| purl | pkg:deb/debian/linux@6.12.73-1 |
| Next non-vulnerable version | 6.12.74-2~bpo12+1 |
| Latest non-vulnerable version | 7.0-1~exp1 |
| Risk | 3.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-142k-7wgv-pfh6
Aliases: CVE-2026-23367 |
In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits. The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipping vendor namespaces), and syzbot points out that we later compare against this uninitialized value. Fix this by moving the rejection of unknown radiotap fields down to after the in-namespace lookup, so it will really use iterator->_next_ns_data only for vendor namespaces, even in case undefined fields are present. |
Affected by 0 other vulnerabilities. |
|
VCID-16es-2z99-a3hu
Aliases: CVE-2026-31405 |
Affected by 0 other vulnerabilities. |
|
|
VCID-17tu-a4wu-b3hv
Aliases: CVE-2026-23374 |
kernel: blktrace: fix __this_cpu_read/write in preemptible context |
Affected by 0 other vulnerabilities. |
|
VCID-1cac-quc3-2bcf
Aliases: CVE-2025-40139 |
kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_set() |
Affected by 0 other vulnerabilities. |
|
VCID-1dxt-yy4z-y7cs
Aliases: CVE-2026-23298 |
kernel: can: ucan: Fix infinite loop from zero-length messages |
Affected by 0 other vulnerabilities. |
|
VCID-1g77-qwuy-nkg8
Aliases: CVE-2026-31416 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-1g8r-w5jy-6kes
Aliases: CVE-2025-39958 |
kernel: iommu/s390: Make attach succeed when the device was surprise removed |
Affected by 0 other vulnerabilities. |
|
VCID-1kgs-19ue-wbe1
Aliases: CVE-2026-31394 |
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations. ieee80211_chan_bw_change() iterates all stations and accesses link->reserved.oper via sta->sdata->link[link_id]. For stations on AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to the VLAN sdata, whose link never participates in chanctx reservations. This leaves link->reserved.oper zero-initialized with chan == NULL, causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() when accessing chandef->chan->band during CSA. Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() before accessing link data. [also change sta->sdata in ARRAY_SIZE even if it doesn't matter] |
Affected by 0 other vulnerabilities. |
|
VCID-1n5v-auw6-wbcd
Aliases: CVE-2026-23420 |
Affected by 0 other vulnerabilities. |
|
|
VCID-1s77-djzb-xffp
Aliases: CVE-2026-31417 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-1xj4-m963-nkb2
Aliases: CVE-2026-23104 |
kernel: ice: fix devlink reload call trace |
Affected by 0 other vulnerabilities. |
|
VCID-1ygk-whua-gbcq
Aliases: CVE-2026-23318 |
kernel: ALSA: usb-audio: Use correct version for UAC3 header validation |
Affected by 0 other vulnerabilities. |
|
VCID-1zbm-pnj5-xqb4
Aliases: CVE-2026-23321 |
kernel: mptcp: pm: in-kernel: always mark signal+subflow endp as used |
Affected by 0 other vulnerabilities. |
|
VCID-2198-cz4u-87hu
Aliases: CVE-2026-23364 |
kernel: ksmbd: Compare MACs in constant time |
Affected by 0 other vulnerabilities. |
|
VCID-24dm-m1bk-t7fv
Aliases: CVE-2026-23463 |
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq. When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have the following interleaving of Thread A, in qman_destroy_fq(), and Thread B, in qman_create_fq(): (1) Thread A: qman_release_fqid(), qman_shutdown_fq(), gen_pool_free(); at this point, the fqid is available again. (2) Thread B: qman_alloc_fqid(), so we can get the just-freed fqid in thread B; then fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; (3) Thread A: fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb(). |
Affected by 0 other vulnerabilities. |
|
VCID-25nt-fa4m-97fm
Aliases: CVE-2025-68239 |
kernel: binfmt_misc: restore write access before closing files opened by open_exec() |
Affected by 0 other vulnerabilities. |
|
VCID-286c-64ry-67cz
Aliases: CVE-2026-22981 |
kernel: idpf: detach and close netdevs while handling a reset |
Affected by 0 other vulnerabilities. |
|
VCID-2cxv-ay17-4kh2
Aliases: CVE-2025-38029 |
kernel: Linux kernel: Denial of Service due to sleepable page allocation in KASAN |
Affected by 0 other vulnerabilities. |
|
VCID-2k4e-em5c-m3bv
Aliases: CVE-2025-40355 |
kernel: sysfs: check visibility before changing group attribute ownership |
Affected by 0 other vulnerabilities. |
|
VCID-33re-7rh6-2bg4
Aliases: CVE-2026-23255 |
kernel: net: add proper RCU protection to /proc/net/ptype |
Affected by 0 other vulnerabilities. |
|
VCID-341t-wy9a-p7fz
Aliases: CVE-2025-71269 |
kernel: btrfs: do not free data reservation in fallback from inline due to -ENOSPC |
Affected by 0 other vulnerabilities. |
|
VCID-3453-ez2g-97ax
Aliases: CVE-2025-39830 |
kernel: net/mlx5: HWS, Fix memory leak in hws_pool_buddy_init error path |
Affected by 0 other vulnerabilities. |
|
VCID-37t1-1qg2-hqc4
Aliases: CVE-2026-23414 |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
|
VCID-3aa5-4rp5-g7h3
Aliases: CVE-2025-71202 |
kernel: Linux kernel: Memory Corruption and Kernel Crashes via IOMMU SVA coherency issue |
Affected by 0 other vulnerabilities. |
|
VCID-3btm-9twv-8kdh
Aliases: CVE-2025-40217 |
kernel: pidfs: validate extensible ioctls |
Affected by 0 other vulnerabilities. |
|
VCID-3fpy-fq8u-r3gb
Aliases: CVE-2024-58095 |
kernel: jfs: add check read-only before txBeginAnon() call |
Affected by 0 other vulnerabilities. |
|
VCID-3jmx-jfhk-yqh5
Aliases: CVE-2026-23320 |
kernel: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind |
Affected by 0 other vulnerabilities. |
|
VCID-3kg4-jbwg-zffk
Aliases: CVE-2026-23475 |
kernel: spi: fix statistics allocation |
Affected by 0 other vulnerabilities. |
|
VCID-3km6-xsxg-4bcr
Aliases: CVE-2026-31426 |
Affected by 0 other vulnerabilities. |
|
|
VCID-3ng4-wb1y-wyem
Aliases: CVE-2026-23422 |
Affected by 0 other vulnerabilities. |
|
|
VCID-3pv5-s5r1-vkdg
Aliases: CVE-2026-23397 |
Linux kernel: nfnetlink_osf: Linux kernel: Denial of Service in nfnetlink_osf via crafted network packets |
Affected by 0 other vulnerabilities. |
|
VCID-3usq-zn13-r3hx
Aliases: CVE-2026-23386 |
kernel: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL |
Affected by 0 other vulnerabilities. |
|
VCID-3yzs-sjd2-53d7
Aliases: CVE-2026-23382 |
kernel: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them |
Affected by 0 other vulnerabilities. |
|
VCID-4399-j8sn-t3b1
Aliases: CVE-2026-23310 |
kernel: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded |
Affected by 0 other vulnerabilities. |
|
VCID-4avh-yaub-uqg2
Aliases: CVE-2026-23464 |
kernel: soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe() |
Affected by 0 other vulnerabilities. |
|
VCID-4jvb-unxd-3qg3
Aliases: CVE-2026-31423 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-4qwu-fw8y-t7et
Aliases: CVE-2025-38203 |
kernel: jfs: Fix null-ptr-deref in jfs_ioc_trim |
Affected by 0 other vulnerabilities. |
|
VCID-4spt-a3n7-z7fu
Aliases: CVE-2025-68334 |
kernel: Linux kernel: Denial of Service due to missing power management handler for AMD Van Gogh SoC |
Affected by 0 other vulnerabilities. |
|
VCID-4tj5-m3wf-xkca
Aliases: CVE-2026-23427 |
kernel: ksmbd: fix use-after-free in durable v2 replay of active file handles |
Affected by 0 other vulnerabilities. |
|
VCID-4vs9-vhrd-zfgn
Aliases: CVE-2024-58094 |
kernel: jfs: add check read-only before truncation in jfs_truncate_nolock() |
Affected by 0 other vulnerabilities. |
|
VCID-514d-7urs-m7ge
Aliases: CVE-2026-23380 |
kernel: tracing: Fix WARN_ON in tracing_buffers_mmap_close |
Affected by 0 other vulnerabilities. |
|
VCID-5ahq-saw1-suf1
Aliases: CVE-2026-31420 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-5b4f-sket-kuge
Aliases: CVE-2025-23132 |
kernel: f2fs: quota: fix to avoid warning in dquot_writeback_dquots() |
Affected by 0 other vulnerabilities. |
|
VCID-5eks-kg2z-5ye1
Aliases: CVE-2026-23471 |
In the Linux kernel, the following vulnerability has been resolved: drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug When trying to do a rather aggressive test of igt's "xe_module_load --r reload" with a full desktop environment and game running I noticed a few OOPSes when dereferencing freed pointers, related to framebuffers and property blobs after the compositor exits. Solve this by guarding the freeing in drm_file with drm_dev_enter/exit, and immediately put the references from struct drm_file objects during drm_dev_unplug(). Related warnings for framebuffers on the subtest: [...] and then finally file close blows up: [...] ---truncated--- |
