Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
24909 vulnerabilities found for linux by linux
CVE-2026-52910 (GCVE-0-2026-52910)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-06-19 14:43
VLAI
Title
bpf: Free reuseport cBPF prog after RCU grace period.
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Free reuseport cBPF prog after RCU grace period.
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU
grace period.
Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
__udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
__udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
__udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6181 [inline]
__netif_receive_skb net/core/dev.c:6294 [inline]
process_backlog+0xaa4/0x1960 net/core/dev.c:6645
__napi_poll+0xae/0x340 net/core/dev.c:7709
napi_poll net/core/dev.c:7772 [inline]
net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
handle_softirqs+0x22b/0x870 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
__dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x554/0x680 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11:
---truncated---
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 08264d5bba0bdd3a79bc2984fee09286aba0c4eb
(git)
Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < fec41484e7c2aa7ded44c541bba98872be937754 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < c3e3fddda6b5d9ba505d218b4055e7d8a282ac57 (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < f8b8f1d4bb76098e87b8269a0631019648330e6d (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 298db6167f81e9c470a57cf652e4e47757b4293e (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 87dfb977bdb6eaa47e9993a34e18f44970f88b1f (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 90e47dc5c572d1c73971ac51c7428803f42b78eb (git) Affected: 538950a1b7527a0a52ccd9337e3fcd304f027f13 , < 18fc650ccd7fe3376eca89203668cfb8268f60df (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08264d5bba0bdd3a79bc2984fee09286aba0c4eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "fec41484e7c2aa7ded44c541bba98872be937754",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "c3e3fddda6b5d9ba505d218b4055e7d8a282ac57",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "f8b8f1d4bb76098e87b8269a0631019648330e6d",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "298db6167f81e9c470a57cf652e4e47757b4293e",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "87dfb977bdb6eaa47e9993a34e18f44970f88b1f",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "90e47dc5c572d1c73971ac51c7428803f42b78eb",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
},
{
"lessThan": "18fc650ccd7fe3376eca89203668cfb8268f60df",
"status": "affected",
"version": "538950a1b7527a0a52ccd9337e3fcd304f027f13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/filter.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free reuseport cBPF prog after RCU grace period.\n\nEulgyu Kim reported the splat below with a repro. [0]\n\nThe repro sets up a UDP reuseport group with a cBPF prog and\nreplaces it with a new one while another thread is sending\na UDP packet to the group.\n\nThe reuseport prog is freed by sk_reuseport_prog_free().\nbpf_prog_put() is called for \"e\"BPF prog to destruct through\nmultiple stages while cBPF prog is freed immediately by\nbpf_release_orig_filter() and bpf_prog_free().\n\nIf a reuseport prog is detached from the setsockopt() path\n(reuseport_attach_prog() or reuseport_detach_prog()),\nsk_reuseport_prog_free() is called without waiting for RCU\nreaders to complete, resulting in various bugs.\n\nLet\u0027s defer freeing the reuseport cBPF prog after one RCU\ngrace period.\n\nNote \"e\"BPF prog is safe as is unless the fast path starts\nto touch fields destroyed in bpf_prog_put_deferred() and\n__bpf_prog_put_noref().\n\n[0]:\nBUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\nRead of size 4 at addr ffffc9000051e004 by task slowme/10208\nCPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)\nHardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596\n udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495\n __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723\n __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752\n __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752\n ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207\n ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318\n __netif_receive_skb_one_core net/core/dev.c:6181 [inline]\n __netif_receive_skb net/core/dev.c:6294 [inline]\n process_backlog+0xaa4/0x1960 net/core/dev.c:6645\n __napi_poll+0xae/0x340 net/core/dev.c:7709\n napi_poll net/core/dev.c:7772 [inline]\n net_rx_action+0x5d7/0xf50 net/core/dev.c:7929\n handle_softirqs+0x22b/0x870 kernel/softirq.c:622\n do_softirq+0x76/0xd0 kernel/softirq.c:523\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]\n __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237\n NF_HOOK_COND include/linux/netfilter.h:307 [inline]\n ip_output+0x29f/0x450 net/ipv4/ip_output.c:438\n ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508\n udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195\n udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n __sys_sendto+0x554/0x680 net/socket.c:2206\n __do_sys_sendto net/socket.c:2213 [inline]\n __se_sys_sendto net/socket.c:2209 [inline]\n __x64_sys_sendto+0xde/0x100 net/socket.c:2209\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x415a2d\nCode: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d\nRDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003\nRBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010\nR10: 0000000000000000 R11: \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T14:43:33.952Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08264d5bba0bdd3a79bc2984fee09286aba0c4eb"
},
{
"url": "https://git.kernel.org/stable/c/fec41484e7c2aa7ded44c541bba98872be937754"
},
{
"url": "https://git.kernel.org/stable/c/c3e3fddda6b5d9ba505d218b4055e7d8a282ac57"
},
{
"url": "https://git.kernel.org/stable/c/f8b8f1d4bb76098e87b8269a0631019648330e6d"
},
{
"url": "https://git.kernel.org/stable/c/298db6167f81e9c470a57cf652e4e47757b4293e"
},
{
"url": "https://git.kernel.org/stable/c/87dfb977bdb6eaa47e9993a34e18f44970f88b1f"
},
{
"url": "https://git.kernel.org/stable/c/90e47dc5c572d1c73971ac51c7428803f42b78eb"
},
{
"url": "https://git.kernel.org/stable/c/18fc650ccd7fe3376eca89203668cfb8268f60df"
}
],
"title": "bpf: Free reuseport cBPF prog after RCU grace period.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52910",
"datePublished": "2026-06-19T14:43:33.952Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-19T14:43:33.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52909 (GCVE-0-2026-52909)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:43 – Updated: 2026-06-19 14:43
VLAI
Title
ip6_vti: set netns_immutable on the fallback device.
Summary
In the Linux kernel, the following vulnerability has been resolved:
ip6_vti: set netns_immutable on the fallback device.
john1988 and Noam Rathaus reported that vti6_init_net() does not set the
netns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).
Other similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)
correctly set this flag during their fallback device initialization to
prevent them from being moved to another network namespace.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
61220ab349485d911083d0b7990ccd3db6c63297 , < ecf8904067dcba0dad86ece80874841e60317885
(git)
Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < dcdce3bc9f08026ff3739ee7339e1bef526fc5f3 (git) Affected: 61220ab349485d911083d0b7990ccd3db6c63297 , < d289d5307762d1838aaece22c6b6fcad9e8865f9 (git) |
|
| Linux | Linux |
Affected:
3.15
Unaffected: 0 , < 3.15 (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecf8904067dcba0dad86ece80874841e60317885",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "dcdce3bc9f08026ff3739ee7339e1bef526fc5f3",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
},
{
"lessThan": "d289d5307762d1838aaece22c6b6fcad9e8865f9",
"status": "affected",
"version": "61220ab349485d911083d0b7990ccd3db6c63297",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_vti.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.15"
},
{
"lessThan": "3.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "3.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_vti: set netns_immutable on the fallback device.\n\njohn1988 and Noam Rathaus reported that vti6_init_net() does not set the\nnetns_immutable flag on the per-netns fallback tunnel device (ip6_vti0).\n\nOther similar tunnel drivers (like ip6_tunnel, sit, ip6_gre, and ip_tunnel)\ncorrectly set this flag during their fallback device initialization to\nprevent them from being moved to another network namespace."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T14:43:33.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecf8904067dcba0dad86ece80874841e60317885"
},
{
"url": "https://git.kernel.org/stable/c/dcdce3bc9f08026ff3739ee7339e1bef526fc5f3"
},
{
"url": "https://git.kernel.org/stable/c/d289d5307762d1838aaece22c6b6fcad9e8865f9"
}
],
"title": "ip6_vti: set netns_immutable on the fallback device.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52909",
"datePublished": "2026-06-19T14:43:33.214Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-19T14:43:33.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52908 (GCVE-0-2026-52908)
Vulnerability from cvelistv5 – Published: 2026-06-19 14:00 – Updated: 2026-06-19 14:00
VLAI
Title
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
re-evaluated to ensure it is properly pinned as RW. Since the umem is
hidden inside each driver's mr struct add a ib_umem_check_rereg() function
that each driver has to call before processing IB_MR_REREG_ACCESS.
