23876 vulnerabilities found for Linux by Linux

CVE-2026-46300 (GCVE-0-2026-46300)

Vulnerability from cvelistv5 – Published: 2026-05-23 11:44 – Updated: 2026-05-23 13:20
Title
net: skbuff: preserve shared-frag marker during coalescing
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost.

That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3599e6b3cc1ada96883d496a50a210d3afbb6987 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 78bf6b6bb19541d19fbda6242e7cfe2c682763c0 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3bd9e113d50034db99d7ef69fd8e5242d15e414a (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 3884358a9286b17f389a72b1426fc4547c23c111 (git)
Linux Linux Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.10.257 , ≤ 5.10.* (semver)
Unaffected: 5.15.208 , ≤ 5.15.* (semver)
Unaffected: 6.1.174 , ≤ 6.1.* (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-23T12:24:19.703Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/13/5"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/11"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/12"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/13"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3599e6b3cc1ada96883d496a50a210d3afbb6987",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "9d3e5fd19fe1063bf607219e8562fbd567b8e8d5",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "78bf6b6bb19541d19fbda6242e7cfe2c682763c0",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "3bd9e113d50034db99d7ef69fd8e5242d15e414a",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "3884358a9286b17f389a72b1426fc4547c23c111",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/skbuff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.208",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.257",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.208",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.174",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: preserve shared-frag marker during coalescing\n\nskb_try_coalesce() can attach paged frags from @from to @to.  If @from\nhas SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same\nexternally-owned or page-cache-backed frags, but the shared-frag marker\nis currently lost.\n\nThat breaks the invariant relied on by later in-place writers.  In\nparticular, ESP input checks skb_has_shared_frag() before deciding\nwhether an uncloned nonlinear skb can skip skb_cow_data().  If TCP\nreceive coalescing has moved shared frags into an unmarked skb, ESP can\nsee skb_has_shared_frag() as false and decrypt in place over page-cache\nbacked frags.\n\nPropagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged\nfrags.  The tailroom copy path does not need the marker because it copies\nbytes into @to\u0027s linear data rather than transferring frag descriptors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T13:20:27.462Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111"
        }
      ],
      "title": "net: skbuff: preserve shared-frag marker during coalescing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46300",
    "datePublished": "2026-05-23T11:44:02.231Z",
    "dateReserved": "2026-05-13T15:03:33.111Z",
    "dateUpdated": "2026-05-23T13:20:27.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43503 (GCVE-0-2026-43503)

Vulnerability from cvelistv5 – Published: 2026-05-23 11:44 – Updated: 2026-05-23 13:20
Title
net: skbuff: propagate shared-frag marker through frag-transfer helpers
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: propagate shared-frag marker through frag-transfer helpers

Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs,type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false.

The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes.

Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change.

The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker.

The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently.

The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fbeab9555564a1b98e8582cd106dfe46c4606991 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 179f1852bdedc300e373e807cc102cd81feff196 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 12401fcfb01f53ccc63ab0a3246570fe8f3105ee (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 989214c66884d70716d83dc1d0bf5e16287bf349 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < ff375cc75f9167168db38e0464a482d5fbc8d81d (git)
Affected: cef401de7be8c4e155c6746bfccf721a4fa5fab9 , < 9bc9d6d6967a2239aa57af2aa53554eddd640d20 (git)
Linux Linux Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.10.257 , ≤ 5.10.* (semver)
Unaffected: 5.15.208 , ≤ 5.15.* (semver)
Unaffected: 6.1.174 , ≤ 6.1.* (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/gro.c",
            "net/core/skbuff.c",
            "net/ipv4/tcp_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fbeab9555564a1b98e8582cd106dfe46c4606991",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "179f1852bdedc300e373e807cc102cd81feff196",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "12401fcfb01f53ccc63ab0a3246570fe8f3105ee",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "989214c66884d70716d83dc1d0bf5e16287bf349",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "ff375cc75f9167168db38e0464a482d5fbc8d81d",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            },
            {
              "lessThan": "9bc9d6d6967a2239aa57af2aa53554eddd640d20",
              "status": "affected",
              "version": "cef401de7be8c4e155c6746bfccf721a4fa5fab9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/gro.c",
            "net/core/skbuff.c",
            "net/ipv4/tcp_output.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.208",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.257",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.208",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.174",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: propagate shared-frag marker through frag-transfer helpers\n\nTwo frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail\nto propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()-\u003eflags when\nmoving frags from source to destination.  __pskb_copy_fclone() defers\nthe rest of the shinfo metadata to skb_copy_header() after copying\nfrag descriptors, but that helper only carries over gso_{size,segs,\ntype} and never touches skb_shinfo()-\u003eflags; skb_shift() moves frag\ndescriptors directly and leaves flags untouched.  As a result, the\ndestination skb keeps a reference to the same externally-owned or\npage-cache-backed pages while reporting skb_has_shared_frag() as\nfalse.\n\nThe mismatch is harmful in any in-place writer that uses\nskb_has_shared_frag() to decide whether shared pages must be detoured\nthrough skb_cow_data().  ESP input is one such writer (esp4.c,\nesp6.c), and a single nft \u0027dup to \u003clocal\u003e\u0027 rule -- or any other\nnf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()\u0027d\nskb in esp_input() with the marker stripped, letting an unprivileged\nuser write into the page cache of a root-owned read-only file via\nauthencesn-ESN stray writes.\n\nSet SKBFL_SHARED_FRAG on the destination whenever frag descriptors\nwere actually moved from the source.  skb_copy() and skb_copy_expand()\nshare skb_copy_header() too but linearize all paged data into freshly\nallocated head storage and emerge with nr_frags == 0, so\nskb_has_shared_frag() returns false on its own; they need no change.\n\nThe same omission exists in skb_gro_receive() and skb_gro_receive_list().\nThe former moves the incoming skb\u0027s frag descriptors into the\naccumulator\u0027s last sub-skb via two paths (a direct frag-move loop and\nthe head_frag + memcpy path); the latter chains the incoming skb whole\nonto p\u0027s frag_list.  Downstream skb_segment() reads only\nskb_shinfo(p)-\u003eflags, and skb_segment_list() reuses each sub-skb\u0027s\nshinfo as the nskb -- both p and lp must carry the marker.\n\nThe same omission also exists in tcp_clone_payload(), which builds an\nMTU probe skb by moving frag descriptors from skbs on sk_write_queue\ninto a freshly allocated nskb.  The helper falls into the same family\nand warrants the same fix for consistency; no TCP TX-side in-place\nwriter is currently known to reach a user page through this gap, but\na future consumer depending on the marker would regress silently.\n\nThe same omission exists in skb_segment(): the per-iteration flag\nmerge takes only head_skb\u0027s flag, and the inner switch that rebinds\nfrag_skb to list_skb on head_skb-frags exhaustion does not fold the\nnew frag_skb\u0027s flag into nskb.  Fold frag_skb\u0027s flag at both sites\nso segments drawing frags from frag_list members carry the marker."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T13:20:26.042Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991"
        },
        {
          "url": "https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196"
        },
        {
          "url": "https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20"
        }
      ],
      "title": "net: skbuff: propagate shared-frag marker through frag-transfer helpers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43503",
    "datePublished": "2026-05-23T11:44:01.103Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-23T13:20:26.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43502 (GCVE-0-2026-43502)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
net/rds: handle zerocopy send cleanup before the message is queued
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 21d70744e6d3bbf9293aa1ee6fba7c53ad75275e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 3abc8983b2bae3f487f77d9da5527d7d6b210d46 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 14ef6fd18db2494098b21e0471bf27a1d8e9993e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 44b550d88b267320459d518c0743a241ab2108fa (git)
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "21d70744e6d3bbf9293aa1ee6fba7c53ad75275e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "3abc8983b2bae3f487f77d9da5527d7d6b210d46",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "14ef6fd18db2494098b21e0471bf27a1d8e9993e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "44b550d88b267320459d518c0743a241ab2108fa",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: handle zerocopy send cleanup before the message is queued\n\nA zerocopy send can fail after user pages have been pinned but before\nthe message is attached to the sending socket.\n\nThe purge path currently infers zerocopy state from rm-\u003em_rs, so an\nunqueued message can be cleaned up as if it owned normal payload pages.\nHowever, zerocopy ownership is really determined by the presence of\nop_mmp_znotifier, regardless of whether the message has reached the\nsocket queue.\n\nCapture op_mmp_znotifier up front in rds_message_purge() and use it as\nthe cleanup discriminator. If the message is already associated with a\nsocket, keep the existing completion path. Otherwise, drop the pinned\npage accounting directly and release the notifier before putting the\npayload pages.\n\nThis keeps early send failure cleanup consistent with the zerocopy\nlifetime rules without changing the normal queued completion path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:50.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b"
        },
        {
          "url": "https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa"
        }
      ],
      "title": "net/rds: handle zerocopy send cleanup before the message is queued",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43502",
    "datePublished": "2026-05-21T12:17:50.444Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:50.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43501 (GCVE-0-2026-43501)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 8e8be63465a5e80394c70324603dfea1bfdad48f (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 4babc2d9fda2df43823b85d08a0180b68f1b0854 (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < c261d07a80576dc8ccf394ef8f074f8c67a06b37 (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 7398ebefbfd4f8a31d4f665a4213302fa995494b (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 9e6bf146b55999a095bb14f73a843942456d1adc (git)
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/exthdrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8e8be63465a5e80394c70324603dfea1bfdad48f",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "4babc2d9fda2df43823b85d08a0180b68f1b0854",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "c261d07a80576dc8ccf394ef8f074f8c67a06b37",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "7398ebefbfd4f8a31d4f665a4213302fa995494b",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "9e6bf146b55999a095bb14f73a843942456d1adc",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/exthdrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr-\u003edaddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back.  The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE\u003e0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom.  Once skb_push() leaves\nfewer than skb-\u003emac_len bytes in front of data,\nskb_mac_header_rebuild()\u0027s call to:\n\n\tskb_set_mac_header(skb, -skb-\u003emac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb-\u003ehead.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:49.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854"
        },
        {
          "url": "https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37"
        },
        {
          "url": "https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc"
        }
      ],
      "title": "ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43501",
    "datePublished": "2026-05-21T12:17:49.885Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:49.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43499 (GCVE-0-2026-43499)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
rtmutex: Use waiter::task instead of current in remove_waiter()
Summary
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 8a1fc8d698ac5e5916e3082a0f74450d71f9611f (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 6d52dfcb2a5db86e346cf51f8fcf2071b8085166 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3fb7394a837740770f0d6b4b30567e60786a63f2 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 88614876370aac8ad1050ad785a4c095ba17ac11 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 (git)
Linux Linux Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/locking/rtmutex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a1fc8d698ac5e5916e3082a0f74450d71f9611f",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "6d52dfcb2a5db86e346cf51f8fcf2071b8085166",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "3fb7394a837740770f0d6b4b30567e60786a63f2",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "88614876370aac8ad1050ad785a4c095ba17ac11",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "3bfdc63936dd4773109b7b8c280c0f3b5ae7d349",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/locking/rtmutex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Use waiter::task instead of current in remove_waiter()\n\nremove_waiter() is used by the slowlock paths, but it is also used for\nproxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from\nfutex_requeue().\n\nIn the latter case waiter::task is not current, but remove_waiter()\noperates on current for the dequeue operation. That results in several\nproblems:\n\n  1) the rbtree dequeue happens without waiter::task::pi_lock being held\n\n  2) the waiter task\u0027s pi_blocked_on state is not cleared, which leaves a\n     dangling pointer primed for UAF around.\n\n  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter\n     task\n\nUse waiter::task instead of current in all related operations in\nremove_waiter() to cure those problems.\n\n[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the\n  \tchangelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:49.281Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349"
        }
      ],
      "title": "rtmutex: Use waiter::task instead of current in remove_waiter()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43499",
    "datePublished": "2026-05-21T12:17:49.281Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:49.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43498 (GCVE-0-2026-43498)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
accel/ivpu: Disallow re-exporting imported GEM objects
Summary
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Disallow re-exporting imported GEM objects Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so. Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 57557964b582238d5ee4b8538d1c4694f91c2186 , < 3756043dd695bba34cc728cdc5688dcb49ac8043 (git)
Affected: 57557964b582238d5ee4b8538d1c4694f91c2186 , < 7dd57d7a6350770dfc283287125c409e995200e0 (git)
Linux Linux Affected: 6.19
Unaffected: 0 , < 6.19 (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3756043dd695bba34cc728cdc5688dcb49ac8043",
              "status": "affected",
              "version": "57557964b582238d5ee4b8538d1c4694f91c2186",
              "versionType": "git"
            },
            {
              "lessThan": "7dd57d7a6350770dfc283287125c409e995200e0",
              "status": "affected",
              "version": "57557964b582238d5ee4b8538d1c4694f91c2186",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Disallow re-exporting imported GEM objects\n\nPrevent re-exporting of imported GEM buffers by adding a custom\nprime_handle_to_fd callback that checks if the object is imported\nand returns -EOPNOTSUPP if so.\n\nRe-exporting imported GEM buffers causes loss of buffer flags settings,\nleading to incorrect device access and data corruption."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:48.550Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3756043dd695bba34cc728cdc5688dcb49ac8043"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dd57d7a6350770dfc283287125c409e995200e0"
        }
      ],
      "title": "accel/ivpu: Disallow re-exporting imported GEM objects",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43498",
    "datePublished": "2026-05-21T12:17:48.550Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:48.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43497 (GCVE-0-2026-43497)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:12 – Updated: 2026-05-22 07:32
Title
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 4f312c30f0368e8d2a76aa650dff73f23490b5e7 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 18dd358de72d57993422cbb5dfb29ccd74efe192 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < da9b065cedfd3b574f229d5be594e6aa47a27ae6 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < a2c53a3822ee26e8d758071815b9ed3bf6669fc1 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 8de779dc40d35d39fa07387b6f921eb11df0f511 (git)
Linux Linux Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/udlfb.c",
            "include/video/udlfb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4f312c30f0368e8d2a76aa650dff73f23490b5e7",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "18dd358de72d57993422cbb5dfb29ccd74efe192",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "da9b065cedfd3b574f229d5be594e6aa47a27ae6",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "a2c53a3822ee26e8d758071815b9ed3bf6669fc1",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "8de779dc40d35d39fa07387b6f921eb11df0f511",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/udlfb.c",
            "include/video/udlfb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free\n\ndlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages\nto userspace but sets no vm_ops on the VMA. This means the kernel cannot\ntrack active mmaps. When dlfb_realloc_framebuffer() replaces the backing\nbuffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.\nOn USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages\nwhile userspace PTEs still reference them, resulting in a use-after-free:\nthe process retains read/write access to freed kernel pages.\n\nAdd vm_operations_struct with open/close callbacks that maintain an\natomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),\ncheck mmap_count and return -EBUSY if the buffer is currently mapped,\npreventing buffer replacement while userspace holds stale PTEs.\n\nTested with PoC using dummy_hcd + raw_gadget USB device emulation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T07:32:48.345Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192"
        },
        {
          "url": "https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511"
        }
      ],
      "title": "fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43497",
    "datePublished": "2026-05-21T12:12:47.150Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-22T07:32:48.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43496 (GCVE-0-2026-43496)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:12 – Updated: 2026-05-21 12:12
Title
net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following:
 1a. do a peek() - and when sensing there's an skb the child can offer, then
     - the child in this case(red) calls its child's (qfq) peek.
        qfq does the right thing and will return the gso_skb queue packet.
        Note: if there wasnt a gso_skb entry then qfq will store it there.
 1b. invoke a dequeue() on the child (red). And herein lies the problem.
     - red will call the child's dequeue() which will essentially just
       try to grab something of qfq's queue.