Affected by 0 other vulnerabilities. |
|
VCID-5g2a-qj5r-uub4
Aliases: CVE-2026-23336 |
kernel: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() |
Affected by 0 other vulnerabilities. |
|
VCID-5v5u-d5mg-53bv
Aliases: CVE-2026-23284 |
kernel: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() |
Affected by 0 other vulnerabilities. |
|
VCID-63m2-phjq-kuav
Aliases: CVE-2025-40065 |
kernel: RISC-V: KVM: Write hgatp register with valid mode bits |
Affected by 0 other vulnerabilities. |
|
VCID-6cqc-um2d-1kfk
Aliases: CVE-2026-23315 |
kernel: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() |
Affected by 0 other vulnerabilities. |
|
VCID-6ggj-8ema-x7f6
Aliases: CVE-2026-23375 |
kernel: mm: thp: deny THP for files on anonymous inodes |
Affected by 0 other vulnerabilities. |
|
VCID-6hur-ug1s-83am
Aliases: CVE-2026-23472 |
In the Linux kernel, the following vulnerability has been resolved: serial: core: fix infinite loop in handle_tx() for PORT_UNKNOWN. uart_write_room() and uart_write() behave inconsistently when xmit_buf is NULL (which happens for PORT_UNKNOWN ports that were never properly initialized): (1) uart_write_room() returns kfifo_avail() which can be > 0; (2) uart_write() checks xmit_buf and returns 0 if NULL. This inconsistency causes an infinite loop in drivers that rely on tty_write_room() to determine if they can write: while (tty_write_room(tty) > 0) { written = tty->ops->write(...); /* written is always 0, loop never exits */ } For example, caif_serial's handle_tx() enters an infinite loop when used with PORT_UNKNOWN serial ports, causing system hangs. Fix by making uart_write_room() also check xmit_buf and return 0 if it's NULL, consistent with uart_write(). Reproducer: https://gist.github.com/mrpre/d9a694cc0e19828ee3bc3b37983fde13 |
Affected by 0 other vulnerabilities. |
|
VCID-6pmj-r187-kqcb
Aliases: CVE-2026-23325 |
kernel: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211() |
Affected by 0 other vulnerabilities. |
|
VCID-6rpd-ws7d-4qeg
Aliases: CVE-2025-38137 |
kernel: PCI/pwrctrl: Cancel outstanding rescan work when unregistering |
Affected by 0 other vulnerabilities. |
|
VCID-6wrr-yr71-xuhk
Aliases: CVE-2026-23247 |
kernel: tcp: secure_seq: add back ports to TS offset |
Affected by 0 other vulnerabilities. |
|
VCID-744r-rpqc-k3gx
Aliases: CVE-2026-23440 |
kernel: net/mlx5e: Fix race condition during IPSec ESN update |
Affected by 0 other vulnerabilities. |
|
VCID-7bmu-z2mb-cbbe
Aliases: CVE-2026-23252 |
kernel: xfs: get rid of the xchk_xfile_*_descr calls |
Affected by 0 other vulnerabilities. |
|
VCID-7dx8-ys84-zuac
Aliases: CVE-2025-38041 |
kernel: clk: sunxi-ng: h616: Reparent GPU clock during frequency changes |
Affected by 0 other vulnerabilities. |
|
VCID-7eh9-dqkv-j3bm
Aliases: CVE-2025-38042 |
kernel: dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn |
Affected by 0 other vulnerabilities. |
|
VCID-7ey4-wrhk-zfce
Aliases: CVE-2025-38132 |
kernel: coresight: holding cscfg_csdev_lock while removing cscfg from csdev |
Affected by 0 other vulnerabilities. |
|
VCID-7gw9-7kbs-2uh2
Aliases: CVE-2025-68736 |
kernel: landlock: Fix handling of disconnected directories |
Affected by 0 other vulnerabilities. |
|
VCID-7j8j-s3am-6bgv
Aliases: CVE-2025-39764 |
kernel: Linux kernel: Denial of Service via double-increment of reference count in netfilter |
Affected by 0 other vulnerabilities. |
|
VCID-7v66-8w2u-duf9
Aliases: CVE-2026-23462 |
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [...] ---truncated--- |
Affected by 0 other vulnerabilities. |
|
VCID-7xah-5pdm-eqfb
Aliases: CVE-2026-23316 |
kernel: net: ipv4: fix ARM64 alignment fault in multipath hash seed |
Affected by 0 other vulnerabilities. |
|
VCID-81z1-7axu-rqep
Aliases: CVE-2026-23152 |
kernel: wifi: mac80211: correctly decode TTLM with default link map |
Affected by 0 other vulnerabilities. |
|
VCID-851j-pvmm-8yc7
Aliases: CVE-2025-22117 |
kernel: ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() |
Affected by 0 other vulnerabilities. |
|
VCID-8a31-1mz8-17cu
Aliases: CVE-2026-23347 |
kernel: can: usb: f81604: correctly anchor the urb in the read bulk callback |
Affected by 0 other vulnerabilities. |
|
VCID-8ab4-cv5e-2kff
Aliases: CVE-2026-23369 |
kernel: i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock" |
Affected by 0 other vulnerabilities. |
|
VCID-8bmx-4nbw-6qcn
Aliases: CVE-2026-23389 |
kernel: ice: Fix memory leak in ice_set_ringparam() |
Affected by 0 other vulnerabilities. |
|
VCID-8edx-kmgw-jue5
Aliases: CVE-2025-39925 |
kernel: can: j1939: implement NETDEV_UNREGISTER notification handler |
Affected by 0 other vulnerabilities. |
|
VCID-8hgk-zrmy-tbba
Aliases: CVE-2025-39822 |
kernel: io_uring/kbuf: fix signedness in this_len calculation |
Affected by 0 other vulnerabilities. |
|
VCID-8kug-7bk5-t3bf
Aliases: CVE-2026-23373 |
kernel: wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config |
Affected by 0 other vulnerabilities. |
|
VCID-8qua-yr2x-s7fd
Aliases: CVE-2026-23394 |
kernel: af_unix: Give up GC if MSG_PEEK intervened |
Affected by 0 other vulnerabilities. |
|
VCID-8swc-xby9-cygu
Aliases: CVE-2025-40147 |
kernel: blk-throttle: fix access race during throttle policy activation |
Affected by 0 other vulnerabilities. |
|
VCID-8vkt-e4d8-qfgn
Aliases: CVE-2025-68174 |
kernel: amd/amdkfd: enhance kfd process check in switch partition |
Affected by 0 other vulnerabilities. |
|
VCID-8xmp-5z38-1qaa
Aliases: CVE-2026-23285 |
kernel: drbd: fix null-pointer dereference on local read error |
Affected by 0 other vulnerabilities. |
|
VCID-915z-uxfx-3uh1
Aliases: CVE-2025-71239 |
kernel: audit: add fchmodat2() to change attributes class |
Affected by 0 other vulnerabilities. |
|
VCID-94ed-vp4v-mqeg
Aliases: CVE-2025-68353 |
kernel: Kernel: Denial of Service via NULL pointer dereference in VXLAN module |
Affected by 0 other vulnerabilities. |
|
VCID-94k1-ja9w-2fd2
Aliases: CVE-2026-31421 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-98mp-5h68-73eg
Aliases: CVE-2025-68236 |
kernel: Linux kernel: Denial of Service during UFS power down |
Affected by 0 other vulnerabilities. |
|
VCID-98y4-8sve-mfbz
Aliases: CVE-2025-68209 |
kernel: mlx5: Fix default values in create CQ |
Affected by 0 other vulnerabilities. |
|
VCID-9axb-sz3w-ubcx
Aliases: CVE-2026-23439 |
In the Linux kernel, the following vulnerability has been resolved: udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 (success) without actually creating a socket. Callers such as fou_create() then proceed to dereference the uninitialized socket pointer, resulting in a NULL pointer dereference. The captured NULL deref crash: [...] This patch makes udp_sock_create6 return -EPFNOSUPPORT instead, so callers correctly take their error paths. There is only one caller of the vulnerable function and only privileged users can trigger it. |
Affected by 0 other vulnerabilities. |
|
VCID-9cpj-kd98-33bz
Aliases: CVE-2026-23245 |
kernel: net/sched: act_gate: snapshot parameters with RCU on replace |
Affected by 0 other vulnerabilities. |
|
VCID-9cuj-t2sc-bbdj
Aliases: CVE-2026-23317 |
kernel: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions |
Affected by 0 other vulnerabilities. |
|
VCID-9dfd-an6h-67gp
Aliases: CVE-2026-23157 |
kernel: btrfs: do not strictly require dirty metadata threshold for metadata writepages |
Affected by 0 other vulnerabilities. |
|
VCID-9ej7-7tra-zqcm
Aliases: CVE-2026-23333 |
kernel: netfilter: nft_set_rbtree: validate open interval overlap |
Affected by 0 other vulnerabilities. |
|
VCID-9jgy-8b6j-ayfz
Aliases: CVE-2025-39834 |
kernel: net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow |
Affected by 0 other vulnerabilities. |
|
VCID-9kuz-7fag-4qhv
Aliases: CVE-2026-23231 |
kernel: kernel: Privilege escalation or denial of service via use-after-free in nf_tables_addchain() |
Affected by 0 other vulnerabilities. |
|
VCID-9m2t-y1zb-hfar
Aliases: CVE-2026-31412 |
Affected by 0 other vulnerabilities. |
|
|
VCID-9qhe-6xhk-hfhf
Aliases: CVE-2026-23289 |
kernel: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() |