mlx4 has to retain its duplicate ib_access_writable check because it
implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
in place sequentially while the MR is live, so it will continue to not
support this combination.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b40656aa7d559adc1fe689396dc58b92a9a27286 , < 09dc18894148381d3bfc550083b1236043870dce
(git)
Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < eba5df21eda0fe7418efbea2f799f8ea1b8ca94c (git) Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < 2904e985a2917b5dac65df82733065e78a65fc9d (git) Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < 50334a05a950840b39a1ce3d2a173b4183db9b3e (git) Affected: b40656aa7d559adc1fe689396dc58b92a9a27286 , < badad6fad60def1b9805559dd81dbab3d97b82aa (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/umem.c",
"drivers/infiniband/hw/hns/hns_roce_mr.c",
"drivers/infiniband/hw/irdma/verbs.c",
"drivers/infiniband/hw/mlx4/mr.c",
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"include/rdma/ib_umem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "09dc18894148381d3bfc550083b1236043870dce",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "eba5df21eda0fe7418efbea2f799f8ea1b8ca94c",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "2904e985a2917b5dac65df82733065e78a65fc9d",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "50334a05a950840b39a1ce3d2a173b4183db9b3e",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
},
{
"lessThan": "badad6fad60def1b9805559dd81dbab3d97b82aa",
"status": "affected",
"version": "b40656aa7d559adc1fe689396dc58b92a9a27286",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/umem.c",
"drivers/infiniband/hw/hns/hns_roce_mr.c",
"drivers/infiniband/hw/irdma/verbs.c",
"drivers/infiniband/hw/mlx4/mr.c",
"drivers/infiniband/hw/mlx5/mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.c",
"include/rdma/ib_umem.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA: During rereg_mr ensure that REREG_ACCESS is compatible\n\nIf IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be\nre-evaluated to ensure it is properly pinned as RW. Since the umem is\nhidden inside each driver\u0027s mr struct add a ib_umem_check_rereg() function\nthat each driver has to call before processing IB_MR_REREG_ACCESS.\n\nmlx4 has to retain its duplicate ib_access_writable check because it\nimplements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items\nin place sequentially while the MR is live, so it will continue to not\nsupport this combination."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T14:00:35.971Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/09dc18894148381d3bfc550083b1236043870dce"
},
{
"url": "https://git.kernel.org/stable/c/eba5df21eda0fe7418efbea2f799f8ea1b8ca94c"
},
{
"url": "https://git.kernel.org/stable/c/2904e985a2917b5dac65df82733065e78a65fc9d"
},
{
"url": "https://git.kernel.org/stable/c/50334a05a950840b39a1ce3d2a173b4183db9b3e"
},
{
"url": "https://git.kernel.org/stable/c/badad6fad60def1b9805559dd81dbab3d97b82aa"
}
],
"title": "RDMA: During rereg_mr ensure that REREG_ACCESS is compatible",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52908",
"datePublished": "2026-06-19T14:00:35.971Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-19T14:00:35.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46331 (GCVE-0-2026-46331)
Vulnerability from cvelistv5 – Published: 2026-06-16 06:26 – Updated: 2026-06-19 12:00
VLAI
Title
net/sched: fix pedit partial COW leading to page cache corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8b796475fd7882663a870456466a4fb315cc1bd6 , < 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b
(git)
Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < b198ed4e52580a7238c7c7082f03906f8b310313 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 3dee9d0c198faeb95d052c1b94c2958751a28512 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 899ee91156e57784090c5565e4f31bd7dbffbc5a (git) Affected: d0c38a914b0c4c21d553da801003d36979016726 (git) Affected: 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 (git) Affected: abe35bf3be51482593076d516a680d79e5fbc8e1 (git) Affected: b773640d5bb9e2acfd91e2695717af04d47aa116 (git) Affected: c19cc520b3d69904e9518d401ad0df7f4702aca0 (git) Affected: 4.19.244 , < 4.20 (semver) Affected: 5.4.195 , < 5.5 (semver) Affected: 5.10.117 , < 5.11 (semver) Affected: 5.15.41 , < 5.16 (semver) Affected: 5.17.9 , < 5.18 (semver) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "b198ed4e52580a7238c7c7082f03906f8b310313",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "3dee9d0c198faeb95d052c1b94c2958751a28512",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "899ee91156e57784090c5565e4f31bd7dbffbc5a",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"status": "affected",
"version": "d0c38a914b0c4c21d553da801003d36979016726",
"versionType": "git"
},
{
"status": "affected",
"version": "2ec2dd7d51a9320151f275ddbb2b53260fb32ca1",
"versionType": "git"
},
{
"status": "affected",
"version": "abe35bf3be51482593076d516a680d79e5fbc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "b773640d5bb9e2acfd91e2695717af04d47aa116",
"versionType": "git"
},
{
"status": "affected",
"version": "c19cc520b3d69904e9518d401ad0df7f4702aca0",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.244",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.195",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.117",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.41",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW\u0027d.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:28.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b"
},
{
"url": "https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313"
},
{
"url": "https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512"
},
{
"url": "https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a"
}
],
"title": "net/sched: fix pedit partial COW leading to page cache corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46331",
"datePublished": "2026-06-16T06:26:21.066Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:28.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52907 (GCVE-0-2026-52907)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
media: rockchip: rkcif: fix off by one bugs
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rkcif: fix off by one bugs
Change these comparisons from > vs >= to avoid accessing one element
beyond the end of the arrays.
While at it, use ARRAY_SIZE instead of the _MAX enum values.
[fix cosmetic issues]
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f2353f5a1af995efbf7bea44341aa0d03460b28 , < 73e119036b3a799170ed89907b4273c07306d611
(git)
Affected: 1f2353f5a1af995efbf7bea44341aa0d03460b28 , < e4056b84af0fc18c84b4e5741df04ecd8ca17973 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73e119036b3a799170ed89907b4273c07306d611",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
},
{
"lessThan": "e4056b84af0fc18c84b4e5741df04ecd8ca17973",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rockchip: rkcif: fix off by one bugs\n\nChange these comparisons from \u003e vs \u003e= to avoid accessing one element\nbeyond the end of the arrays.\nWhile at it, use ARRAY_SIZE instead of the _MAX enum values.\n\n[fix cosmetic issues]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:46.770Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73e119036b3a799170ed89907b4273c07306d611"
},
{
"url": "https://git.kernel.org/stable/c/e4056b84af0fc18c84b4e5741df04ecd8ca17973"
}
],
"title": "media: rockchip: rkcif: fix off by one bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52907",
"datePublished": "2026-06-09T12:36:04.617Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:46.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52906 (GCVE-0-2026-52906)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
9p: fix access mode flags being ORed instead of replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p: fix access mode flags being ORed instead of replaced
Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
"access=user", both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.
This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.
Fix by clearing the access mask before applying the user's choice.