[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)
[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]
[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d
[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216
[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048
[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078
[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000
[   78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200
[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000
[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0
[   78.671585][  T363] PKRU: 55555554
[   78.671713][  T363] Call Trace:
[   78.671843][  T363]  <TASK>
[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]
[   78.672148][  T363]  ? __pfx__printk+0x10/0x10
[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0
[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0
[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]
[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5
[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]
[   78.673566][  T363]  __qdisc_run+0x169/0x1900

The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 36aa34f42cb6842cf371f3a2d3e855d24fd57a50 (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < ce051eede433f876d322ac3550a36a3c6fc4c231 (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 8d09618840b99ef00154d3e731ce9b11e096196d (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 587dcf970a525f543d8b5855d9f37a4ca97b76ef (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 458d5615272d3de535748342eb68ca492343048c (git)
Linux Linux Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "36aa34f42cb6842cf371f3a2d3e855d24fd57a50",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "ce051eede433f876d322ac3550a36a3c6fc4c231",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "8d09618840b99ef00154d3e731ce9b11e096196d",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "587dcf970a525f543d8b5855d9f37a4ca97b76ef",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "458d5615272d3de535748342eb68ca492343048c",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked\n\nWhen red qdisc has children (eg qfq qdisc) whose peek() callback is\nqdisc_peek_dequeued(), we could get a kernel panic. When the parent of such\nqdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from\nits child (red in this case), it will do the following:\n 1a. do a peek() - and when sensing there\u0027s an skb the child can offer, then\n     - the child in this case(red) calls its child\u0027s (qfq) peek.\n        qfq does the right thing and will return the gso_skb queue packet.\n        Note: if there wasnt a gso_skb entry then qfq will store it there.\n 1b. invoke a dequeue() on the child (red). And herein lies the problem.\n     - red will call the child\u0027s dequeue() which will essentially just\n       try to grab something of qfq\u0027s queue.\n\n[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)\n[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]\n[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 \u003c80\u003e 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d\n[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216\n[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048\n[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078\n[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000\n[   
78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200\n[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000\n[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0\n[   78.671585][  T363] PKRU: 55555554\n[   78.671713][  T363] Call Trace:\n[   78.671843][  T363]  \u003cTASK\u003e\n[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]\n[   78.672148][  T363]  ? __pfx__printk+0x10/0x10\n[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0\n[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0\n[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]\n[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]\n[   78.673566][  T363]  __qdisc_run+0x169/0x1900\n\nThe right thing to do in #1b is to grab the skb off gso_skb queue.\nThis patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()\nmethod instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:12:46.584Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d"
        },
        {
          "url": "https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c"
        }
      ],
      "title": "net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43496",
    "datePublished": "2026-05-21T12:12:46.584Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-21T12:12:46.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43495 (GCVE-0-2026-43495)