Affected by 0 other vulnerabilities. |
|
VCID-9sm6-shj5-cqh5
Aliases: CVE-2026-23444 |
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure. ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc. |
Affected by 0 other vulnerabilities. |
|
VCID-9tbh-mrhu-v3am
Aliases: CVE-2025-38597 |
kernel: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port |
Affected by 0 other vulnerabilities. |
|
VCID-9ur7-ynkr-rydr
Aliases: CVE-2025-68729 |
kernel: wifi: ath12k: Fix MSDU buffer types handling in RX error path |
Affected by 0 other vulnerabilities. |
|
VCID-a1xg-dyn3-skb6
Aliases: CVE-2026-23395 |
kernel: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ |
Affected by 0 other vulnerabilities. |
|
VCID-a28q-pf9z-abdm
Aliases: CVE-2026-23377 |
kernel: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz |
Affected by 0 other vulnerabilities. |
|
VCID-a29y-u4f3-nkfk
Aliases: CVE-2025-68755 |
kernel: staging: most: remove broken i2c driver |
Affected by 0 other vulnerabilities. |
|
VCID-a36h-pqj3-9bhe
Aliases: CVE-2026-23343 |
kernel: xdp: produce a warning when calculated tailroom is negative |
Affected by 0 other vulnerabilities. |
|
VCID-a3d8-8qvy-ykdr
Aliases: CVE-2026-23371 |
kernel: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting |
Affected by 0 other vulnerabilities. |
|
VCID-a5tz-dm6g-zqch
Aliases: CVE-2026-23303 |
kernel: smb: client: Don't log plaintext credentials in cifs_set_cifscreds |
Affected by 0 other vulnerabilities. |
|
VCID-a6bg-yemv-4kcf
Aliases: CVE-2025-40098 |
kernel: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() |
Affected by 0 other vulnerabilities. |
|
VCID-abfm-ssmn-1fap
Aliases: CVE-2024-52560 |
kernel: fs/ntfs3: Mark inode as bad as soon as error detected in mi_enum_attr() |
Affected by 0 other vulnerabilities. |
|
VCID-ackw-rsbh-rubp
Aliases: CVE-2025-38187 |
kernel: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() |
Affected by 0 other vulnerabilities. |
|
VCID-ajfm-hpzg-uqck
Aliases: CVE-2026-23327 |
kernel: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() |
Affected by 0 other vulnerabilities. |
|
VCID-ajr2-wmhj-fbbj
Aliases: CVE-2026-23428 |
kernel: ksmbd: fix use-after-free of share_conf in compound request |
Affected by 0 other vulnerabilities. |
|
VCID-akq2-c6hp-tfda
Aliases: CVE-2025-40136 |
kernel: crypto: hisilicon/qm - request reserved interrupt for virtual function |
Affected by 0 other vulnerabilities. |
|
VCID-akv9-pdny-1yh6
Aliases: CVE-2025-71266 |
kernel: fs: ntfs3: check return value of indx_find to avoid infinite loop |
Affected by 0 other vulnerabilities. |
|
VCID-an5c-5rea-u3aq
Aliases: CVE-2025-23131 |
kernel: dlm: prevent NPD when writing a positive value to event_done |
Affected by 0 other vulnerabilities. |
|
VCID-ans1-wmuz-e3bw
Aliases: CVE-2024-25740 |
kernel: memory leak in ubi driver |
Affected by 0 other vulnerabilities. |
|
VCID-apfq-mqch-jkgr
Aliases: CVE-2026-23457 |
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp(). sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary. For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser. Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length. |
Affected by 0 other vulnerabilities. |
|
VCID-asy4-m48b-xydu
Aliases: CVE-2026-23392 |
kernel: netfilter: nf_tables: release flowtable after rcu grace period on error |
Affected by 0 other vulnerabilities. |
|
VCID-awyz-zwdv-quaa
Aliases: CVE-2025-22108 |
kernel: bnxt_en: Mask the bd_cnt field in the TX BD properly |
Affected by 0 other vulnerabilities. |
|
VCID-aymw-na2d-bqfy
Aliases: CVE-2025-68376 |
kernel: coresight: ETR: Fix ETR buffer use-after-free issue |
Affected by 0 other vulnerabilities. |
|
VCID-azqr-xmc7-13b5
Aliases: CVE-2026-23249 |
kernel: xfs: check for deleted cursors when revalidating two btrees |
Affected by 0 other vulnerabilities. |
|
VCID-b1an-t4b8-4bd1
Aliases: CVE-2026-23290 |
kernel: net: usb: pegasus: validate USB endpoints |
Affected by 0 other vulnerabilities. |
|
VCID-b2kt-hmz5-yuhb
Aliases: CVE-2025-38207 |
kernel: mm: fix uprobe pte be overwritten when expanding vma |
Affected by 0 other vulnerabilities. |
|
VCID-b51x-3ss2-67ex
Aliases: CVE-2026-23242 |
kernel: RDMA/siw: Fix potential NULL pointer dereference in header processing |
Affected by 0 other vulnerabilities. |
|
VCID-b9uq-ggy1-eyan
Aliases: CVE-2025-68745 |
kernel: Linux kernel: Denial of Service in qla2xxx SCSI driver due to improper command handling after chip reset |
Affected by 0 other vulnerabilities. |
|
VCID-bd8g-qrbe-23hx
Aliases: CVE-2025-68251 |
kernel: Linux kernel (erofs): Denial of Service via corrupted subpage compact indexes |
Affected by 0 other vulnerabilities. |
|
VCID-bfjx-x5b3-53bg
Aliases: CVE-2026-23137 |
kernel: of: unittest: Fix memory leak in unittest_data_add() |
Affected by 0 other vulnerabilities. |
|
VCID-bkp8-m2yc-qub7
Aliases: CVE-2026-23348 |
kernel: cxl: Fix race of nvdimm_bus object when creating nvdimm objects |
Affected by 0 other vulnerabilities. |
|
VCID-bpmy-u7wr-kude
Aliases: CVE-2026-23357 |
kernel: can: mcp251x: fix deadlock in error path of mcp251x_open |
Affected by 0 other vulnerabilities. |
|
VCID-bq5a-jeg3-9ua7
Aliases: CVE-2026-23291 |
kernel: nfc: pn533: properly drop the usb interface reference on disconnect |
Affected by 0 other vulnerabilities. |
|
VCID-bv67-hyh5-j7hm
Aliases: CVE-2026-23102 |
kernel: Linux kernel: Denial of Service due to incorrect SVE context restoration |
Affected by 0 other vulnerabilities. |
|
VCID-c2me-ar1y-y7dw
Aliases: CVE-2026-23004 |
kernel: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() |
Affected by 0 other vulnerabilities. |
|
VCID-c42q-j659-e3gt
Aliases: CVE-2024-58093 |
kernel: Linux kernel: PCI/ASPM use-after-free during hot-unplug |
Affected by 0 other vulnerabilities. |
|
VCID-c49r-knse-6bc5
Aliases: CVE-2025-39933 |
kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length |
Affected by 0 other vulnerabilities. |
|
VCID-c7xf-x7d5-87gn
Aliases: CVE-2026-31418 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-c8mr-kkvc-akfv
Aliases: CVE-2026-23363 |
kernel: wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211() |
Affected by 0 other vulnerabilities. |
|
VCID-cayc-j15f-ekdv
Aliases: CVE-2026-23279 |
kernel: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() |
Affected by 0 other vulnerabilities. |
|
VCID-cepf-zr64-zyab
Aliases: CVE-2026-22986 |
kernel: Linux kernel: Denial of Service due to a race condition in gpiolib |
Affected by 0 other vulnerabilities. |
|
VCID-cfms-gd2h-v7gd
Aliases: CVE-2025-40025 |
kernel: f2fs: fix to do sanity check on node footer for non inode dnode |
Affected by 0 other vulnerabilities. |
|
VCID-cjnk-7asz-zuhp
Aliases: CVE-2026-23383 |
kernel: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing |
Affected by 0 other vulnerabilities. |
|
VCID-cpg7-6nst-gkfn
Aliases: CVE-2025-71117 |
kernel: Linux kernel: Denial of Service via deadlock in block layer sysfs store callbacks |
Affected by 0 other vulnerabilities. |
|
VCID-cqrs-uu2s-affj
Aliases: CVE-2026-23306 |
kernel: scsi: pm8001: Fix use-after-free in pm8001_queue_command() |
Affected by 0 other vulnerabilities. |
|
VCID-cwd1-xgzd-xyb5
Aliases: CVE-2026-23417 |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
|
VCID-d4u6-bzuu-dubz
Aliases: CVE-2025-71188 |
kernel: dmaengine: lpc18xx-dmamux: fix device leak on route allocation |
Affected by 0 other vulnerabilities. |
|
VCID-d8tr-usd8-6yca
Aliases: CVE-2025-40219 |
kernel: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV |
Affected by 0 other vulnerabilities. |
|
VCID-dq8r-defv-hbg6
Aliases: CVE-2023-6238 |
kernel: nvme: memory corruption via unprivileged user passthrough |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dsrd-nv6n-5ygq
Aliases: CVE-2026-23296 |
kernel: scsi: core: Fix refcount leak for tagset_refcnt |
Affected by 0 other vulnerabilities. |
|
VCID-dxt9-x347-pufy
Aliases: CVE-2026-22985 |
kernel: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations |
Affected by 0 other vulnerabilities. |
|
VCID-ecc5-64vs-ekgr
Aliases: CVE-2026-31391 |
In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix OOM ->tfm_count leak If memory allocation fails, decrement ->tfm_count to avoid blocking future reads. |
Affected by 0 other vulnerabilities. |
|
