2024-47661
|
|
VCID-xmh8-sgwc-g7bd
|
kernel: smb: client: fix double free of TCP_Server_Info::hostname
|
CVE-2025-21673
|
|
VCID-xmnf-7qdc-2ua2
|
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in smb2_query_info_compound() The following UAF was triggered when running fstests generic/072 with KASAN enabled against Windows Server 2022 and mount options 'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm' BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs] Read of size 8 at addr ffff888014941048 by task xfs_io/27534 CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x4a/0x80 print_report+0xcf/0x650 ? srso_alias_return_thunk+0x5/0x7f ? srso_alias_return_thunk+0x5/0x7f ? __phys_addr+0x46/0x90 kasan_report+0xda/0x110 ? smb2_query_info_compound+0x423/0x6d0 [cifs] ? smb2_query_info_compound+0x423/0x6d0 [cifs] smb2_query_info_compound+0x423/0x6d0 [cifs] ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __stack_depot_save+0x39/0x480 ? kasan_save_stack+0x33/0x60 ? kasan_set_track+0x25/0x30 ? ____kasan_slab_free+0x126/0x170 smb2_queryfs+0xc2/0x2c0 [cifs] ? __pfx_smb2_queryfs+0x10/0x10 [cifs] ? __pfx___lock_acquire+0x10/0x10 smb311_queryfs+0x210/0x220 [cifs] ? __pfx_smb311_queryfs+0x10/0x10 [cifs] ? srso_alias_return_thunk+0x5/0x7f ? __lock_acquire+0x480/0x26c0 ? lock_release+0x1ed/0x640 ? srso_alias_return_thunk+0x5/0x7f ? do_raw_spin_unlock+0x9b/0x100 cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 ? __pfx___do_sys_fstatfs+0x10/0x10 ? srso_alias_return_thunk+0x5/0x7f ? lockdep_hardirqs_on_prepare+0x136/0x200 ? srso_alias_return_thunk+0x5/0x7f do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Allocated by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 open_cached_dir+0x71b/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] smb311_queryfs+0x210/0x220 [cifs] cifs_statfs+0x18c/0x4b0 [cifs] statfs_by_dentry+0x9b/0xf0 fd_statfs+0x4e/0xb0 __do_sys_fstatfs+0x7f/0xe0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 27534: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 ____kasan_slab_free+0x126/0x170 slab_free_freelist_hook+0xd0/0x1e0 __kmem_cache_free+0x9d/0x1b0 open_cached_dir+0xff5/0x1240 [cifs] smb2_query_info_compound+0x5c3/0x6d0 [cifs] smb2_queryfs+0xc2/0x2c0 [cifs] This is a race between open_cached_dir() and cached_dir_lease_break() where the cache entry for the open directory handle receives a lease break while creating it. And before returning from open_cached_dir(), we put the last reference of the new @cfid because of !@cfid->has_lease. Besides the UAF, while running xfstests a lot of missed lease breaks have been noticed in tests that run several concurrent statfs(2) calls on those cached fids CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108 CIFS: VFS: Dump pending requests: CIFS: VFS: \\w22-root1.gandalf.test No task to wake, unknown frame... CIFS: VFS: \\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1... CIFS: VFS: \\w22-root1.gandalf.test smb buf 000000005aa7316e len 108 ... To fix both, in open_cached_dir() ensure that @cfid->has_lease is set right before sending out the compounded request so that any potential lease break will get processed by the demultiplex thread while we're still caching @cfid. And, if open failed for some reason, re-check @cfid->has_lease to decide whether or not to put the lease reference.
|
CVE-2023-52751
|
|
VCID-xmy4-ksbp-h7b4
|
kernel: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
|
CVE-2026-45835
|
|
VCID-xmyh-av2e-tyew
|
kernel: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads
|
CVE-2025-37833
|
|
VCID-xn1z-quwh-fufe
|
kernel: rxrpc: reject undecryptable rxkad response tickets
|
CVE-2026-31637
|
|
VCID-xpkm-ggp9-9yea
|
In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.
|
CVE-2024-46681
|
|
VCID-xr5q-fqrz-6bcd
|
In the Linux kernel, the following vulnerability has been resolved: f2fs: split initial and dynamic conditions for extent_cache Let's allocate the extent_cache tree without dynamic conditions to avoid a missing condition causing a panic as below. # create a file w/ a compressed flag # disable the compression # panic while updating extent_cache F2FS-fs (dm-64): Swapfile: last extent is not aligned to section F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N) Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 Write of size 4 at addr 0000000000000030 by task syz-executor154/3327 CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1 Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023 Call Trace: __dump_stack out/common/lib/dump_stack.c:77 [inline] dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118 __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415 kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428 kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186 __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37 instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline] atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline] queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline] __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline] _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295 __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155 f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172 f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline] f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764 vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310 ksys_fallocate out/common/fs/open.c:333 [inline] __do_sys_fallocate out/common/fs/open.c:341 [inline] __se_sys_fallocate out/common/fs/open.c:339 [inline] __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339 do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46
|
CVE-2023-52770
|
|
VCID-xs18-kayp-juad
|
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix null pointer access when abort scan During cancel scan we might use vifs that weren't scanning. Fix this by using the actual scanning vif.
|
CVE-2024-35946
|
|
VCID-xs33-rcgt-vqff
|
kernel: KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
|
CVE-2026-45987
|
|
VCID-xskm-jne3-tbc8
|
kernel: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
|
CVE-2026-31706
|
|
VCID-xuuc-qjfb-bbgg
|
kernel: tcp: call sk_data_ready() after listener migration
|
CVE-2026-46015
|
|
VCID-xuvj-rasz-yqgy
|
kernel: usb: gadget: f_eem: Fix net_device lifecycle with device_move
|
CVE-2026-31724
|
|
VCID-xvfk-rjbz-q7en
|
kernel: RDMA/rxe: Remove the direct link to net_device
|
CVE-2024-57795
|
|
VCID-xvw6-tjz9-rbbk
|
kernel: Bluetooth: MGMT: Protect mgmt_pending list with its own lock
|
CVE-2025-38117
|
|
VCID-xwxf-z5wk-43b9
|
kernel: net: qrtr: ns: Free the node during ctrl_cmd_bye()
|
CVE-2026-46038
|
|
VCID-xx64-m5k1-eff1
|
kernel: driver core: enforce device_lock for driver_match_device()
|
CVE-2026-31688
|
|
VCID-xx65-dxjz-qkex
|
kernel: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.
|
CVE-2025-38438
|
|
VCID-xxxh-jg91-n7ex
|
kernel: wifi: mac80211: remove station if connection prep fails
|
CVE-2026-46125
|
|
VCID-xy77-71w6-ekeg
|
kernel: Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync
|
CVE-2024-50029
|
|
VCID-xzy4-ghsd-s7aq
|
kernel: dlm: validate length in dlm_search_rsb_tree
|
CVE-2026-43125
|
|
VCID-y3sk-2pd5-kfhy
|
kernel: Bluetooth: virtio_bt: clamp rx length before skb_put
|
CVE-2026-46123
|
|
VCID-y48j-qk87-3fab
|
kernel: Bluetooth: hci_sync: hci_cmd_sync_queue_once() return -EEXIST if exists
|
CVE-2026-43022
|
|
VCID-y5gz-zw7d-n3fr
|
kernel: net: stmmac: Correctly handle Rx checksum offload errors
|
CVE-2025-40337
|
|
VCID-y62r-p9ef-zfgs
|
A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.
|
CVE-2023-4133
|
|
VCID-y77f-ut9w-buaq
|
kernel: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW
|
CVE-2024-57999
|
|
VCID-y9ts-kt1y-p3ab
|
kernel: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
|
CVE-2026-45877
|
|
VCID-yc9z-ujg6-d3f5
|
kernel: bnxt_en: Fix memory corruption when FW resources change during ifdown
|
CVE-2025-39810
|
|
VCID-ycbs-pdfw-2yfr
|
kernel: scsi: mpi3mr: Fix possible crash when setting up bsg fails
|
CVE-2025-21723
|
|
VCID-ycsr-5nkd-s3dh
|
kernel: net/ncsi: Disable the ncsi work before freeing the associated structure
|
CVE-2024-49945
|
|
VCID-ydeb-aq4j-uyc6
|
kernel: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
|
CVE-2026-46024
|
|
VCID-yg68-zptc-muba
|
kernel: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()
|
CVE-2025-38585
|
|
VCID-yh7g-67g7-a3er
|
kernel: Linux kernel: Local denial of service in device mapper
|
CVE-2025-38140
|
|
VCID-yhqu-64fu-jkap
|
kernel: team: avoid NETDEV_CHANGEMTU event when unregistering slave
|
CVE-2026-43234
|
|
VCID-yhyk-gm7w-f7b8
|
kernel: wifi: rtw88: fix memory leak in rtw_usb_probe()
|
CVE-2023-53460
|
|
VCID-yjzg-x64u-b3aa
|
kernel: Linux kernel: Denial of Service due to race condition in fbcon setup
|
CVE-2025-68296
|
|
VCID-ymwr-msjt-sbd6
|
kernel: f2fs: quota: fix to avoid warning in dquot_writeback_dquots()
|
CVE-2025-23132
|
|
VCID-yn8x-2eqt-2bfh
|
kernel: staging: media: atomisp: Disallow all private IOCTLs
|
CVE-2026-46205
|
|
VCID-ynn5-zn67-83gd
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' 'panel_cntl' structure used to control the display panel could be null, dereferencing it could lead to a null pointer access. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)
|
CVE-2024-26662
|
|
VCID-yq3g-yxng-hygt
|
kernel: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
|
CVE-2026-31590
|
|
VCID-yqem-376w-33ge
|
kernel: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
|
CVE-2026-46266
|
|
VCID-yst4-7gg3-s3dz
|
kernel: RDMA/mlx5: Fix implicit ODP use after free
|
CVE-2025-21714
|
|
VCID-ysyd-nt3k-xbcd
|
kernel: drm/amd/display: Check null pointers before used
|
CVE-2024-49921
|
|
VCID-ywe3-m2ra-jkgy
|
kernel: smb: Initialize cfid->tcon before performing network ops
|
CVE-2024-56729
|
|
VCID-yzq7-q5qm-ybfy
|
kernel: Input: lkkbd - disable pending work before freeing device
|
CVE-2025-71073
|
|
VCID-z13c-pza3-9uaa
|
kernel: xfrm: always flush state and policy upon NETDEV_UNREGISTER event
|
CVE-2026-43167
|
|
VCID-z3fj-53sy-jqgn
|
kernel: KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception
|
CVE-2025-37957
|
|
VCID-z58g-jmy1-nucf
|
kernel: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
|
CVE-2024-53091
|
|
VCID-z6m8-rw4a-w7aj
|
kernel: ksmbd: require 3 sub-authorities before reading sub_auth[2]
|
CVE-2026-31611
|
|
VCID-z6st-wx3k-8kcs
|
kernel: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
|
CVE-2026-46220
|
|
VCID-z7uh-avjr-augj
|
kernel: btrfs: avoid NULL pointer dereference if no valid csum tree
|
CVE-2025-38059
|
|
VCID-z8x2-y92m-ybh4
|
kernel: LoongArch: BPF: Fix off-by-one error in build_prologue()
|
CVE-2025-37893
|
|
VCID-z9jk-1zsf-ybbs
|
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Refactor DMCUB enter/exit idle interface [Why] We can hang in place trying to send commands when the DMCUB isn't powered on. [How] We need to exit out of the idle state prior to sending a command, but the process that performs the exit also invokes a command itself. Fixing this issue involves the following: 1. Using a software state to track whether or not we need to start the process to exit idle or notify idle. It's possible for the hardware to have exited an idle state without driver knowledge, but entering one is always restricted to a driver allow - which makes the SW state vs HW state mismatch issue purely one of optimization, which should seldom be hit, if at all. 2. Refactor any instances of exit/notify idle to use a single wrapper that maintains this SW state. This works similar to dc_allow_idle_optimizations, but works at the DMCUB level and makes sure the state is marked prior to any notify/exit idle so we don't enter an infinite loop. 3. Make sure we exit out of idle prior to sending any commands or waiting for DMCUB idle. This patch takes care of 1/2. A future patch will take care of wrapping DMCUB command submission with calls to this new interface.
|
CVE-2023-52625
|
|
VCID-zbwg-n1vp-affw
|
kernel: smb: client: validate the whole DACL before rewriting it in cifsacl
|
CVE-2026-31709
|
|
VCID-zcn5-uyym-nfdx
|
kernel: ibmasm: fix heap over-read in ibmasm_send_i2o_message()
|
CVE-2026-46064
|
|
VCID-zdb5-yqsu-eqhs
|
kernel: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
|
CVE-2026-45997
|
|
VCID-zdcv-5u23-6bcm
|
kernel: media: av7110: fix a spectre vulnerability
|
CVE-2024-50289
|
|
VCID-zde8-8w83-uye6
|
kernel: spi: meson-spicc: Fix double-put in remove path
|
CVE-2026-31489
|
|
VCID-ze7r-91vz-xkgx
|
kernel: ethtool: fail closed if we can't get max channel used in indirection tables
|
CVE-2024-46834
|
|
VCID-zej7-fnqf-4kgw
|
kernel: usb: gadget: f_ncm: Fix net_device lifecycle with device_move
|
CVE-2026-43421
|
|
VCID-zg5n-u3t2-nkfp
|
kernel: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
|
CVE-2025-38627
|
|
VCID-zgnq-1rb8-kbb1
|
kernel: crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
|
CVE-2026-46068
|
|
VCID-zhpz-13aa-3ubu
|
kernel: bpf: Fix incorrect pruning due to atomic fetch precision tracking
|
CVE-2026-43009
|
|
VCID-zj8c-cyr7-n7de
|
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HCI: Remove HCI_AMP support Since BT_HS has been removed, HCI_AMP controllers no longer have any use, so remove it along with the capability of creating AMP controllers. Since we no longer need to differentiate between AMP and Primary controllers, as only HCI_PRIMARY is left, this also removes hdev->dev_type altogether.
|
CVE-2024-38620
|
|
VCID-zk89-tk5x-8ffs
|
kernel: crypto: pcrypt - Fix handling of MAY_BACKLOG requests
|
CVE-2026-43493
|
|
VCID-zmst-4w7q-qya8
|
kernel: LoongArch: Enable IRQ if do_ale() triggered in irq-enabled context
|
CVE-2024-50111
|
|
VCID-znex-venv-jugz
|
kernel: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
|
CVE-2026-46167
|
|
VCID-zpkv-xd42-abge
|
kernel: sysfs: check visibility before changing group attribute ownership
|
CVE-2025-40355
|
|
VCID-zpzg-caty-8ffa
|
kernel: btrfs: subpage: keep TOWRITE tag until folio is cleaned
|
CVE-2025-39779
|
|
VCID-zsex-4d2z-pqea
|
kernel: rbd: fix null-ptr-deref when device_add_disk() fails
|
CVE-2026-46079
|
|
VCID-zt77-2zhc-r7ch
|
kernel: f2fs: fix to shrink read extent node in batches
|
CVE-2024-41935
|
|
VCID-ztfu-xfwb-mbeu
|
kernel: ublk: sanitize the arguments from userspace when adding a device
|
CVE-2025-38182
|
|
VCID-ztmn-qjdw-jqa3
|
kernel: ALSA: caiaq: Handle probe errors properly
|
CVE-2026-46004
|
|
VCID-ztn3-cxpr-vqes
|
kernel: smb: client: fix OOB reads parsing symlink error response
|
CVE-2026-31613
|
|
VCID-zu5z-s9tf-tqg7
|
kernel: staging: most: remove broken i2c driver
|
CVE-2025-68755
|
|
VCID-zuf7-p8px-eff7
|
In the Linux kernel, the following vulnerability has been resolved: md: Don't ignore read-only array in md_check_recovery() Usually if the array is not read-write, md_check_recovery() won't register a new sync_thread in the first place. And if the array is read-write and sync_thread is registered, md_set_readonly() will unregister sync_thread before setting the array read-only. md/raid follows this behavior, hence there is no problem. After commit f52f5c71f3d4 ("md: fix stopping sync thread"), the following hang can be triggered by test shell/integrity-caching.sh: 1) array is read-only. dm-raid update super block: rs_update_sbs ro = mddev->ro mddev->ro = 0 -> set array read-write md_update_sb 2) register new sync thread concurrently. 3) dm-raid set array back to read-only: rs_update_sbs mddev->ro = ro 4) stop the array: raid_dtr md_stop stop_sync_thread set_bit(MD_RECOVERY_INTR, &mddev->recovery); md_wakeup_thread_directly(mddev->sync_thread); wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery)) 5) sync thread done: md_do_sync set_bit(MD_RECOVERY_DONE, &mddev->recovery); md_wakeup_thread(mddev->thread); 6) daemon thread can't unregister sync thread: md_check_recovery if (!md_is_rdwr(mddev) && !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery)) return; -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hangs; The root cause is that dm-raid manipulates 'mddev->ro' by itself, however, dm-raid really should stop the sync thread before setting the array read-only. Unfortunately, I need to read more code before I can refactor the handler of 'mddev->ro' in dm-raid, hence let's fix the problem the easy way for now to prevent a dm-raid regression.
|
CVE-2024-26757
|
|
VCID-zv37-z9rq-g3ab
|
kernel: wifi: ath11k: fix RCU stall while reaping monitor destination ring
|
CVE-2024-58097
|
|
VCID-zx6r-brw5-yuex
|
kernel: tty: n_gsm: Don't block input queue by waiting MSC
|
CVE-2025-40071
|
|
VCID-zxtt-dggp-pyby
|
kernel: media: as102: fix to not free memory after the device is registered in as102_usb_probe()
|
CVE-2026-31578
|
|
VCID-zy4a-wzbs-8fa7
|
kernel: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
|
CVE-2025-39859
|
|
VCID-zy9z-qgfm-4uhv
|
kernel: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
|
CVE-2023-53292
|
|
VCID-zyed-py3j-gqe6
|
kernel: media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
|
CVE-2026-31576
|
|
VCID-zyhz-n7b9-bkfh
|
kernel: drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer
|
CVE-2024-49918
|
|
VCID-zzaq-dtnw-83dt
|
kernel: block/rq_qos: protect rq_qos apis with a new lock
|
CVE-2023-53823
|
|
VCID-zzxy-vnwh-y7h6
|
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC] With default config, the value of NR_CPUS is 64. When HW platform has more than 64 cpus, system will crash on these platforms. MAX_CORE_PIC is the maximum cpu number in MADT table (max physical number) which can exceed the supported maximum cpu number (NR_CPUS, max logical number), but kernel should not crash. Kernel should boot cpus with NR_CPUS, let the remainder cpus stay in BIOS. The potential crash reason is that the array acpi_core_pic[NR_CPUS] can be overflowed when parsing MADT table, and it is obvious that CORE_PIC should be corresponding to physical core rather than logical core, so it is better to define the array as acpi_core_pic[MAX_CORE_PIC]. With the patch, system can boot up 64 vcpus with qemu parameter -smp 128, otherwise system will crash with the following message. [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192 [ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60 [ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8 [ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005 [ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001 [ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063 [ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98 [ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90 [ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330 [ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250 [ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94 [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE) [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 0.000000] BADV: 0000420000004259 [ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 0.000000] Modules linked in: [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____)) [ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec [ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60 [ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000 [ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c [ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08 [ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018 [ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000 [ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000 [ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94 [ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250 [ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c [ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670 [ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc
|
CVE-2024-26768
|
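Added illustration for the CVE-2024-26768 entry above (LoongArch acpi_core_pic[NR_CPUS] overflow). This is not kernel code and not part of this listing: it is a user-space C model of the MADT core-PIC walk that keeps the physical table sized by the firmware limit (MAX_CORE_PIC) and bounds-checks every index, then maps only the first NR_CPUS usable cores to logical ids, leaving the rest in firmware. The NR_CPUS/MAX_CORE_PIC values, the minimal entry layout and the 128-entry firmware table are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants for the illustration: the logical CPU limit the kernel was
 * built with, and the physical limit of the MADT walk. Real values differ. */
#define NR_CPUS       64
#define MAX_CORE_PIC  256

/* Hypothetical minimal stand-in for an ACPI MADT core-PIC entry; the real
 * layout lives in the ACPI headers and is not reproduced here. */
struct madt_core_pic {
    uint32_t processor_id;   /* firmware-supplied physical core index */
    uint32_t core_id;
    uint8_t  enabled;
};

struct parsed_topology {
    uint8_t  present[MAX_CORE_PIC];     /* physical index -> entry seen */
    int      logical_to_phys[NR_CPUS];  /* logical cpu -> physical core index */
    unsigned n_phys;                    /* physical entries recorded */
    unsigned n_logical;                 /* cpus the kernel would boot */
    unsigned n_rejected;                /* entries beyond MAX_CORE_PIC (bad firmware) */
};

/* The bug class: a table sized by the logical limit (NR_CPUS) but indexed by a
 * firmware-supplied physical id overflows as soon as the MADT lists more cores
 * than NR_CPUS. Here the physical table is sized by the physical limit, every
 * index is checked before use, and the logical mapping is capped separately.
 * Returns the number of logical cpus that would be brought up. */
static int parse_madt_core_pics(const struct madt_core_pic *entries, size_t n,
                                struct parsed_topology *topo)
{
    memset(topo, 0, sizeof(*topo));
    for (size_t i = 0; i < n; i++) {
        uint32_t phys = entries[i].processor_id;
        if (phys >= MAX_CORE_PIC) {       /* never index past the physical table */
            topo->n_rejected++;
            continue;
        }
        if (!entries[i].enabled || topo->present[phys])
            continue;                     /* disabled or duplicate entry */
        topo->present[phys] = 1;
        topo->n_phys++;
        if (topo->n_logical < NR_CPUS)    /* remainder stays parked in firmware */
            topo->logical_to_phys[topo->n_logical++] = (int)phys;
    }
    return (int)topo->n_logical;
}

/* Constructed input: a 128-core platform, twice NR_CPUS, as in the -smp 128 case. */
static int demo_boot_with_128_cores(unsigned *phys_seen, unsigned *rejected)
{
    struct madt_core_pic madt[128];
    for (uint32_t i = 0; i < 128; i++) {
        madt[i].processor_id = i;
        madt[i].core_id = i;
        madt[i].enabled = 1;
    }
    struct parsed_topology topo;
    int booted = parse_madt_core_pics(madt, 128, &topo);
    if (phys_seen)
        *phys_seen = topo.n_phys;
    if (rejected)
        *rejected = topo.n_rejected;
    return booted;
}

int main(void)
{
    unsigned phys, rej;
    int booted = demo_boot_with_128_cores(&phys, &rej);
    printf("MADT cores recorded: %u, logical cpus booted: %d, rejected: %u\n",
           phys, booted, rej);
    return 0;
}
```

The point of the split is that the two limits answer different questions: MAX_CORE_PIC bounds what firmware may describe, NR_CPUS bounds what this kernel build will run, and only the first may be used to size a table indexed by firmware data.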