Vulnerability from cvelistv5 – Published: 2026-05-21 12:12 – Updated: 2026-05-21 12:12
Title
net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < f94450ce5053b36002995b72d1fa1db3bb08c5bf (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 9855e063e063158cc5bded576382599dc3133202 (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 2b56d7903ab804481f5233a259d5f341e9fd513c (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < dd4f4c93c1488d7100b9964f2da4c8b3c29652f1 (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 (git)
Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wwan/t7xx/t7xx_modem_ops.c",
            "drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c",
            "drivers/net/wwan/t7xx/t7xx_port_proxy.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f94450ce5053b36002995b72d1fa1db3bb08c5bf",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "9855e063e063158cc5bded576382599dc3133202",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "2b56d7903ab804481f5233a259d5f341e9fd513c",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "dd4f4c93c1488d7100b9964f2da4c8b3c29652f1",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "0e7c074cfcd9bd93765505f9eb8b42f03ed2a744",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wwan/t7xx/t7xx_modem_ops.c",
            "drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c",
            "drivers/net/wwan/t7xx/t7xx_port_proxy.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\n\nt7xx_port_enum_msg_handler() uses the modem-supplied port_count field as\na loop bound over port_msg-\u003edata[] without checking that the message buffer\ncontains sufficient data. A modem sending port_count=65535 in a 12-byte\nbuffer triggers a slab-out-of-bounds read of up to 262140 bytes.\n\nAdd a sizeof(*port_msg) check before accessing the port message header\nfields to guard against undersized messages.\n\nAdd a struct_size() check after extracting port_count and before the loop.\n\nIn t7xx_parse_host_rt_data(), guard the rt_feature header read with a\nremaining-buffer check before accessing data_len, validate feat_data_len\nagainst the actual remaining buffer to prevent OOB reads and signed\ninteger overflow on offset.\n\nPass msg_len from both call sites: skb-\u003elen at the DPMAIF path after\nskb_pull(), and the validated feat_data_len at the handshake path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:12:45.988Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744"
        }
      ],
      "title": "net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43495",
    "datePublished": "2026-05-21T12:12:45.988Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-21T12:12:45.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43494 (GCVE-0-2026-43494)

Vulnerability from cvelistv5 – Published: 2026-05-21 10:49 – Updated: 2026-05-23 11:25
Title
net/rds: reset op_nents when zerocopy page pin fails
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/rds: reset op_nents when zerocopy page pin fails

When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again.

Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 9115669faedccdda100428e2d26fd0aac8c50799 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0bbbff00a15b1df2cac9014d6cf4b6890f473353 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 640e37f58f991546a87540d067279c2c1fa9fe51 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 290e833d1acb1093bc121fcdc97f5e6161157479 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < e174929793195e0cd6a4adb0cad731b39f9019b4 (git)
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-21T15:04:20.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9115669faedccdda100428e2d26fd0aac8c50799",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "0bbbff00a15b1df2cac9014d6cf4b6890f473353",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "640e37f58f991546a87540d067279c2c1fa9fe51",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "290e833d1acb1093bc121fcdc97f5e6161157479",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "e174929793195e0cd6a4adb0cad731b39f9019b4",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm-\u003edata.op_mmp_znotifier is cleared.  But we fail to properly\nclear rm-\u003edata.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T11:25:59.216Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353"
        },
        {
          "url": "https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51"
        },
        {
          "url": "https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479"
        },
        {
          "url": "https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4"
        }
      ],
      "title": "net/rds: reset op_nents when zerocopy page pin fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43494",
    "datePublished": "2026-05-21T10:49:21.310Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-23T11:25:59.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43493 (GCVE-0-2026-43493)

Vulnerability from cvelistv5 – Published: 2026-05-19 10:44 – Updated: 2026-05-20 16:08
Title
crypto: pcrypt - Fix handling of MAY_BACKLOG requests
Summary
In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 9f1cbca178c03188e201ed175251372149bb25f2 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < eb34e243df57e32f4c08fa191f3602ea19076276 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 77d55bc8675ee851ed639dc9be77325a8024cf67 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 915b692e6cb723aac658c25eb82c58fd81235110 (git)
Linux Linux Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/pcrypt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f1cbca178c03188e201ed175251372149bb25f2",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "eb34e243df57e32f4c08fa191f3602ea19076276",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "77d55bc8675ee851ed639dc9be77325a8024cf67",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "915b692e6cb723aac658c25eb82c58fd81235110",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/pcrypt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix handling of MAY_BACKLOG requests\n\nMAY_BACKLOG requests can return EBUSY.  Handle them by checking\nfor that value and filtering out EINPROGRESS notifications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T16:08:11.197Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f1cbca178c03188e201ed175251372149bb25f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb34e243df57e32f4c08fa191f3602ea19076276"
        },
        {
          "url": "https://git.kernel.org/stable/c/77d55bc8675ee851ed639dc9be77325a8024cf67"
        },
        {
          "url": "https://git.kernel.org/stable/c/46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a"
        },
        {
          "url": "https://git.kernel.org/stable/c/915b692e6cb723aac658c25eb82c58fd81235110"
        }
      ],
      "title": "crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43493",
    "datePublished": "2026-05-19T10:44:25.402Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-20T16:08:11.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43492 (GCVE-0-2026-43492)

Vulnerability from cvelistv5 – Published: 2026-05-19 10:44 – Updated: 2026-05-19 10:44
Title
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Summary
In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 2aa77a18dc7f2670497fe3ee5acbeda0b57659e5 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 26d3a97ad46c7a9226ec04d4bf35bd4998a97d16 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 8637dfb4c1d8a7026ef681f2477c6de8b71c4003 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 30e513e755bb381afce6fb57cdc8694136193f22 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 (git)
Linux Linux Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "lib/crypto/mpi/mpicoder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2aa77a18dc7f2670497fe3ee5acbeda0b57659e5",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "26d3a97ad46c7a9226ec04d4bf35bd4998a97d16",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "8637dfb4c1d8a7026ef681f2477c6de8b71c4003",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "30e513e755bb381afce6fb57cdc8694136193f22",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "8c2f1288250a90a4b5cabed5d888d7e3aeed4035",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "lib/crypto/mpi/mpicoder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()\n\nYiming reports an integer underflow in mpi_read_raw_from_sgl() when\nsubtracting \"lzeros\" from the unsigned \"nbytes\".\n\nFor this to happen, the scatterlist \"sgl\" needs to occupy more bytes\nthan the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the\nscatterlist must be zero.  Under these conditions, the while loop\niterating over the scatterlist will count more zeroes than \"nbytes\",\nsubtract the number of zeroes from \"nbytes\" and cause the underflow.\n\nWhen commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally\nintroduced the bug, it couldn\u0027t be triggered because all callers of\nmpi_read_raw_from_sgl() passed a scatterlist whose length was equal to\n\"nbytes\".\n\nHowever since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto\ninterface without scatterlists\"), the underflow can now actually be\ntriggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a\nlarger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes,\ncrypto_akcipher_sync_prep() will create an all-zero scatterlist used for\nboth the \"src\" and \"dst\" member of struct akcipher_request and thereby\nfulfil the conditions to trigger the bug:\n\n  sys_keyctl()\n    keyctl_pkey_e_d_s()\n      asymmetric_key_eds_op()\n        software_key_eds_op()\n          crypto_akcipher_sync_encrypt()\n            crypto_akcipher_sync_prep()\n              crypto_akcipher_encrypt()\n                rsa_enc()\n                  mpi_read_raw_from_sgl()\n\nTo the user this will be visible as a DoS as the kernel spins forever,\ncausing soft lockup splats as a side effect.\n\nFix it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T10:44:24.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16"
        },
        {
          "url": "https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003"
        },
        {
          "url": "https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035"
        }
      ],
      "title": "lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43492",
    "datePublished": "2026-05-19T10:44:24.719Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-19T10:44:24.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43491 (GCVE-0-2026-43491)

Vulnerability from cvelistv5 – Published: 2026-05-19 10:44 – Updated: 2026-05-19 10:44
Title
net: qrtr: ns: Limit the maximum server registration per node
Summary
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker(). Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Severity
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < e6f6cd501fb54060940a6eb3f4103eeb5e426ae7 (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 3efaad55cad1ded429e3a873bfece389058a526b (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 35fb4a0c077c5d1049c2628b769e0a1b1e65df0d (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 868202aa2adae427060a42d5bd663b4d782ec02c (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < d5ee2ff98322337951c56398e79d51815acbf955 (git)
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e6f6cd501fb54060940a6eb3f4103eeb5e426ae7",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "3efaad55cad1ded429e3a873bfece389058a526b",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "35fb4a0c077c5d1049c2628b769e0a1b1e65df0d",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "868202aa2adae427060a42d5bd663b4d782ec02c",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "d5ee2ff98322337951c56398e79d51815acbf955",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the maximum server registration per node\n\nCurrent code does no bound checking on the number of servers added per\nnode. A malicious client can flood NEW_SERVER messages and exhaust memory.\n\nFix this issue by limiting the maximum number of server registrations to\n256 per node. If the NEW_SERVER message is received for an old port, then\ndon\u0027t restrict it as it will get replaced. While at it, also rate limit\nthe error messages in the failure path of qrtr_ns_worker().\n\nNote that the limit of 256 is chosen based on the current platform\nrequirements. If requirement changes in the future, this limit can be\nincreased."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T10:44:23.832Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3efaad55cad1ded429e3a873bfece389058a526b"
        },
        {
          "url": "https://git.kernel.org/stable/c/35fb4a0c077c5d1049c2628b769e0a1b1e65df0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/868202aa2adae427060a42d5bd663b4d782ec02c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5ee2ff98322337951c56398e79d51815acbf955"
        }
      ],
      "title": "net: qrtr: ns: Limit the maximum server registration per node",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43491",
    "datePublished": "2026-05-19T10:44:23.832Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-19T10:44:23.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46333 (GCVE-0-2026-46333)