VCID-ed3p-sm1w-33am
Aliases: CVE-2026-23293 |
kernel: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled |
Affected by 0 other vulnerabilities. |
|
VCID-edst-7exd-zud8
Aliases: CVE-2025-40168 |
kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match() |
Affected by 0 other vulnerabilities. |
|
VCID-es8r-wvmz-gfe6
Aliases: CVE-2025-39677 |
kernel: net/sched: Fix backlog accounting in qdisc_dequeue_internal |
Affected by 0 other vulnerabilities. |
|
VCID-ex4p-ftap-h7fe
Aliases: CVE-2026-23302 |
kernel: net: annotate data-races around sk->sk_{data_ready,write_space} |
Affected by 0 other vulnerabilities. |
|
VCID-ex8u-z3r8-cycq
Aliases: CVE-2026-23442 |
In the Linux kernel, the following vulnerability has been resolved: ipv6: add NULL checks for idev in SRv6 paths __in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER). Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences. |
Affected by 0 other vulnerabilities. |
|
VCID-exhn-kypt-2fbd
Aliases: CVE-2025-38204 |
kernel: jfs: fix array-index-out-of-bounds read in add_missing_indices |
Affected by 0 other vulnerabilities. |
|
VCID-exkr-nw4y-guf2
Aliases: CVE-2026-31406 |
kernel: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-ezn1-bgny-1qdv
Aliases: CVE-2026-23259 |
kernel: io_uring/rw: free potentially allocated iovec on cache put failure |
Affected by 0 other vulnerabilities. |
|
VCID-f3sv-pbfs-cqcc
Aliases: CVE-2025-37880 |
kernel: um: work around sched_yield not yielding in time-travel mode |
Affected by 0 other vulnerabilities. |
|
VCID-f76c-qhke-3bag
Aliases: CVE-2026-23307 |
kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message |
Affected by 0 other vulnerabilities. |
|
VCID-ffdb-88yu-3be1
Aliases: CVE-2026-23356 |
kernel: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() |
Affected by 0 other vulnerabilities. |
|
VCID-fq82-zz54-kuc6
Aliases: CVE-2026-23246 |
kernel: Linux kernel: Denial of Service in mac80211 Wi-Fi due to out-of-bounds write |
Affected by 0 other vulnerabilities. |
|
VCID-fvvb-p7r7-zkbk
Aliases: CVE-2026-31422 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-fx2q-84en-qyah
Aliases: CVE-2026-23362 |
kernel: can: bcm: fix locking for bcm_op runtime updates |
Affected by 0 other vulnerabilities. |
|
VCID-g162-81ms-93g7
Aliases: CVE-2025-40158 |
kernel: ipv6: use RCU in ip6_output() |
Affected by 0 other vulnerabilities. |
|
VCID-g3ku-5npc-v7gc
Aliases: CVE-2026-23368 |
kernel: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock |
Affected by 0 other vulnerabilities. |
|
VCID-g48f-w2gu-s7c3
Aliases: CVE-2025-68318 |
kernel: clk: thead: th1520-ap: set all AXI clocks to CLK_IS_CRITICAL |
Affected by 0 other vulnerabilities. |
|
VCID-g5sa-v8nq-gqge
Aliases: CVE-2025-68368 |
kernel: Kernel: Denial of Service in md driver via uninitialized bioset |
Affected by 0 other vulnerabilities. |
|
VCID-g737-aj6x-r3bd
Aliases: CVE-2025-68319 |
kernel: netconsole: Acquire su_mutex before navigating configs hierarchy |
Affected by 0 other vulnerabilities. |
|
VCID-g77j-7yap-qkgw
Aliases: CVE-2026-23387 |
kernel: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() |
Affected by 0 other vulnerabilities. |
|
VCID-g7k7-e2h7-a7f6
Aliases: CVE-2025-71265 |
kernel: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata |
Affected by 0 other vulnerabilities. |
|
VCID-gfq9-z9p8-kqhk
Aliases: CVE-2026-23413 |
Affected by 0 other vulnerabilities. |
|
|
VCID-gkap-5jhj-tbff
Aliases: CVE-2026-23378 |
kernel: net/sched: act_ife: Fix metalist update behavior |
Affected by 0 other vulnerabilities. |
|
VCID-gpcp-4y8w-fka1
Aliases: CVE-2026-23330 |
kernel: nfc: nci: complete pending data exchange on device close |
Affected by 0 other vulnerabilities. |
|
VCID-gtjv-ut7g-hqhv
Aliases: CVE-2026-23207 |
kernel: spi: tegra210-quad: Protect curr_xfer check in IRQ handler |
Affected by 0 other vulnerabilities. |
|
VCID-gtwd-5z2r-6ue9
Aliases: CVE-2025-23135 |
kernel: RISC-V: KVM: Teardown riscv specific bits after kvm_exit |
Affected by 0 other vulnerabilities. |
|
VCID-gu84-p4ru-b7gj
Aliases: CVE-2025-38627 |
kernel: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic |
Affected by 0 other vulnerabilities. |
|
VCID-gyhz-a9pm-zqav
Aliases: CVE-2026-31788 |
Linux privcmd driver can circumvent kernel lockdown |
Affected by 0 other vulnerabilities. |
|
VCID-h31q-rcq3-7ud3
Aliases: CVE-2026-31389 |
kernel: spi: fix use-after-free on controller registration failure |
Affected by 0 other vulnerabilities. |
|
VCID-h3e8-fux5-3fe2
Aliases: CVE-2026-31393 |
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled. |
Affected by 0 other vulnerabilities. |
|
VCID-h57h-xt8g-y3f5
Aliases: CVE-2025-38605 |
kernel: wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() |
Affected by 0 other vulnerabilities. |
|
VCID-h7pm-dyef-1fan
Aliases: CVE-2026-31409 |
Affected by 0 other vulnerabilities. |
|
|
VCID-hbn4-nw7h-abg1
Aliases: CVE-2026-23251 |
kernel: xfs: only call xf{array,blob}_destroy if we have a valid pointer |
Affected by 0 other vulnerabilities. |
|
VCID-hbzk-b7gn-9bgz
Aliases: CVE-2025-38261 |
kernel: riscv: save the SR_SUM status over switches |
Affected by 0 other vulnerabilities. |
|
VCID-hh8s-8fc8-pkgq
Aliases: CVE-2026-23351 |
kernel: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase |
Affected by 0 other vulnerabilities. |
|
VCID-hjf7-23wz-1qeg
Aliases: CVE-2026-23438 |
kernel: net: mvpp2: guard flow control update with global_tx_fc in buffer switching |
Affected by 0 other vulnerabilities. |
|
VCID-j7ng-yctd-3kc4
Aliases: CVE-2025-21807 |
kernel: block: fix queue freeze vs limits lock order in sysfs store methods |
Affected by 0 other vulnerabilities. |
|
VCID-j87e-taah-ubbv
Aliases: CVE-2026-23370 |
kernel: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data |
Affected by 0 other vulnerabilities. |
|
VCID-j8yy-3tn1-63b5
Aliases: CVE-2025-40338 |
kernel: ASoC: Intel: avs: Do not share the name pointer between components |
Affected by 0 other vulnerabilities. |
|
VCID-jamx-hf6t-bfcd
Aliases: CVE-2026-23243 |
kernel: Linux kernel: Denial of service and memory corruption in RDMA umad |
Affected by 0 other vulnerabilities. |
|
VCID-jr94-175s-s7cy
Aliases: CVE-2025-37746 |
kernel: perf/dwc_pcie: fix duplicate pci_dev devices |
Affected by 0 other vulnerabilities. |
|
VCID-jtnv-mefv-qqff
Aliases: CVE-2026-23319 |
kernel: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim |
Affected by 0 other vulnerabilities. |
|
VCID-jx72-vpup-p3gk
Aliases: CVE-2025-22127 |
kernel: f2fs: fix potential deadloop in prepare_compress_overwrite() |
Affected by 0 other vulnerabilities. |
|
VCID-jxkv-jbh3-9fhj
Aliases: CVE-2025-39762 |
kernel: drm/amd/display: add null check |
Affected by 0 other vulnerabilities. |
|
VCID-k1eg-sz6t-skg8
Aliases: CVE-2025-68304 |
kernel: Bluetooth: hci_core: lookup hci_conn on RX path on protocol side |
Affected by 0 other vulnerabilities. |
|
VCID-k1v3-945q-47eh
Aliases: CVE-2026-23273 |
kernel: macvlan: observe an RCU grace period in macvlan_common_newlink() error path |
Affected by 0 other vulnerabilities. |
|
VCID-k3na-q9p9-4kbh
Aliases: CVE-2026-23469 |
kernel: drm/imagination: Synchronize interrupts before suspending the GPU |
Affected by 0 other vulnerabilities. |
|
VCID-k4wz-r6rn-rkfs
Aliases: CVE-2025-40150 |
kernel: f2fs: fix to avoid migrating empty section |
Affected by 0 other vulnerabilities. |
|
VCID-k5ww-5ut8-pfg7
Aliases: CVE-2025-68360 |
kernel: wifi: mt76: wed: use proper wed reference in mt76 wed driver callbacks |
Affected by 0 other vulnerabilities. |
|
VCID-k68k-tnns-mkga
Aliases: CVE-2025-40074 |
kernel: ipv4: start using dst_dev_rcu() |
Affected by 0 other vulnerabilities. |
|
VCID-k6tp-a2zd-2bc1
Aliases: CVE-2026-23360 |
kernel: nvme: fix admin queue leak on controller reset |
Affected by 0 other vulnerabilities. |
|
VCID-kcmk-1zxh-2yhv
Aliases: CVE-2026-23340 |
kernel: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs |
Affected by 0 other vulnerabilities. |
|
VCID-kd3n-3han-k7dm
Aliases: CVE-2025-68175 |
kernel: media: nxp: imx8-isi: Fix streaming cleanup on release |
Affected by 0 other vulnerabilities. |
|
VCID-kdmz-w6db-7ue2
Aliases: CVE-2026-23448 |