Vulnerability from cvelistv5 – Published: 2026-05-15 12:58 – Updated: 2026-05-23 16:07
Title
ptrace: slightly saner 'get_dumpable()' logic
Summary
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 15b828a46f305ae9f05a7c16914b3ce273474205 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 4709234fd1b95136ceb789f639b1e7ea5de1b181 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a (git)
Affected: d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 (git)
Affected: 03eed7afbc09e061f66b448daf7863174c3dc3f3 (git)
Affected: e45692fa1aea06676449b63ef3c2b6e1e72b7578 (git)
Affected: 694a95fa6dae4991f16cda333d897ea063021fed (git)
Affected: 3.16.52 , < 3.17 (semver)
Affected: 4.4.40 , < 4.5 (semver)
Affected: 4.8.16 , < 4.9 (semver)
Affected: 4.9.1 , < 4.10 (semver)
Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 5.10.256 , ≤ 5.10.* (semver)
Unaffected: 5.15.207 , ≤ 5.15.* (semver)
Unaffected: 6.1.173 , ≤ 6.1.* (semver)
Unaffected: 6.6.139 , ≤ 6.6.* (semver)
Unaffected: 6.12.89 , ≤ 6.12.* (semver)
Unaffected: 6.18.31 , ≤ 6.18.* (semver)
Unaffected: 7.0.8 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-20T18:47:13.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/15/9"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/20/14"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/20/16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46333",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-269",
                "description": "CWE-269 Improper Privilege Management",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T03:55:24.391Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/exit.c",
            "kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "15b828a46f305ae9f05a7c16914b3ce273474205",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "4709234fd1b95136ceb789f639b1e7ea5de1b181",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "8f907d345bae8f4b3f004c5abc56bf2dfb851ea7",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "2a93a4fac7b6051d3be7cd1b015fe7320cd0404d",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "01363cb3fbd0238ffdeb09f53e9039c9edf8a730",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "03eed7afbc09e061f66b448daf7863174c3dc3f3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e45692fa1aea06676449b63ef3c2b6e1e72b7578",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "694a95fa6dae4991f16cda333d897ea063021fed",
              "versionType": "git"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.52",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.40",
              "versionType": "semver"
            },
            {
              "lessThan": "4.9",
              "status": "affected",
              "version": "4.8.16",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/exit.c",
            "kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.256",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.207",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.256",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.207",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.173",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.139",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.89",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.31",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.8",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.52",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.8.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:07:12.401Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205"
        },
        {
          "url": "https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d"
        },
        {
          "url": "https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a"
        }
      ],
      "title": "ptrace: slightly saner \u0027get_dumpable()\u0027 logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46333",
    "datePublished": "2026-05-15T12:58:44.599Z",
    "dateReserved": "2026-05-13T15:03:33.113Z",
    "dateUpdated": "2026-05-23T16:07:12.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43490 (GCVE-0-2026-43490)

Vulnerability from cvelistv5 – Published: 2026-05-15 05:15 – Updated: 2026-05-23 11:25
Title
ksmbd: validate inherited ACE SID length
Summary
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < a7fb771314fb3a265d30f8ac245869a367ab065c (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 47c6e37a77b10e74f70d845ba4ea5d3cafa00336 (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 1aa60fea7f637c071f529ad6784aecca2f2f0c5f (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c1d95c995d5bcb24b639200a899eda59cb1e6d64 (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 996454bc0da84d5a1dedb1a7861823087e01a7ae (git)
Linux Linux Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a7fb771314fb3a265d30f8ac245869a367ab065c",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "47c6e37a77b10e74f70d845ba4ea5d3cafa00336",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "1aa60fea7f637c071f529ad6784aecca2f2f0c5f",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "c1d95c995d5bcb24b639200a899eda59cb1e6d64",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "996454bc0da84d5a1dedb1a7861823087e01a7ae",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate inherited ACE SID length\n\nsmb_inherit_dacl() walks the parent directory DACL loaded from the\nsecurity descriptor xattr. It verifies that each ACE contains the fixed\nSID header before using it, but does not verify that the variable-length\nSID described by sid.num_subauth is fully contained in the ACE.\n\nA malformed inheritable ACE can advertise more subauthorities than are\npresent in the ACE. compare_sids() may then read past the ACE.\nsmb_set_ace() also clamps the copied destination SID, but used the\nunchecked source SID count to compute the inherited ACE size. That could\nadvance the temporary inherited ACE buffer pointer and nt_size accounting\npast the allocated buffer.\n\nFix this by validating the parent ACE SID count and SID length before\nusing the SID during inheritance. Compute the inherited ACE size from the\ncopied SID so the size matches the bounded destination SID. Reject the\ninherited DACL if size accumulation would overflow smb_acl.size or the\nsecurity descriptor allocation size."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T11:25:58.184Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a7fb771314fb3a265d30f8ac245869a367ab065c"
        },
        {
          "url": "https://git.kernel.org/stable/c/47c6e37a77b10e74f70d845ba4ea5d3cafa00336"
        },
        {
          "url": "https://git.kernel.org/stable/c/1aa60fea7f637c071f529ad6784aecca2f2f0c5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1d95c995d5bcb24b639200a899eda59cb1e6d64"
        },
        {
          "url": "https://git.kernel.org/stable/c/996454bc0da84d5a1dedb1a7861823087e01a7ae"
        }
      ],
      "title": "ksmbd: validate inherited ACE SID length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43490",
    "datePublished": "2026-05-15T05:15:37.666Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-23T11:25:58.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43502 (GCVE-0-2026-43502)

Vulnerability from nvd – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
net/rds: handle zerocopy send cleanup before the message is queued
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/rds: handle zerocopy send cleanup before the message is queued

A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket.

The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue.

Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages.

This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 21d70744e6d3bbf9293aa1ee6fba7c53ad75275e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 3abc8983b2bae3f487f77d9da5527d7d6b210d46 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 14ef6fd18db2494098b21e0471bf27a1d8e9993e (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 44b550d88b267320459d518c0743a241ab2108fa (git)
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "21d70744e6d3bbf9293aa1ee6fba7c53ad75275e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "3abc8983b2bae3f487f77d9da5527d7d6b210d46",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "14ef6fd18db2494098b21e0471bf27a1d8e9993e",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "44b550d88b267320459d518c0743a241ab2108fa",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: handle zerocopy send cleanup before the message is queued\n\nA zerocopy send can fail after user pages have been pinned but before\nthe message is attached to the sending socket.\n\nThe purge path currently infers zerocopy state from rm-\u003em_rs, so an\nunqueued message can be cleaned up as if it owned normal payload pages.\nHowever, zerocopy ownership is really determined by the presence of\nop_mmp_znotifier, regardless of whether the message has reached the\nsocket queue.\n\nCapture op_mmp_znotifier up front in rds_message_purge() and use it as\nthe cleanup discriminator. If the message is already associated with a\nsocket, keep the existing completion path. Otherwise, drop the pinned\npage accounting directly and release the notifier before putting the\npayload pages.\n\nThis keeps early send failure cleanup consistent with the zerocopy\nlifetime rules without changing the normal queued completion path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:50.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46"
        },
        {
          "url": "https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b"
        },
        {
          "url": "https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa"
        }
      ],
      "title": "net/rds: handle zerocopy send cleanup before the message is queued",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43502",
    "datePublished": "2026-05-21T12:17:50.444Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:50.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43501 (GCVE-0-2026-43501)

Vulnerability from nvd – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
Summary
In the Linux kernel, the following vulnerability has been resolved:

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes).

pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to:

    skb_set_mac_header(skb, -skb->mac_len);

will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head.

A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.

Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 8e8be63465a5e80394c70324603dfea1bfdad48f (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 4babc2d9fda2df43823b85d08a0180b68f1b0854 (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < c261d07a80576dc8ccf394ef8f074f8c67a06b37 (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 7398ebefbfd4f8a31d4f665a4213302fa995494b (git)
Affected: 8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3 , < 9e6bf146b55999a095bb14f73a843942456d1adc (git)
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/exthdrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8e8be63465a5e80394c70324603dfea1bfdad48f",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "4babc2d9fda2df43823b85d08a0180b68f1b0854",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "c261d07a80576dc8ccf394ef8f074f8c67a06b37",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "7398ebefbfd4f8a31d4f665a4213302fa995494b",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            },
            {
              "lessThan": "9e6bf146b55999a095bb14f73a843942456d1adc",
              "status": "affected",
              "version": "8610c7c6e3bd647ff98d21c8bc0580e77bc2f8b3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/exthdrs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: rpl: reserve mac_len headroom when recompressed SRH grows\n\nipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps\nthe next segment into ipv6_hdr-\u003edaddr, recompresses, then pulls the old\nheader and pushes the new one plus the IPv6 header back.  The\nrecompressed header can be larger than the received one when the swap\nreduces the common-prefix length the segments share with daddr (CmprI=0,\nCmprE\u003e0, seg[0][0] != daddr[0] gives the maximum +8 bytes).\n\npskb_expand_head() was gated on segments_left == 0, so on earlier\nsegments the push consumed unchecked headroom.  Once skb_push() leaves\nfewer than skb-\u003emac_len bytes in front of data,\nskb_mac_header_rebuild()\u0027s call to:\n\n\tskb_set_mac_header(skb, -skb-\u003emac_len);\n\nwill store (data - head) - mac_len into the u16 mac_header field, which\nwraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB\npast skb-\u003ehead.\n\nA single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two\nsegment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one\npass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv.\n\nFix this by expanding the head whenever the remaining room is less than\nthe push size plus mac_len, and request that much extra so the rebuilt\nMAC header fits afterwards."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:49.885Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854"
        },
        {
          "url": "https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37"
        },
        {
          "url": "https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc"
        }
      ],
      "title": "ipv6: rpl: reserve mac_len headroom when recompressed SRH grows",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43501",
    "datePublished": "2026-05-21T12:17:49.885Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:49.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43499 (GCVE-0-2026-43499)

Vulnerability from nvd – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
rtmutex: Use waiter::task instead of current in remove_waiter()
Summary
In the Linux kernel, the following vulnerability has been resolved:

rtmutex: Use waiter::task instead of current in remove_waiter()

remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue().

In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:

  1) the rbtree dequeue happens without waiter::task::pi_lock being held

  2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around.

  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task

Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 8a1fc8d698ac5e5916e3082a0f74450d71f9611f (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 6d52dfcb2a5db86e346cf51f8fcf2071b8085166 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3fb7394a837740770f0d6b4b30567e60786a63f2 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 88614876370aac8ad1050ad785a4c095ba17ac11 (git)
Affected: 8161239a8bcce9ad6b537c04a1fa3b5c68bae693 , < 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 (git)
Linux Linux Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/locking/rtmutex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a1fc8d698ac5e5916e3082a0f74450d71f9611f",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "6d52dfcb2a5db86e346cf51f8fcf2071b8085166",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "3fb7394a837740770f0d6b4b30567e60786a63f2",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "88614876370aac8ad1050ad785a4c095ba17ac11",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            },
            {
              "lessThan": "3bfdc63936dd4773109b7b8c280c0f3b5ae7d349",
              "status": "affected",
              "version": "8161239a8bcce9ad6b537c04a1fa3b5c68bae693",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/locking/rtmutex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtmutex: Use waiter::task instead of current in remove_waiter()\n\nremove_waiter() is used by the slowlock paths, but it is also used for\nproxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from\nfutex_requeue().\n\nIn the latter case waiter::task is not current, but remove_waiter()\noperates on current for the dequeue operation. That results in several\nproblems:\n\n  1) the rbtree dequeue happens without waiter::task::pi_lock being held\n\n  2) the waiter task\u0027s pi_blocked_on state is not cleared, which leaves a\n     dangling pointer primed for UAF around.\n\n  3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter\n     task\n\nUse waiter::task instead of current in all related operations in\nremove_waiter() to cure those problems.\n\n[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the\n  \tchangelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:49.281Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349"
        }
      ],
      "title": "rtmutex: Use waiter::task instead of current in remove_waiter()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43499",
    "datePublished": "2026-05-21T12:17:49.281Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:49.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43498 (GCVE-0-2026-43498)

Vulnerability from nvd – Published: 2026-05-21 12:17 – Updated: 2026-05-21 12:17
Title
accel/ivpu: Disallow re-exporting imported GEM objects
Summary
In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Disallow re-exporting imported GEM objects

Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so.

Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 57557964b582238d5ee4b8538d1c4694f91c2186 , < 3756043dd695bba34cc728cdc5688dcb49ac8043 (git)
Affected: 57557964b582238d5ee4b8538d1c4694f91c2186 , < 7dd57d7a6350770dfc283287125c409e995200e0 (git)
Linux Linux Affected: 6.19
Unaffected: 0 , < 6.19 (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3756043dd695bba34cc728cdc5688dcb49ac8043",
              "status": "affected",
              "version": "57557964b582238d5ee4b8538d1c4694f91c2186",
              "versionType": "git"
            },
            {
              "lessThan": "7dd57d7a6350770dfc283287125c409e995200e0",
              "status": "affected",
              "version": "57557964b582238d5ee4b8538d1c4694f91c2186",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Disallow re-exporting imported GEM objects\n\nPrevent re-exporting of imported GEM buffers by adding a custom\nprime_handle_to_fd callback that checks if the object is imported\nand returns -EOPNOTSUPP if so.\n\nRe-exporting imported GEM buffers causes loss of buffer flags settings,\nleading to incorrect device access and data corruption."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:17:48.550Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3756043dd695bba34cc728cdc5688dcb49ac8043"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dd57d7a6350770dfc283287125c409e995200e0"
        }
      ],
      "title": "accel/ivpu: Disallow re-exporting imported GEM objects",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43498",
    "datePublished": "2026-05-21T12:17:48.550Z",
    "dateReserved": "2026-05-01T14:12:56.014Z",
    "dateUpdated": "2026-05-21T12:17:48.550Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43497 (GCVE-0-2026-43497)

Vulnerability from nvd – Published: 2026-05-21 12:12 – Updated: 2026-05-22 07:32
Title
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 4f312c30f0368e8d2a76aa650dff73f23490b5e7 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 18dd358de72d57993422cbb5dfb29ccd74efe192 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < da9b065cedfd3b574f229d5be594e6aa47a27ae6 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < a2c53a3822ee26e8d758071815b9ed3bf6669fc1 (git)
Affected: 7433914efd584b22bb49d3e1eee001f5d0525ecd , < 8de779dc40d35d39fa07387b6f921eb11df0f511 (git)
Linux Linux Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/udlfb.c",
            "include/video/udlfb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4f312c30f0368e8d2a76aa650dff73f23490b5e7",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "18dd358de72d57993422cbb5dfb29ccd74efe192",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "da9b065cedfd3b574f229d5be594e6aa47a27ae6",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "a2c53a3822ee26e8d758071815b9ed3bf6669fc1",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            },
            {
              "lessThan": "8de779dc40d35d39fa07387b6f921eb11df0f511",
              "status": "affected",
              "version": "7433914efd584b22bb49d3e1eee001f5d0525ecd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/udlfb.c",
            "include/video/udlfb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free\n\ndlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages\nto userspace but sets no vm_ops on the VMA. This means the kernel cannot\ntrack active mmaps. When dlfb_realloc_framebuffer() replaces the backing\nbuffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated.\nOn USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages\nwhile userspace PTEs still reference them, resulting in a use-after-free:\nthe process retains read/write access to freed kernel pages.\n\nAdd vm_operations_struct with open/close callbacks that maintain an\natomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(),\ncheck mmap_count and return -EBUSY if the buffer is currently mapped,\npreventing buffer replacement while userspace holds stale PTEs.\n\nTested with PoC using dummy_hcd + raw_gadget USB device emulation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T07:32:48.345Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192"
        },
        {
          "url": "https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511"
        }
      ],
      "title": "fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43497",
    "datePublished": "2026-05-21T12:12:47.150Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-22T07:32:48.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43496 (GCVE-0-2026-43496)

Vulnerability from nvd – Published: 2026-05-21 12:12 – Updated: 2026-05-21 12:12
Title
net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then - the child in this case(red) calls its child's (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasnt a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. - red will call the child's dequeue() which will essentially just try to grab something of qfq's queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) 
GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 36aa34f42cb6842cf371f3a2d3e855d24fd57a50 (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < ce051eede433f876d322ac3550a36a3c6fc4c231 (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 8d09618840b99ef00154d3e731ce9b11e096196d (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 587dcf970a525f543d8b5855d9f37a4ca97b76ef (git)
Affected: 77be155cba4e163e8bba9fd27222a8b6189ec4f7 , < 458d5615272d3de535748342eb68ca492343048c (git)
Linux Linux Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "36aa34f42cb6842cf371f3a2d3e855d24fd57a50",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "ce051eede433f876d322ac3550a36a3c6fc4c231",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "8d09618840b99ef00154d3e731ce9b11e096196d",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "587dcf970a525f543d8b5855d9f37a4ca97b76ef",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            },
            {
              "lessThan": "458d5615272d3de535748342eb68ca492343048c",
              "status": "affected",
              "version": "77be155cba4e163e8bba9fd27222a8b6189ec4f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_red.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked\n\nWhen red qdisc has children (eg qfq qdisc) whose peek() callback is\nqdisc_peek_dequeued(), we could get a kernel panic. When the parent of such\nqdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from\nits child (red in this case), it will do the following:\n 1a. do a peek() - and when sensing there\u0027s an skb the child can offer, then\n     - the child in this case(red) calls its child\u0027s (qfq) peek.\n        qfq does the right thing and will return the gso_skb queue packet.\n        Note: if there wasnt a gso_skb entry then qfq will store it there.\n 1b. invoke a dequeue() on the child (red). And herein lies the problem.\n     - red will call the child\u0027s dequeue() which will essentially just\n       try to grab something of qfq\u0027s queue.\n\n[   78.667668][  T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]\n[   78.667927][  T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full)\n[   78.668263][  T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   78.668486][  T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq]\n[   78.668718][  T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 \u003c80\u003e 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d\n[   78.669312][  T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216\n[   78.669533][  T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[   78.669790][  T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048\n[   78.670044][  T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078\n[   78.670297][  T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000\n[   
78.670560][  T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200\n[   78.670814][  T363] FS:  00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000\n[   78.671110][  T363] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   78.671324][  T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0\n[   78.671585][  T363] PKRU: 55555554\n[   78.671713][  T363] Call Trace:\n[   78.671843][  T363]  \u003cTASK\u003e\n[   78.671936][  T363]  ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq]\n[   78.672148][  T363]  ? __pfx__printk+0x10/0x10\n[   78.672322][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672496][  T363]  ? lockdep_hardirqs_on_prepare+0xa8/0x1a0\n[   78.672706][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.672875][  T363]  ? trace_hardirqs_on+0x19/0x1a0\n[   78.673047][  T363]  red_dequeue+0x65/0x270 [sch_red]\n[   78.673217][  T363]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   78.673385][  T363]  tbf_dequeue.cold+0xb0/0x70c [sch_tbf]\n[   78.673566][  T363]  __qdisc_run+0x169/0x1900\n\nThe right thing to do in #1b is to grab the skb off gso_skb queue.\nThis patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked()\nmethod instead."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:12:46.584Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d"
        },
        {
          "url": "https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c"
        }
      ],
      "title": "net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43496",
    "datePublished": "2026-05-21T12:12:46.584Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-21T12:12:46.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43495 (GCVE-0-2026-43495)