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: if ((ndpoffset + sizeof(struct usb_cdc_ncm_ndp16)) > skb_in->len) but the second check omits it: if ((sizeof(struct usb_cdc_ncm_ndp16) + ret * (sizeof(struct usb_cdc_ncm_dpe16))) > skb_in->len) This validates the DPE array size against the total skb length as if the NDP were at offset 0, rather than at ndpoffset. When the NDP is placed near the end of the NTB (large wNdpIndex), the DPE entries can extend past the skb data buffer even though the check passes. cdc_ncm_rx_fixup() then reads out-of-bounds memory when iterating the DPE array. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. |
Affected by 0 other vulnerabilities. |
|
VCID-kgsv-ke1m-xkg5
Aliases: CVE-2025-21949 |
kernel: LoongArch: Set hugetlb mmap base address aligned with pmd size |
Affected by 0 other vulnerabilities. |
|
VCID-kgv3-f25s-ckd5
Aliases: CVE-2025-40102 |
kernel: Linux kernel KVM: Denial of Service due to uninitialized vCPU event handling |
Affected by 0 other vulnerabilities. |
|
VCID-kn32-aqhq-k7c5
Aliases: CVE-2026-23434 |
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nand_lock() and nand_unlock() call into chip->ops.lock_area/unlock_area without holding the NAND device lock. On controllers that implement SET_FEATURES via multiple low-level PIO commands, these can race with concurrent UBI/UBIFS background erase/write operations that hold the device lock, resulting in cmd_pending conflicts on the NAND controller. Add nand_get_device()/nand_release_device() around the lock/unlock operations to serialize them against all other NAND controller access. |
Affected by 0 other vulnerabilities. |
|
VCID-kns4-65da-v3bc
Aliases: CVE-2026-31400 |
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix cache_request leak in cache_release When a reader's file descriptor is closed while in the middle of reading a cache_request (rp->offset != 0), cache_release() decrements the request's readers count but never checks whether it should free the request. In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the cache_request is removed from the queue and freed along with its buffer and cache_head reference. cache_release() lacks this cleanup. The only other path that frees requests with readers == 0 is cache_dequeue(), but it runs only when CACHE_PENDING transitions from set to clear. If that transition already happened while readers was still non-zero, cache_dequeue() will have skipped the request, and no subsequent call will clean it up. Add the same cleanup logic from cache_read() to cache_release(): after decrementing readers, check if it reached 0 with CACHE_PENDING clear, and if so, dequeue and free the cache_request. |
Affected by 0 other vulnerabilities. |
|
VCID-kp79-ejb3-u3ew
Aliases: CVE-2026-23007 |
kernel: block: zero non-PI portion of auto integrity buffer |
Affected by 0 other vulnerabilities. |
|
VCID-kpkx-qwue-bff4
Aliases: CVE-2026-23458 |
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nfct_help(ct), leading to a use-after-free on ct->ext. The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose. Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily. BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0 Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133 CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPTLAZY Call Trace: <TASK> ctnetlink_exp_ct_dump_table+0x4f/0x2e0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 ? aa_sk_perm+0x184/0x450 sock_recvmsg+0xde/0xf0 Allocated by task 133: kmem_cache_alloc_noprof+0x134/0x440 __nf_conntrack_alloc+0xa8/0x2b0 ctnetlink_create_conntrack+0xa1/0x900 ctnetlink_new_conntrack+0x3cf/0x7d0 nfnetlink_rcv_msg+0x48e/0x510 netlink_rcv_skb+0xc9/0x1f0 nfnetlink_rcv+0xdb/0x220 netlink_unicast+0x3ec/0x590 netlink_sendmsg+0x397/0x690 __sys_sendmsg+0xf4/0x180 Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0 rcu_core+0x5c3/0x9c0 |
Affected by 0 other vulnerabilities. |
|
VCID-kus3-1ds4-8qfb
Aliases: CVE-2026-23217 |
kernel: riscv: trace: fix snapshot deadlock with sbi ecall |
Affected by 0 other vulnerabilities. |
|
VCID-kvbv-df49-gyaj
Aliases: CVE-2026-31402 |
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request. |
Affected by 0 other vulnerabilities. |
|
VCID-kx5p-87fs-9kgw
Aliases: CVE-2025-38426 |
kernel: drm/amdgpu: Add basic validation for RAS header |
Affected by 0 other vulnerabilities. |
|
VCID-m21d-1mj4-3bbn
Aliases: CVE-2025-40247 |
kernel: drm/msm: Fix pgtable prealloc error path |
Affected by 0 other vulnerabilities. |
|
VCID-m35k-ahnu-abh1
Aliases: CVE-2026-23450 |
kernel: net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock() |
Affected by 0 other vulnerabilities. |
|
VCID-m995-b8rn-tkgk
Aliases: CVE-2026-23455 |
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read. Add a check to ensure len is positive after the decrement. |
Affected by 0 other vulnerabilities. |
|
VCID-m9u8-d7gp-37bk
Aliases: CVE-2026-23313 |
kernel: i40e: Fix preempt count leak in napi poll tracepoint |
Affected by 0 other vulnerabilities. |
|
VCID-meqx-5s5k-j3f7
Aliases: CVE-2024-14027 |
kernel: xattr: switch to CLASS(fd) |
Affected by 0 other vulnerabilities. |
|
VCID-mgjc-55mm-kffq
Aliases: CVE-2025-39833 |
kernel: mISDN: hfcpci: Fix warning when deleting uninitialized timer |
Affected by 0 other vulnerabilities. |
|
VCID-mjbb-q1nx-8fgj
Aliases: CVE-2025-38311 |
kernel: Linux kernel (iavf): Denial of Service due to a locking issue |
Affected by 0 other vulnerabilities. |
|
VCID-mkjm-756w-5ygt
Aliases: CVE-2026-23270 |
kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation |
Affected by 0 other vulnerabilities. |
|
VCID-mkw6-9tye-x3fb
Aliases: CVE-2026-23399 |
kernel: nf_tables: nft_dynset: fix possible stateful expression memleak in error path |
Affected by 0 other vulnerabilities. |
|
VCID-mmj7-dk1d-yuga
Aliases: CVE-2025-38284 |
kernel: wifi: rtw89: pci: configure manual DAC mode via PCI config API only |
Affected by 0 other vulnerabilities. |
|
VCID-mmsk-j6bt-wuh1
Aliases: CVE-2026-23419 |
Affected by 0 other vulnerabilities. |
|
|
VCID-mrj8-hhte-77a4
Aliases: CVE-2025-39859 |
kernel: ptp: ocp: fix use-after-free bugs caused by ptp_ocp_watchdog |
Affected by 0 other vulnerabilities. |
|
VCID-n1tb-u9us-57bv
Aliases: CVE-2026-23239 |
kernel: Kernel: Race condition in espintcp can lead to denial of service |
Affected by 0 other vulnerabilities. |
|
VCID-n2ac-dtm2-sqa9
Aliases: CVE-2026-23271 |
kernel: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race |
Affected by 0 other vulnerabilities. |
|
VCID-n59e-jkf6-13bf
Aliases: CVE-2022-3238 |
kernel: ntfs3 local privilege escalation if NTFS character set and remount and umount called simultaneously |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n791-nrre-9qfv
Aliases: CVE-2025-21752 |
kernel: btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents |
Affected by 0 other vulnerabilities. |
|
VCID-n8y5-74xq-f7ft
Aliases: CVE-2026-23324 |
kernel: can: usb: etas_es58x: correctly anchor the urb in the read bulk callback |
Affected by 0 other vulnerabilities. |
|
VCID-nb89-27n1-73e5
Aliases: CVE-2025-38036 |
kernel: Linux kernel: Denial of Service due to null pointer dereference in GT MMIO initialization for VFs |
Affected by 0 other vulnerabilities. |
|
VCID-nc6z-qvqq-pbc8
Aliases: CVE-2026-23297 |
kernel: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit() |
Affected by 0 other vulnerabilities. |
|
VCID-ncy9-6whk-ckep
Aliases: CVE-2026-23208 |
kernel: ALSA: usb-audio: Prevent excessive number of frames |
Affected by 0 other vulnerabilities. |
|
VCID-nm9q-qfj8-4bb4
Aliases: CVE-2026-23070 |
kernel: Octeontx2-af: Add proper checks for fwdata |
Affected by 0 other vulnerabilities. |
|
VCID-nnwa-29v5-jub3
Aliases: CVE-2026-22993 |
kernel: idpf: Fix RSS LUT NULL ptr issue after soft reset |
Affected by 0 other vulnerabilities. |
|
VCID-nsbf-fkcw-cbed
Aliases: CVE-2026-31407 |
Affected by 0 other vulnerabilities. |
|
|
VCID-nuhs-4sjq-dkcb
Aliases: CVE-2025-68768 |
kernel: inet: frags: flush pending skbs in fqdir_pre_exit() |
Affected by 0 other vulnerabilities. |
|
VCID-p1cz-e94f-57c2
Aliases: CVE-2025-39789 |
kernel: crypto: x86/aegis - Add missing error checks |
Affected by 0 other vulnerabilities. |
|
VCID-p2ng-3bek-d3b6
Aliases: CVE-2025-71267 |
kernel: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST |
Affected by 0 other vulnerabilities. |
|
VCID-p3s4-ha6m-bber