Vulnerability from nvd – Published: 2026-05-21 12:12 – Updated: 2026-05-21 12:12
Title
net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
Summary
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < f94450ce5053b36002995b72d1fa1db3bb08c5bf (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 9855e063e063158cc5bded576382599dc3133202 (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 2b56d7903ab804481f5233a259d5f341e9fd513c (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < dd4f4c93c1488d7100b9964f2da4c8b3c29652f1 (git)
Affected: da45d2566a1d4e260b894ff5d96be64b21c7fa79 , < 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 (git)
Linux Linux Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wwan/t7xx/t7xx_modem_ops.c",
            "drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c",
            "drivers/net/wwan/t7xx/t7xx_port_proxy.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f94450ce5053b36002995b72d1fa1db3bb08c5bf",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "9855e063e063158cc5bded576382599dc3133202",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "2b56d7903ab804481f5233a259d5f341e9fd513c",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "dd4f4c93c1488d7100b9964f2da4c8b3c29652f1",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            },
            {
              "lessThan": "0e7c074cfcd9bd93765505f9eb8b42f03ed2a744",
              "status": "affected",
              "version": "da45d2566a1d4e260b894ff5d96be64b21c7fa79",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wwan/t7xx/t7xx_modem_ops.c",
            "drivers/net/wwan/t7xx/t7xx_port_ctrl_msg.c",
            "drivers/net/wwan/t7xx/t7xx_port_proxy.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\n\nt7xx_port_enum_msg_handler() uses the modem-supplied port_count field as\na loop bound over port_msg-\u003edata[] without checking that the message buffer\ncontains sufficient data. A modem sending port_count=65535 in a 12-byte\nbuffer triggers a slab-out-of-bounds read of up to 262140 bytes.\n\nAdd a sizeof(*port_msg) check before accessing the port message header\nfields to guard against undersized messages.\n\nAdd a struct_size() check after extracting port_count and before the loop.\n\nIn t7xx_parse_host_rt_data(), guard the rt_feature header read with a\nremaining-buffer check before accessing data_len, validate feat_data_len\nagainst the actual remaining buffer to prevent OOB reads and signed\ninteger overflow on offset.\n\nPass msg_len from both call sites: skb-\u003elen at the DPMAIF path after\nskb_pull(), and the validated feat_data_len at the handshake path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T12:12:45.988Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744"
        }
      ],
      "title": "net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43495",
    "datePublished": "2026-05-21T12:12:45.988Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-21T12:12:45.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43494 (GCVE-0-2026-43494)

Vulnerability from nvd – Published: 2026-05-21 10:49 – Updated: 2026-05-23 11:25
Title
net/rds: reset op_nents when zerocopy page pin fails
Summary
In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user().
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 9115669faedccdda100428e2d26fd0aac8c50799 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 0bbbff00a15b1df2cac9014d6cf4b6890f473353 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 640e37f58f991546a87540d067279c2c1fa9fe51 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < 290e833d1acb1093bc121fcdc97f5e6161157479 (git)
Affected: 0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3 , < e174929793195e0cd6a4adb0cad731b39f9019b4 (git)
Linux Linux Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.91 , ≤ 6.12.* (semver)
Unaffected: 6.18.33 , ≤ 6.18.* (semver)
Unaffected: 7.0.10 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-21T15:04:20.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/21/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9115669faedccdda100428e2d26fd0aac8c50799",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "0bbbff00a15b1df2cac9014d6cf4b6890f473353",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "640e37f58f991546a87540d067279c2c1fa9fe51",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "290e833d1acb1093bc121fcdc97f5e6161157479",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            },
            {
              "lessThan": "e174929793195e0cd6a4adb0cad731b39f9019b4",
              "status": "affected",
              "version": "0cebaccef3acbdfbc2d85880a2efb765d2f4e2e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rds/message.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.33",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.10",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: reset op_nents when zerocopy page pin fails\n\nWhen iov_iter_get_pages2() fails in rds_message_zcopy_from_user(),\nthe pinned pages are released with put_page(), and\nrm-\u003edata.op_mmp_znotifier is cleared.  But we fail to properly\nclear rm-\u003edata.op_nents.\n\nLater when rds_message_purge() is called from rds_sendmsg() the\ncleanup loop iterates over the incorrectly non zero number of\nop_nents and frees them again.\n\nFix this by properly resetting op_nents when it should be in\nrds_message_zcopy_from_user()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T11:25:59.216Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353"
        },
        {
          "url": "https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51"
        },
        {
          "url": "https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479"
        },
        {
          "url": "https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4"
        }
      ],
      "title": "net/rds: reset op_nents when zerocopy page pin fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43494",
    "datePublished": "2026-05-21T10:49:21.310Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-23T11:25:59.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43493 (GCVE-0-2026-43493)

Vulnerability from nvd – Published: 2026-05-19 10:44 – Updated: 2026-05-20 16:08
Title
crypto: pcrypt - Fix handling of MAY_BACKLOG requests
Summary
In the Linux kernel, the following vulnerability has been resolved:

crypto: pcrypt - Fix handling of MAY_BACKLOG requests

MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 9f1cbca178c03188e201ed175251372149bb25f2 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < eb34e243df57e32f4c08fa191f3602ea19076276 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 77d55bc8675ee851ed639dc9be77325a8024cf67 (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a (git)
Affected: 5a1436beec5744029f3ac90b6fe71a698dcd6155 , < 915b692e6cb723aac658c25eb82c58fd81235110 (git)
Linux Linux Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/pcrypt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f1cbca178c03188e201ed175251372149bb25f2",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "eb34e243df57e32f4c08fa191f3602ea19076276",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "77d55bc8675ee851ed639dc9be77325a8024cf67",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            },
            {
              "lessThan": "915b692e6cb723aac658c25eb82c58fd81235110",
              "status": "affected",
              "version": "5a1436beec5744029f3ac90b6fe71a698dcd6155",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/pcrypt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: pcrypt - Fix handling of MAY_BACKLOG requests\n\nMAY_BACKLOG requests can return EBUSY.  Handle them by checking\nfor that value and filtering out EINPROGRESS notifications."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T16:08:11.197Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f1cbca178c03188e201ed175251372149bb25f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb34e243df57e32f4c08fa191f3602ea19076276"
        },
        {
          "url": "https://git.kernel.org/stable/c/77d55bc8675ee851ed639dc9be77325a8024cf67"
        },
        {
          "url": "https://git.kernel.org/stable/c/46271895ddfb1ba41f89f7e0dffbe9c2bcf7380a"
        },
        {
          "url": "https://git.kernel.org/stable/c/915b692e6cb723aac658c25eb82c58fd81235110"
        }
      ],
      "title": "crypto: pcrypt - Fix handling of MAY_BACKLOG requests",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43493",
    "datePublished": "2026-05-19T10:44:25.402Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-20T16:08:11.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43492 (GCVE-0-2026-43492)

Vulnerability from nvd – Published: 2026-05-19 10:44 – Updated: 2026-05-19 10:44
Title
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
Summary
In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:

  sys_keyctl()
    keyctl_pkey_e_d_s()
      asymmetric_key_eds_op()
        software_key_eds_op()
          crypto_akcipher_sync_encrypt()
            crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 2aa77a18dc7f2670497fe3ee5acbeda0b57659e5 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 26d3a97ad46c7a9226ec04d4bf35bd4998a97d16 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 8637dfb4c1d8a7026ef681f2477c6de8b71c4003 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 30e513e755bb381afce6fb57cdc8694136193f22 (git)
Affected: 2d4d1eea540b27c72488fd1914674c42473d53df , < 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 (git)
Linux Linux Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "lib/crypto/mpi/mpicoder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2aa77a18dc7f2670497fe3ee5acbeda0b57659e5",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "26d3a97ad46c7a9226ec04d4bf35bd4998a97d16",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "8637dfb4c1d8a7026ef681f2477c6de8b71c4003",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "30e513e755bb381afce6fb57cdc8694136193f22",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            },
            {
              "lessThan": "8c2f1288250a90a4b5cabed5d888d7e3aeed4035",
              "status": "affected",
              "version": "2d4d1eea540b27c72488fd1914674c42473d53df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "lib/crypto/mpi/mpicoder.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()\n\nYiming reports an integer underflow in mpi_read_raw_from_sgl() when\nsubtracting \"lzeros\" from the unsigned \"nbytes\".\n\nFor this to happen, the scatterlist \"sgl\" needs to occupy more bytes\nthan the \"nbytes\" parameter and the first \"nbytes + 1\" bytes of the\nscatterlist must be zero.  Under these conditions, the while loop\niterating over the scatterlist will count more zeroes than \"nbytes\",\nsubtract the number of zeroes from \"nbytes\" and cause the underflow.\n\nWhen commit 2d4d1eea540b (\"lib/mpi: Add mpi sgl helpers\") originally\nintroduced the bug, it couldn\u0027t be triggered because all callers of\nmpi_read_raw_from_sgl() passed a scatterlist whose length was equal to\n\"nbytes\".\n\nHowever since commit 63ba4d67594a (\"KEYS: asymmetric: Use new crypto\ninterface without scatterlists\"), the underflow can now actually be\ntriggered.  When invoking a KEYCTL_PKEY_ENCRYPT system call with a\nlarger \"out_len\" than \"in_len\" and filling the \"in\" buffer with zeroes,\ncrypto_akcipher_sync_prep() will create an all-zero scatterlist used for\nboth the \"src\" and \"dst\" member of struct akcipher_request and thereby\nfulfil the conditions to trigger the bug:\n\n  sys_keyctl()\n    keyctl_pkey_e_d_s()\n      asymmetric_key_eds_op()\n        software_key_eds_op()\n          crypto_akcipher_sync_encrypt()\n            crypto_akcipher_sync_prep()\n              crypto_akcipher_encrypt()\n                rsa_enc()\n                  mpi_read_raw_from_sgl()\n\nTo the user this will be visible as a DoS as the kernel spins forever,\ncausing soft lockup splats as a side effect.\n\nFix it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T10:44:24.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16"
        },
        {
          "url": "https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003"
        },
        {
          "url": "https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035"
        }
      ],
      "title": "lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43492",
    "datePublished": "2026-05-19T10:44:24.719Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-19T10:44:24.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43491 (GCVE-0-2026-43491)

Vulnerability from nvd – Published: 2026-05-19 10:44 – Updated: 2026-05-19 10:44
Title
net: qrtr: ns: Limit the maximum server registration per node
Summary
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the maximum server registration per node

Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory.

Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker().

Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < e6f6cd501fb54060940a6eb3f4103eeb5e426ae7 (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 3efaad55cad1ded429e3a873bfece389058a526b (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 35fb4a0c077c5d1049c2628b769e0a1b1e65df0d (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < 868202aa2adae427060a42d5bd663b4d782ec02c (git)
Affected: 0c2204a4ad710d95d348ea006f14ba926e842ffd , < d5ee2ff98322337951c56398e79d51815acbf955 (git)
Linux Linux Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.86 , ≤ 6.12.* (semver)
Unaffected: 6.18.27 , ≤ 6.18.* (semver)
Unaffected: 7.0.4 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e6f6cd501fb54060940a6eb3f4103eeb5e426ae7",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "3efaad55cad1ded429e3a873bfece389058a526b",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "35fb4a0c077c5d1049c2628b769e0a1b1e65df0d",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "868202aa2adae427060a42d5bd663b4d782ec02c",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            },
            {
              "lessThan": "d5ee2ff98322337951c56398e79d51815acbf955",
              "status": "affected",
              "version": "0c2204a4ad710d95d348ea006f14ba926e842ffd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/qrtr/ns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.27",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.86",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.27",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qrtr: ns: Limit the maximum server registration per node\n\nCurrent code does no bound checking on the number of servers added per\nnode. A malicious client can flood NEW_SERVER messages and exhaust memory.\n\nFix this issue by limiting the maximum number of server registrations to\n256 per node. If the NEW_SERVER message is received for an old port, then\ndon\u0027t restrict it as it will get replaced. While at it, also rate limit\nthe error messages in the failure path of qrtr_ns_worker().\n\nNote that the limit of 256 is chosen based on the current platform\nrequirements. If requirement changes in the future, this limit can be\nincreased."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T10:44:23.832Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3efaad55cad1ded429e3a873bfece389058a526b"
        },
        {
          "url": "https://git.kernel.org/stable/c/35fb4a0c077c5d1049c2628b769e0a1b1e65df0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/868202aa2adae427060a42d5bd663b4d782ec02c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5ee2ff98322337951c56398e79d51815acbf955"
        }
      ],
      "title": "net: qrtr: ns: Limit the maximum server registration per node",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43491",
    "datePublished": "2026-05-19T10:44:23.832Z",
    "dateReserved": "2026-05-01T14:12:56.013Z",
    "dateUpdated": "2026-05-19T10:44:23.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46333 (GCVE-0-2026-46333)

Vulnerability from nvd – Published: 2026-05-15 12:58 – Updated: 2026-05-23 16:07
Title
ptrace: slightly saner 'get_dumpable()' logic
Summary
In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all.

Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 15b828a46f305ae9f05a7c16914b3ce273474205 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 4709234fd1b95136ceb789f639b1e7ea5de1b181 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 (git)
Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a (git)
Affected: d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 (git)
Affected: 03eed7afbc09e061f66b448daf7863174c3dc3f3 (git)
Affected: e45692fa1aea06676449b63ef3c2b6e1e72b7578 (git)
Affected: 694a95fa6dae4991f16cda333d897ea063021fed (git)
Affected: 3.16.52 , < 3.17 (semver)
Affected: 4.4.40 , < 4.5 (semver)
Affected: 4.8.16 , < 4.9 (semver)
Affected: 4.9.1 , < 4.10 (semver)
Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 5.10.256 , ≤ 5.10.* (semver)
Unaffected: 5.15.207 , ≤ 5.15.* (semver)
Unaffected: 6.1.173 , ≤ 6.1.* (semver)
Unaffected: 6.6.139 , ≤ 6.6.* (semver)
Unaffected: 6.12.89 , ≤ 6.12.* (semver)
Unaffected: 6.18.31 , ≤ 6.18.* (semver)
Unaffected: 7.0.8 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-20T18:47:13.604Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/15/9"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00032.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00035.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/20/14"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/20/16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46333",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-269",
                "description": "CWE-269 Improper Privilege Management",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T03:55:24.391Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/exit.c",
            "kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "15b828a46f305ae9f05a7c16914b3ce273474205",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "4709234fd1b95136ceb789f639b1e7ea5de1b181",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "8f907d345bae8f4b3f004c5abc56bf2dfb851ea7",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "2a93a4fac7b6051d3be7cd1b015fe7320cd0404d",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "01363cb3fbd0238ffdeb09f53e9039c9edf8a730",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "lessThan": "31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a",
              "status": "affected",
              "version": "bfedb589252c01fa505ac9f6f2a3d5d68d707ef4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "03eed7afbc09e061f66b448daf7863174c3dc3f3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e45692fa1aea06676449b63ef3c2b6e1e72b7578",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "694a95fa6dae4991f16cda333d897ea063021fed",
              "versionType": "git"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.52",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.40",
              "versionType": "semver"
            },
            {
              "lessThan": "4.9",
              "status": "affected",
              "version": "4.8.16",
              "versionType": "semver"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sched.h",
            "kernel/exit.c",
            "kernel/ptrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.256",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.207",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.139",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.256",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.207",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.173",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.139",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.89",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.31",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.8",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc4",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.52",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.8.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptrace: slightly saner \u0027get_dumpable()\u0027 logic\n\nThe \u0027dumpability\u0027 of a task is fundamentally about the memory image of\nthe task - the concept comes from whether it can core dump or not - and\nmakes no sense when you don\u0027t have an associated mm.\n\nAnd almost all users do in fact use it only for the case where the task\nhas a mm pointer.\n\nBut we have one odd special case: ptrace_may_access() uses \u0027dumpable\u0027 to\ncheck various other things entirely independently of the MM (typically\nexplicitly using flags like PTRACE_MODE_READ_FSCREDS).  Including for\nthreads that no longer have a VM (and maybe never did, like most kernel\nthreads).\n\nIt\u0027s not what this flag was designed for, but it is what it is.\n\nThe ptrace code does check that the uid/gid matches, so you do have to\nbe uid-0 to see kernel thread details, but this means that the\ntraditional \"drop capabilities\" model doesn\u0027t make any difference for\nthis all.\n\nMake it all make a *bit* more sense by saying that if you don\u0027t have a\nMM pointer, we\u0027ll use a cached \"last dumpability\" flag if the thread\never had a MM (it will be zero for kernel threads since it is never\nset), and require a proper CAP_SYS_PTRACE capability to override."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:07:12.401Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/15b828a46f305ae9f05a7c16914b3ce273474205"
        },
        {
          "url": "https://git.kernel.org/stable/c/4709234fd1b95136ceb789f639b1e7ea5de1b181"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f907d345bae8f4b3f004c5abc56bf2dfb851ea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a93a4fac7b6051d3be7cd1b015fe7320cd0404d"
        },
        {
          "url": "https://git.kernel.org/stable/c/01363cb3fbd0238ffdeb09f53e9039c9edf8a730"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a"
        }
      ],
      "title": "ptrace: slightly saner \u0027get_dumpable()\u0027 logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46333",
    "datePublished": "2026-05-15T12:58:44.599Z",
    "dateReserved": "2026-05-13T15:03:33.113Z",
    "dateUpdated": "2026-05-23T16:07:12.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43490 (GCVE-0-2026-43490)