Aliases: CVE-2026-23470 |
kernel: drm/imagination: Fix deadlock in soft reset sequence |
Affected by 0 other vulnerabilities. |
|
VCID-p3vt-v7gj-gqbc
Aliases: CVE-2024-56709 |
kernel: io_uring: check if iowq is killed before queuing |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-p4by-fm53-yybk
Aliases: CVE-2026-31425 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-p595-1qtr-tuae
Aliases: CVE-2026-23381 |
kernel: net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled |
Affected by 0 other vulnerabilities. |
|
VCID-p9x5-syxd-fufc
Aliases: CVE-2026-23473 |
kernel: io_uring/poll: fix multishot recv missing EOF on wakeup race |
Affected by 0 other vulnerabilities. |
|
VCID-pbtm-mu23-9qat
Aliases: CVE-2026-23445 |
kernel: igc: fix page fault in XDP TX timestamps handling |
Affected by 0 other vulnerabilities. |
|
VCID-pepq-cqcb-dkdm
Aliases: CVE-2026-23276 |
kernel: net: add xmit recursion limit to tunnel xmit functions |
Affected by 0 other vulnerabilities. |
|
VCID-pnfa-xm28-w3bk
Aliases: CVE-2026-23304 |
kernel: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() |
Affected by 0 other vulnerabilities. |
|
VCID-pr3c-sy9g-t3f5
Aliases: CVE-2025-71141 |
kernel: drm/tilcdc: Fix removal actions in case of failed probe |
Affected by 0 other vulnerabilities. |
|
VCID-psbr-e3ym-tyfv
Aliases: CVE-2025-37906 |
kernel: Linux kernel: ublk race condition causes kernel crash |
Affected by 0 other vulnerabilities. |
|
VCID-ptyj-1y6d-dud1
Aliases: CVE-2026-23066 |
kernel: Linux kernel: Denial of Service via unsafe requeue in rxrpc_recvmsg |
Affected by 0 other vulnerabilities. |
|
VCID-pva7-b7rk-ykam
Aliases: CVE-2026-31410 |
Affected by 0 other vulnerabilities. |
|
|
VCID-pwd1-juze-77bx
Aliases: CVE-2026-23346 |
kernel: arm64: io: Extract user memory type in ioremap_prot() |
Affected by 0 other vulnerabilities. |
|
VCID-q1cz-abcx-myc2
Aliases: CVE-2025-68359 |
kernel: btrfs: fix double free of qgroup record after failure to add delayed ref head |
Affected by 0 other vulnerabilities. |
|
VCID-q567-ceh3-4bdq
Aliases: CVE-2026-23308 |
kernel: pinctrl: equilibrium: fix warning trace on load |
Affected by 0 other vulnerabilities. |
|
VCID-q7a3-cm2m-ayga
Aliases: CVE-2025-40064 |
kernel: smc: Fix use-after-free in __pnet_find_base_ndev() |
Affected by 0 other vulnerabilities. |
|
VCID-q8fu-8mce-7ue6
Aliases: CVE-2025-38421 |
kernel: platform/x86/amd: pmf: Use device managed allocations |
Affected by 0 other vulnerabilities. |
|
VCID-qa1s-pr21-cycs
Aliases: CVE-2026-23253 |
kernel: Kernel: Denial of Service via DVB DVR ringbuffer reinitialization flaw |
Affected by 0 other vulnerabilities. |
|
VCID-qefy-64um-sqh7
Aliases: CVE-2026-23210 |
kernel: Linux kernel: Denial of Service in ice driver due to race condition during VSI rebuild |
Affected by 0 other vulnerabilities. |
|
VCID-qffu-7n92-bbhy
Aliases: CVE-2026-23474 |
In the Linux kernel, the following vulnerability has been resolved: mtd: Avoid boot crash in RedBoot partition table parser Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when available") produces the warning below and an oops. Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 ------------[ cut here ]------------ WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 memcmp: detected buffer overflow: 15 byte read of buffer size 14 Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE As Kees said, "'names' is pointing to the final 'namelen' many bytes of the allocation ... 'namelen' could be basically any length at all. This fortify warning looks legit to me -- this code used to be reading beyond the end of the allocation." Since the size of the dynamic allocation is calculated with strlen() we can use strcmp() instead of memcmp() and remain within bounds. |
Affected by 0 other vulnerabilities. |
|
VCID-qmuk-1txu-z3da
Aliases: CVE-2026-23388 |
kernel: Squashfs: check metadata block offset is within range |
Affected by 0 other vulnerabilities. |
|
VCID-qsdm-cyzs-aufy
Aliases: CVE-2026-31414 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-qx21-w7wn-tqap
Aliases: CVE-2026-23265 |
kernel: f2fs: fix to do sanity check on node footer in {read,write}_end_io |
Affected by 0 other vulnerabilities. |
|
VCID-qxd4-7ack-dkaf
Aliases: CVE-2025-39910 |
kernel: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() |
Affected by 0 other vulnerabilities. |
|
VCID-qyxy-uh9d-fqhr
Aliases: CVE-2026-23335 |
kernel: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() |
Affected by 0 other vulnerabilities. |
|
VCID-qz4v-xapc-nqh9
Aliases: CVE-2025-39862 |
kernel: wifi: mt76: mt7915: fix list corruption after hardware restart |
Affected by 0 other vulnerabilities. |
|
VCID-r1fj-r1mn-83fr
Aliases: CVE-2026-23412 |
Affected by 0 other vulnerabilities. |
|
|
VCID-r76g-d7px-hqff
Aliases: CVE-2026-23379 |
kernel: net/sched: ets: fix divide by zero in the offload path |
Affected by 0 other vulnerabilities. |
|
VCID-r7fp-rb7m-b7gs
Aliases: CVE-2026-31427 |
Affected by 0 other vulnerabilities. |
|
|
VCID-rfzp-v6r1-aqae
Aliases: CVE-2025-38199 |
kernel: wifi: ath12k: Fix memory leak due to multiple rx_stats allocation |
Affected by 0 other vulnerabilities. |
|
VCID-rh4e-sbew-nkbm
Aliases: CVE-2025-38064 |
kernel: virtio: break and reset virtio devices on device_shutdown() |
Affected by 0 other vulnerabilities. |
|
VCID-rkqz-erqh-dfh4
Aliases: CVE-2026-23465 |
In the Linux kernel, the following vulnerability has been resolved: btrfs: log new dentries when logging parent dir of a conflicting inode If we log the parent directory of a conflicting inode, we are not logging the new dentries of the directory, so when we finish we have the parent directory's inode marked as logged but we did not log its new dentries. As a consequence if the parent directory is explicitly fsynced later and it does not have any new changes since we logged it, the fsync is a no-op and after a power failure the new dentries are missing. Example scenario: $ mkdir foo $ sync $ rmdir foo $ mkdir dir1 $ mkdir dir2 # A file with the same name and parent as the directory we just deleted # and was persisted in a past transaction. So the deleted directory's # inode is a conflicting inode of this new file's inode. $ touch foo $ ln foo dir2/link # The fsync on dir2 will log the parent directory (".") because the # conflicting inode (deleted directory) does not exist anymore, but it # does not log its new dentries (dir1). $ xfs_io -c "fsync" dir2 # This fsync on the parent directory is no-op, since the previous fsync # logged it (but without logging its new dentries). $ xfs_io -c "fsync" . <power failure> # After log replay dir1 is missing. Fix this by ensuring we log new dir dentries whenever we log the parent directory of a no longer existing conflicting inode. A test case for fstests will follow soon. |
Affected by 0 other vulnerabilities. |
|
VCID-rmuw-t9j1-sygw
Aliases: CVE-2025-40146 |
kernel: blk-mq: fix potential deadlock while nr_requests grown |
Affected by 0 other vulnerabilities. |
|
VCID-rsz5-e5fc-syh2
Aliases: CVE-2025-22109 |
kernel: ax25: Remove broken autobind |
Affected by 0 other vulnerabilities. |
|
VCID-rtdx-733f-4qcq
Aliases: CVE-2025-38205 |
kernel: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 |
Affected by 0 other vulnerabilities. |
|
VCID-s81d-vavh-fudh
Aliases: CVE-2025-40086 |
kernel: drm/xe: Don't allow evicting of BOs in same VM in array of VM binds |
Affected by 0 other vulnerabilities. |
|
VCID-se4d-mkta-c3dg
Aliases: CVE-2026-23385 |
kernel: netfilter: nf_tables: clone set on flush only |
Affected by 0 other vulnerabilities. |
|
VCID-sjam-bp41-27f4
Aliases: CVE-2026-23365 |
kernel: net: usb: kalmia: validate USB endpoints |
Affected by 0 other vulnerabilities. |
|
VCID-sm3v-84rs-nyem
Aliases: CVE-2026-23460 |