Vulnerability from nvd – Published: 2026-05-15 05:15 – Updated: 2026-05-23 11:25
Title
ksmbd: validate inherited ACE SID length
Summary
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer. Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < a7fb771314fb3a265d30f8ac245869a367ab065c (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 47c6e37a77b10e74f70d845ba4ea5d3cafa00336 (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 1aa60fea7f637c071f529ad6784aecca2f2f0c5f (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c1d95c995d5bcb24b639200a899eda59cb1e6d64 (git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 996454bc0da84d5a1dedb1a7861823087e01a7ae (git)
Linux Linux Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.141 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a7fb771314fb3a265d30f8ac245869a367ab065c",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "47c6e37a77b10e74f70d845ba4ea5d3cafa00336",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "1aa60fea7f637c071f529ad6784aecca2f2f0c5f",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "c1d95c995d5bcb24b639200a899eda59cb1e6d64",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            },
            {
              "lessThan": "996454bc0da84d5a1dedb1a7861823087e01a7ae",
              "status": "affected",
              "version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate inherited ACE SID length\n\nsmb_inherit_dacl() walks the parent directory DACL loaded from the\nsecurity descriptor xattr. It verifies that each ACE contains the fixed\nSID header before using it, but does not verify that the variable-length\nSID described by sid.num_subauth is fully contained in the ACE.\n\nA malformed inheritable ACE can advertise more subauthorities than are\npresent in the ACE. compare_sids() may then read past the ACE.\nsmb_set_ace() also clamps the copied destination SID, but used the\nunchecked source SID count to compute the inherited ACE size. That could\nadvance the temporary inherited ACE buffer pointer and nt_size accounting\npast the allocated buffer.\n\nFix this by validating the parent ACE SID count and SID length before\nusing the SID during inheritance. Compute the inherited ACE size from the\ncopied SID so the size matches the bounded destination SID. Reject the\ninherited DACL if size accumulation would overflow smb_acl.size or the\nsecurity descriptor allocation size."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T11:25:58.184Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a7fb771314fb3a265d30f8ac245869a367ab065c"
        },
        {
          "url": "https://git.kernel.org/stable/c/47c6e37a77b10e74f70d845ba4ea5d3cafa00336"
        },
        {
          "url": "https://git.kernel.org/stable/c/1aa60fea7f637c071f529ad6784aecca2f2f0c5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1d95c995d5bcb24b639200a899eda59cb1e6d64"
        },
        {
          "url": "https://git.kernel.org/stable/c/996454bc0da84d5a1dedb1a7861823087e01a7ae"
        }
      ],
      "title": "ksmbd: validate inherited ACE SID length",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43490",
    "datePublished": "2026-05-15T05:15:37.666Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-23T11:25:58.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43489 (GCVE-0-2026-43489)

Vulnerability from nvd – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
liveupdate: luo_file: remember retrieve() status
Summary
In the Linux kernel, the following vulnerability has been resolved: liveupdate: luo_file: remember retrieve() status LUO keeps track of successful retrieve attempts on a LUO file. It does so to avoid multiple retrievals of the same file. Multiple retrievals cause problems because once the file is retrieved, the serialized data structures are likely freed and the file is likely in a very different state from what the code expects. The retrieve boolean in struct luo_file keeps track of this, and is passed to the finish callback so it knows what work was already done and what it has left to do. All this works well when retrieve succeeds. When it fails, luo_retrieve_file() returns the error immediately, without ever storing anywhere that a retrieve was attempted or what its error code was. This results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace, but nothing prevents it from trying this again. The retry is problematic for much of the same reasons listed above. The file is likely in a very different state than what the retrieve logic normally expects, and it might even have freed some serialization data structures. Attempting to access them or free them again is going to break things. For example, if memfd managed to restore 8 of its 10 folios, but fails on the 9th, a subsequent retrieve attempt will try to call kho_restore_folio() on the first folio again, and that will fail with a warning since it is an invalid operation. Apart from the retry, finish() also breaks. Since on failure the retrieved bool in luo_file is never touched, the finish() call on session close will tell the file handler that retrieve was never attempted, and it will try to access or free the data structures that might not exist, much in the same way as the retry attempt. There is no sane way of attempting the retrieve again. Remember the error retrieve returned and directly return it on a retry. Also pass this status code to finish() so it can make the right decision on the work it needs to do. This is done by changing the bool to an integer. A value of 0 means retrieve was never attempted, a positive value means it succeeded, and a negative value means it failed and the error code is the value.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < 1d3ad69484dc1cc53be62d2554e7ef038a627af9 (git)
Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < f85b1c6af5bc3872f994df0a5688c1162de07a62 (git)
Linux Linux Affected: 6.19
Unaffected: 0 , < 6.19 (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/liveupdate.h",
            "kernel/liveupdate/luo_file.c",
            "mm/memfd_luo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d3ad69484dc1cc53be62d2554e7ef038a627af9",
              "status": "affected",
              "version": "7c722a7f44e0c1f9714084152226bc7bd644b7e3",
              "versionType": "git"
            },
            {
              "lessThan": "f85b1c6af5bc3872f994df0a5688c1162de07a62",
              "status": "affected",
              "version": "7c722a7f44e0c1f9714084152226bc7bd644b7e3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/liveupdate.h",
            "kernel/liveupdate/luo_file.c",
            "mm/memfd_luo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nliveupdate: luo_file: remember retrieve() status\n\nLUO keeps track of successful retrieve attempts on a LUO file.  It does so\nto avoid multiple retrievals of the same file.  Multiple retrievals cause\nproblems because once the file is retrieved, the serialized data\nstructures are likely freed and the file is likely in a very different\nstate from what the code expects.\n\nThe retrieve boolean in struct luo_file keeps track of this, and is passed\nto the finish callback so it knows what work was already done and what it\nhas left to do.\n\nAll this works well when retrieve succeeds.  When it fails,\nluo_retrieve_file() returns the error immediately, without ever storing\nanywhere that a retrieve was attempted or what its error code was.  This\nresults in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,\nbut nothing prevents it from trying this again.\n\nThe retry is problematic for much of the same reasons listed above.  The\nfile is likely in a very different state than what the retrieve logic\nnormally expects, and it might even have freed some serialization data\nstructures.  Attempting to access them or free them again is going to\nbreak things.\n\nFor example, if memfd managed to restore 8 of its 10 folios, but fails on\nthe 9th, a subsequent retrieve attempt will try to call\nkho_restore_folio() on the first folio again, and that will fail with a\nwarning since it is an invalid operation.\n\nApart from the retry, finish() also breaks.  Since on failure the\nretrieved bool in luo_file is never touched, the finish() call on session\nclose will tell the file handler that retrieve was never attempted, and it\nwill try to access or free the data structures that might not exist, much\nin the same way as the retry attempt.\n\nThere is no sane way of attempting the retrieve again.  Remember the error\nretrieve returned and directly return it on a retry.  Also pass this\nstatus code to finish() so it can make the right decision on the work it\nneeds to do.\n\nThis is done by changing the bool to an integer.  A value of 0 means\nretrieve was never attempted, a positive value means it succeeded, and a\nnegative value means it failed and the error code is the value."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:08:33.810Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d3ad69484dc1cc53be62d2554e7ef038a627af9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f85b1c6af5bc3872f994df0a5688c1162de07a62"
        }
      ],
      "title": "liveupdate: luo_file: remember retrieve() status",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43489",
    "datePublished": "2026-05-13T15:08:33.810Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-13T15:08:33.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43488 (GCVE-0-2026-43488)

Vulnerability from nvd – Published: 2026-05-13 15:08 – Updated: 2026-05-14 14:31
Title
usb: xhci: Prevent interrupt storm on host controller error (HCE)
Summary
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults. When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt(). Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors. This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < b2dd9abf8c06cfcbcf242321fd54ae51a4807705 (git)
Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < 6f91f3f087194c114d6d8ea4591b850bb00672f8 (git)
Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < cd41e0d1df8fcf5eae294657da52b50d1ce03246 (git)
Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < 09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d (git)
Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < d6d5febd12452b7fd951fdd15c3ec262f01901a4 (git)
Linux Linux Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b2dd9abf8c06cfcbcf242321fd54ae51a4807705",
              "status": "affected",
              "version": "2a25e66d676dfb9b018abd503deed3d38a892dec",
              "versionType": "git"
            },
            {
              "lessThan": "6f91f3f087194c114d6d8ea4591b850bb00672f8",
              "status": "affected",
              "version": "2a25e66d676dfb9b018abd503deed3d38a892dec",
              "versionType": "git"
            },
            {
              "lessThan": "cd41e0d1df8fcf5eae294657da52b50d1ce03246",
              "status": "affected",
              "version": "2a25e66d676dfb9b018abd503deed3d38a892dec",
              "versionType": "git"
            },
            {
              "lessThan": "09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d",
              "status": "affected",
              "version": "2a25e66d676dfb9b018abd503deed3d38a892dec",
              "versionType": "git"
            },
            {
              "lessThan": "d6d5febd12452b7fd951fdd15c3ec262f01901a4",
              "status": "affected",
              "version": "2a25e66d676dfb9b018abd503deed3d38a892dec",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Prevent interrupt storm on host controller error (HCE)\n\nThe xHCI controller reports a Host Controller Error (HCE) in UAS Storage\nDevice plug/unplug scenarios on Android devices. HCE is checked in\nxhci_irq() function and causes an interrupt storm (since the interrupt\nisn\u2019t cleared), leading to severe system-level faults.\n\nWhen the xHC controller reports HCE in the interrupt handler, the driver\nonly logs a warning and assumes xHC activity will stop as stated in xHCI\nspecification. An interrupt storm does however continue on some hosts\neven after HCE, and only ceases after manually disabling xHC interrupt\nand stopping the controller by calling xhci_halt().\n\nAdd xhci_halt() to xhci_irq() function where STS_HCE status is checked,\nmirroring the existing error handling pattern used for STS_FATAL errors.\n\nThis only fixes the interrupt storm. Proper HCE recovery requires resetting\nand re-initializing the xHC."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T14:31:22.390Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b2dd9abf8c06cfcbcf242321fd54ae51a4807705"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f91f3f087194c114d6d8ea4591b850bb00672f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd41e0d1df8fcf5eae294657da52b50d1ce03246"
        },
        {
          "url": "https://git.kernel.org/stable/c/09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6d5febd12452b7fd951fdd15c3ec262f01901a4"
        }
      ],
      "title": "usb: xhci: Prevent interrupt storm on host controller error (HCE)",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43488",
    "datePublished": "2026-05-13T15:08:33.196Z",
    "dateReserved": "2026-05-01T14:12:56.012Z",
    "dateUpdated": "2026-05-14T14:31:22.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}