In the Linux kernel, the following vulnerability has been resolved: net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect syzkaller reported a bug [1], and the reproducer is available at [2]. ROSE sockets use four sk->sk_state values: TCP_CLOSE, TCP_LISTEN, TCP_SYN_SENT, and TCP_ESTABLISHED. rose_connect() already rejects calls for TCP_ESTABLISHED (-EISCONN) and TCP_CLOSE with SS_CONNECTING (-ECONNREFUSED), but lacks a check for TCP_SYN_SENT. When rose_connect() is called a second time while the first connection attempt is still in progress (TCP_SYN_SENT), it overwrites rose->neighbour via rose_get_neigh(). If that returns NULL, the socket is left with rose->state == ROSE_STATE_1 but rose->neighbour == NULL. When the socket is subsequently closed, rose_release() sees ROSE_STATE_1 and calls rose_write_internal() -> rose_transmit_link(skb, NULL), causing a NULL pointer dereference. Per connect(2), a second connect() while a connection is already in progress should return -EALREADY. Add this missing check for TCP_SYN_SENT to complete the state validation in rose_connect(). [1] https://syzkaller.appspot.com/bug?extid=d00f90e0af54102fb271 [2] https://gist.github.com/mrpre/9e6779e0d13e2c66779b1653fef80516 |
Affected by 0 other vulnerabilities. |
|
VCID-sne8-13hq-mqan
Aliases: CVE-2026-23272 |
kernel: netfilter: nf_tables: unconditionally bump set->nelems before insertion |
Affected by 0 other vulnerabilities. |
|
VCID-spab-qnhh-vqap
Aliases: CVE-2026-23287 |
kernel: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting |
Affected by 0 other vulnerabilities. |
|
VCID-sqf7-4e8r-7ken
Aliases: CVE-2026-23396 |
kernel: wifi: mac80211: fix NULL deref in mesh_matches_local() |
Affected by 0 other vulnerabilities. |
|
VCID-sv2x-sud7-9fcv
Aliases: CVE-2026-23468 |
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times. Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance. Return -EINVAL if the requested entry count exceeds the limit (cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332) |
Affected by 0 other vulnerabilities. |
|
VCID-svm7-nyr5-kfa3
Aliases: CVE-2026-23286 |
kernel: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs |
Affected by 0 other vulnerabilities. |
|
VCID-sy3c-f5q7-qygm
Aliases: CVE-2026-23398 |
kernel: icmp: fix NULL pointer dereference in icmp_tag_validation() |
Affected by 0 other vulnerabilities. |
|
VCID-szdg-jd74-r7g1
Aliases: CVE-2025-71227 |
kernel: wifi: mac80211: don't WARN for connections on invalid channels |
Affected by 0 other vulnerabilities. |
|
VCID-t2sv-vqq2-q7av
Aliases: CVE-2026-23278 |
kernel: netfilter: nf_tables: always walk all pending catchall elements |
Affected by 0 other vulnerabilities. |
|
VCID-t4n5-xvuu-uba1
Aliases: CVE-2026-23017 |
kernel: idpf: fix error handling in the init_task on load |
Affected by 0 other vulnerabilities. |
|
VCID-td5e-4c6y-cyc9
Aliases: CVE-2026-23312 |
kernel: net: usb: kaweth: validate USB endpoints |
Affected by 0 other vulnerabilities. |
|
VCID-texr-5weq-v3dw
Aliases: CVE-2026-31424 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-tqmr-q8w3-cyg2
Aliases: CVE-2025-22116 |
kernel: idpf: check error for register_netdev() on init |
Affected by 0 other vulnerabilities. |
|
VCID-tt18-fh9r-57c9
Aliases: CVE-2026-23339 |
kernel: nfc: nci: free skb on nci_transceive early error paths |
Affected by 0 other vulnerabilities. |
|
VCID-twwm-48md-yybs
Aliases: CVE-2026-23250 |
kernel: xfs: check return value of xchk_scrub_create_subord |
Affected by 0 other vulnerabilities. |
|
VCID-tzdq-wy6d-xbbx
Aliases: CVE-2026-23361 |
kernel: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry |
Affected by 0 other vulnerabilities. |
|
VCID-u6nn-wr8u-qqdj
Aliases: CVE-2026-23171 |
kernel: Linux kernel: Use-after-free in bonding module can cause system crash or arbitrary code execution |
Affected by 0 other vulnerabilities. |
|
VCID-ub6v-vb3r-83eh
Aliases: CVE-2026-23352 |
kernel: x86/efi: defer freeing of boot services memory |
Affected by 0 other vulnerabilities. |
|
VCID-ucab-wj54-hyey
Aliases: CVE-2025-38140 |
kernel: Linux kernel: Local denial of service in device mapper |
Affected by 0 other vulnerabilities. |
|
VCID-uhng-dru9-7yht
Aliases: CVE-2026-23446 |
In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants |
Affected by 0 other vulnerabilities. |
|
VCID-ukr2-rp6y-rkf1
Aliases: CVE-2026-23274 |
kernel: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels |
Affected by 0 other vulnerabilities. |
|
VCID-up76-yp3d-5kaj
Aliases: CVE-2026-23244 |
kernel: nvme: fix memory allocation in nvme_pr_read_keys() |
Affected by 0 other vulnerabilities. |
|
VCID-upcd-ngpy-ekeu
Aliases: CVE-2026-31411 |
Affected by 0 other vulnerabilities. |
|
|
VCID-uywc-57rt-7ue6
Aliases: CVE-2025-39775 |
kernel: Linux kernel: mremap local denial of service |
Affected by 0 other vulnerabilities. |
|
VCID-uzfu-ke47-1qaq
Aliases: CVE-2026-23426 |
Affected by 0 other vulnerabilities. |
|
|
VCID-v13n-b9vm-3yej
Aliases: CVE-2026-23354 |
kernel: x86/fred: Correct speculative safety in fred_extint() |
Affected by 0 other vulnerabilities. |
|
VCID-v2rb-s1g7-1ub4
Aliases: CVE-2026-31403 |
In the Linux kernel, the following vulnerability has been resolved: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd The /proc/fs/nfs/exports proc entry is created at module init and persists for the module's lifetime. exports_proc_open() captures the caller's current network namespace and stores its svc_export_cache in seq->private, but takes no reference on the namespace. If the namespace is subsequently torn down (e.g. container destruction after the opener does setns() to a different namespace), nfsd_net_exit() calls nfsd_export_shutdown() which frees the cache. Subsequent reads on the still-open fd dereference the freed cache_detail, walking a freed hash table. Hold a reference on the struct net for the lifetime of the open file descriptor. This prevents nfsd_net_exit() from running -- and thus prevents nfsd_export_shutdown() from freeing the cache -- while any exports fd is open. cache_detail already stores its net pointer (cd->net, set by cache_create_net()), so exports_release() can retrieve it without additional per-file storage. |
Affected by 0 other vulnerabilities. |
|
VCID-v3ba-uvsy-ybfv
Aliases: CVE-2025-71221 |
kernel: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() |
Affected by 0 other vulnerabilities. |
|
VCID-v3m5-xj2s-5yef
Aliases: CVE-2025-38359 |
kernel: s390/mm: Fix in_atomic() handling in do_secure_storage_access() |
Affected by 0 other vulnerabilities. |
|
VCID-v4eq-5uts-e7es
Aliases: CVE-2026-23334 |
kernel: can: usb: f81604: handle short interrupt urb messages properly |
Affected by 0 other vulnerabilities. |
|
VCID-v9bm-48ec-9fc2
Aliases: CVE-2026-23454 |
kernel: net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown |
Affected by 0 other vulnerabilities. |
|
VCID-v9p4-t339-t3g4
Aliases: CVE-2025-71152 |
kernel: net: dsa: properly keep track of conduit reference |
Affected by 0 other vulnerabilities. |
|
VCID-vccj-gtv8-kug3
Aliases: CVE-2026-23359 |
kernel: bpf: Fix stack-out-of-bounds write in devmap |
Affected by 0 other vulnerabilities. |
|
VCID-vdnv-8h83-7kfs
Aliases: CVE-2025-40135 |
kernel: ipv6: use RCU in ip6_xmit() |
Affected by 0 other vulnerabilities. |
|
VCID-vgze-rbc5-bbc6
Aliases: CVE-2026-23391 |
kernel: netfilter: xt_CT: drop pending enqueued packets on template removal |
Affected by 0 other vulnerabilities. |
|
VCID-vr91-8n9z-dfh2
Aliases: CVE-2025-68730 |
kernel: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context() |
Affected by 0 other vulnerabilities. |
|
VCID-vtwb-e5mq-6bgq
Aliases: CVE-2026-23277 |
kernel: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit |
Affected by 0 other vulnerabilities. |
|
VCID-vw6j-sby6-dbh3
Aliases: CVE-2026-23449 |
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so may cause crashes like the following: BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139) ---truncated--- |
Affected by 0 other vulnerabilities. |
|
VCID-vz73-y2va-5kbw
Aliases: CVE-2026-23447 |
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB. Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly. Compile-tested only. |
Affected by 0 other vulnerabilities. |
|
VCID-vzkt-5648-ukh7
Aliases: CVE-2026-31415 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-w53c-hafw-6kbb
Aliases: CVE-2026-23456 |
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint(). |
Affected by 0 other vulnerabilities. |
|
VCID-w93w-cj1t-cqcj
Aliases: CVE-2025-40113 |
kernel: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E |
Affected by 0 other vulnerabilities. |
|
VCID-wanj-gu4w-2qaz
Aliases: CVE-2025-38584 |
kernel: padata: Fix pd UAF once and for all |
Affected by 0 other vulnerabilities. |
|
VCID-wcu7-me4d-bugc
Aliases: CVE-2026-23226 |
kernel: ksmbd: add chann_lock to protect ksmbd_chann_list xarray |
Affected by 0 other vulnerabilities. |
|
VCID-wdmm-5qwk-w7dv
Aliases: CVE-2025-40130 |
kernel: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling |
Affected by 0 other vulnerabilities. |
|
VCID-wk3t-3jvn-quf1
Aliases: CVE-2025-38237 |
kernel: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() |
Affected by 0 other vulnerabilities. |
|
VCID-wp6e-yac6-t7fj
Aliases: CVE-2025-68193 |
kernel: drm/xe/guc: Add devm release action to safely tear down CT |
Affected by 0 other vulnerabilities. |
|
VCID-wpd8-35bc-dka3
Aliases: CVE-2024-58015 |
kernel: wifi: ath12k: Fix for out-of bound access error |
Affected by 0 other vulnerabilities. |
|
VCID-wq4h-q7vt-23ex
Aliases: CVE-2026-31399 |
In the Linux kernel, the following vulnerability has been resolved: nvdimm/bus: Fix potential use after free in asynchronous initialization Dingisoul with KASAN reports a use after free if device_add() fails in nd_async_device_register(). Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") correctly added a reference on the parent device to be held until asynchronous initialization was complete. However, if device_add() results in an allocation failure the ref count of the device drops to 0 prior to the parent pointer being accessed. Thus resulting in use after free. The bug bot AI correctly identified the fix. Save a reference to the parent pointer to be used to drop the parent reference regardless of the outcome of device_add(). |
Affected by 0 other vulnerabilities. |
|
VCID-wwax-w4gg-cuhy
Aliases: CVE-2025-71074 |
kernel: functionfs: fix the open/removal races |
Affected by 0 other vulnerabilities. |
|
VCID-wxx7-3a43-h7gh
Aliases: CVE-2026-31408 |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
|
VCID-wzwn-qk64-h3e9
Aliases: CVE-2026-23441 |
kernel: net/mlx5e: Prevent concurrent access to IPSec ASO context |
Affected by 0 other vulnerabilities. |
|
VCID-x1m4-hf24-27hq
Aliases: CVE-2026-23292 |
kernel: scsi: target: Fix recursive locking in __configfs_open_file() |
Affected by 0 other vulnerabilities. |
|
VCID-x5jd-ruv2-1qac
Aliases: CVE-2026-31428 |
Affected by 0 other vulnerabilities. |
|
|
VCID-xafq-y8ca-hkhe
Aliases: CVE-2025-38636 |
kernel: rv: Use strings in da monitors tracepoints |
Affected by 0 other vulnerabilities. |
|
VCID-xdde-euh1-dqfv
Aliases: CVE-2025-40005 |
kernel: spi: cadence-quadspi: Implement refcount to handle unbind during busy |
Affected by 0 other vulnerabilities. |
|
VCID-xhfy-gkwq-afbr
Aliases: CVE-2026-23281 |
kernel: wifi: libertas: fix use-after-free in lbs_free_adapter() |
Affected by 0 other vulnerabilities. |
|
VCID-xjyz-ptu2-jyc5
Aliases: CVE-2026-23461 |
kernel: Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user |
Affected by 0 other vulnerabilities. |
|
VCID-xqpe-25bd-vygx
Aliases: CVE-2026-23401 |
Affected by 0 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
|
VCID-xs4a-ha3z-2bej
Aliases: CVE-2026-23138 |
kernel: tracing: Add recursion protection in kernel stack trace recording |
Affected by 0 other vulnerabilities. |
|
VCID-xsc7-awsw-33fq
Aliases: CVE-2024-58074 |
kernel: drm/i915: Grab intel_display from the encoder to avoid potential oopsies |
Affected by 0 other vulnerabilities. |
|
VCID-xyz6-bu7n-a7ha
Aliases: CVE-2026-23466 |
kernel: drm/xe: Open-code GGTT MMIO access protection |
Affected by 0 other vulnerabilities. |
|
VCID-y439-52f2-rfck
Aliases: CVE-2026-23300 |
kernel: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop |
Affected by 0 other vulnerabilities. |
|
VCID-y4w2-qru6-p3g4
Aliases: CVE-2026-31392 |
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix krb5 mount with username option Customer reported that some of their krb5 mounts were failing against a single server as the client was trying to mount the shares with wrong credentials. It turned out the client was reusing SMB session from first mount to try mounting the other shares, even though a different username= option had been specified to the other mounts. By using username mount option along with sec=krb5 to search for principals from keytab is supported by cifs.upcall(8) since cifs-utils-4.8. So fix this by matching username mount option in match_session() even with Kerberos. For example, the second mount below should fail with -ENOKEY as there is no 'foobar' principal in keytab (/etc/krb5.keytab). The client ends up reusing SMB session from first mount to perform the second one, which is wrong. ``` $ ktutil ktutil: add_entry -password -p testuser -k 1 -e aes256-cts Password for testuser@ZELDA.TEST: ktutil: write_kt /etc/krb5.keytab ktutil: quit $ klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------------------------------------------------------- 1 testuser@ZELDA.TEST (aes256-cts-hmac-sha1-96) $ mount.cifs //w22-root2/scratch /mnt/1 -o sec=krb5,username=testuser $ mount.cifs //w22-root2/scratch /mnt/2 -o sec=krb5,username=foobar $ mount -t cifs | grep -Po 'username=\K\w+' testuser testuser ``` |
Affected by 0 other vulnerabilities. |
|
VCID-ya2f-awge-mfae
Aliases: CVE-2025-68735 |
kernel: drm/panthor: Prevent potential UAF in group creation |
Affected by 0 other vulnerabilities. |
|
VCID-yaz4-szyc-afg8
Aliases: CVE-2026-23227 |
kernel: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free |
Affected by 0 other vulnerabilities. |
|
VCID-ycev-sqxs-13da
Aliases: CVE-2025-38206 |
kernel: Kernel: Double free vulnerability in exFAT filesystem can lead to denial of service |
Affected by 0 other vulnerabilities. |
|
VCID-yehk-tjrt-rbbe
Aliases: CVE-2025-71161 |
kernel: dm-verity: disable recursive forward error correction |
Affected by 0 other vulnerabilities. |
|
VCID-ygbb-8ebm-pydv
Aliases: CVE-2026-31401 |
kernel: HID: bpf: prevent buffer overflow in hid_hw_request |
Affected by 0 other vulnerabilities. |
|
VCID-yj3z-hvs9-47hj
Aliases: CVE-2026-23452 |
In the Linux kernel, the following vulnerability has been resolved: PM: runtime: Fix a race condition related to device removal The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed: /* Maybe the parent is now able to suspend. */ if (parent && !parent->power.ignore_children) { spin_unlock(&dev->power.lock); spin_lock(&parent->power.lock); rpm_idle(parent, RPM_ASYNC); spin_unlock(&parent->power.lock); spin_lock(&dev->power.lock); } Fix this by inserting a flush_work() call in pm_runtime_remove(). Without this patch blktest block/001 triggers the following complaint sporadically: BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160 |
Affected by 0 other vulnerabilities. |
|
VCID-yjuh-uacz-xfhm
Aliases: CVE-2025-38621 |
kernel: md: make rdev_addable usable for rcu mode |
Affected by 0 other vulnerabilities. |
|
VCID-yp8m-zttt-ffdt
Aliases: CVE-2026-23240 |
kernel: Linux kernel: Denial of service due to a race condition in the TLS subsystem |
Affected by 0 other vulnerabilities. |
|
VCID-yqcj-27j2-tqb8
Aliases: CVE-2026-31419 |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-yr2z-pe4g-8yhu
Aliases: CVE-2026-23372 |
kernel: nfc: rawsock: cancel tx_work before socket teardown |
Affected by 0 other vulnerabilities. |
|
VCID-ytfc-yqtw-4yhb
Aliases: CVE-2026-23393 |
kernel: bridge: cfm: Fix race condition in peer_mep deletion |
Affected by 0 other vulnerabilities. |
|
VCID-yumk-yrcg-7qet
Aliases: CVE-2025-37743 |
kernel: wifi: ath12k: Avoid memory leak while enabling statistics |
Affected by 0 other vulnerabilities. |
|
VCID-z1gu-rwfd-7yfa
Aliases: CVE-2025-40054 |
kernel: f2fs: fix UAF issue in f2fs_merge_page_bio() |
Affected by 0 other vulnerabilities. |
|
VCID-z22s-ebq4-y7a4
Aliases: CVE-2025-68751 |
kernel: s390/fpu: Fix false-positive kmsan report in fpu_vstl() |
Affected by 0 other vulnerabilities. |
|
VCID-z35d-gch3-1uct
Aliases: CVE-2025-21709 |
kernel: kernel: be more careful about dup_mmap() failures and uprobe registering |
Affected by 0 other vulnerabilities. |
|
VCID-zhaf-5de2-tycd
Aliases: CVE-2026-31396 |
In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel. BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 ---truncated--- |
Affected by 0 other vulnerabilities. |
|
VCID-zs1j-hpbv-7qbz
Aliases: CVE-2025-22104 |
kernel: ibmvnic: Use kernel helpers for hex dumps |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||