Severity
7.7 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f3e4142c0eb178089ea0cbc97506a061470ad27 , < b8f037e87a083291190204b959cda417aaf01058
(git)
Affected: 1f3e4142c0eb178089ea0cbc97506a061470ad27 , < da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8f037e87a083291190204b959cda417aaf01058",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
},
{
"lessThan": "da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix access mode flags being ORed instead of replaced\n\nSince commit 1f3e4142c0eb (\"9p: convert to the new mount API\"),\nv9fs_apply_options() applies parsed mount flags with |= onto flags\nalready set by v9fs_session_init(). For 9P2000.L, session_init sets\nV9FS_ACCESS_CLIENT as the default, so when the user mounts with\n\"access=user\", both bits end up set. Access mode checks compare\nagainst exact values, so having both bits set matches neither mode.\n\nThis causes v9fs_fid_lookup() to fall through to the default switch\ncase, using INVALID_UID (nobody/65534) instead of current_fsuid()\nfor all fid lookups. Root is then unable to chown or perform other\nprivileged operations.\n\nFix by clearing the access mask before applying the user\u0027s choice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:41.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8f037e87a083291190204b959cda417aaf01058"
},
{
"url": "https://git.kernel.org/stable/c/da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9"
}
],
"title": "9p: fix access mode flags being ORed instead of replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52906",
"datePublished": "2026-06-09T12:36:03.521Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:41.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52905 (GCVE-0-2026-52905)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced
a bug that allows unaligned DAMON region address ranges. Commit
c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs
interface can emit non-power of two min_region_sz via damon_start(). Fix
the path by adding the is_power_of_2() check on damon_start().
The issue was discovered by sashiko [1].
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d8f867fa0825fb3e358457566d7326d8aab2406a , < 1de2db19a6028abe7d905875922faef5b873de67
(git)
Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 89b6226b6c2a4add3939f361653a47c212d6ab75 (git) Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 95093e5cb4c5b50a5b1a4b79f2942b62744bd66a (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1de2db19a6028abe7d905875922faef5b873de67",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "89b6226b6c2a4add3939f361653a47c212d6ab75",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "95093e5cb4c5b50a5b1a4b79f2942b62744bd66a",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: disallow non-power of two min_region_sz on damon_start()\n\nCommit d8f867fa0825 (\"mm/damon: add damon_ctx-\u003emin_sz_region\") introduced\na bug that allows unaligned DAMON region address ranges. Commit\nc80f46ac228b (\"mm/damon/core: disallow non-power of two min_region_sz\")\nfixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs\ninterface can emit non-power of two min_region_sz via damon_start(). Fix\nthe path by adding the is_power_of_2() check on damon_start().\n\nThe issue was discovered by sashiko [1]."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:36.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1de2db19a6028abe7d905875922faef5b873de67"
},
{
"url": "https://git.kernel.org/stable/c/89b6226b6c2a4add3939f361653a47c212d6ab75"
},
{
"url": "https://git.kernel.org/stable/c/95093e5cb4c5b50a5b1a4b79f2942b62744bd66a"
}
],
"title": "mm/damon/core: disallow non-power of two min_region_sz on damon_start()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52905",
"datePublished": "2026-06-09T12:36:02.516Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:36.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52904 (GCVE-0-2026-52904)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
drm/nouveau: fix nvkm_device leak on aperture removal failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix nvkm_device leak on aperture removal failure
When aperture_remove_conflicting_pci_devices() fails during probe, the
error path returns directly without unwinding the nvkm_device that was
just allocated by nvkm_device_pci_new(). This leaks both the device
wrapper and the pci_enable_device() reference taken inside it.
Jump to the existing fail_nvkm label so nvkm_device_del() runs and
balances both. The leak was introduced when the intermediate
nvkm_device_del() between detection and aperture removal was dropped
in favor of creating the pci device once.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 5edd564ccb002ffc830e7818c1c4a992db774678
(git)
Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6 (git) Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 843c0247cf21364e33bb5a8ffc9af57107d04d05 (git) Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 6597ff1d8de3f583be169587efeafd8af134e138 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5edd564ccb002ffc830e7818c1c4a992db774678",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "843c0247cf21364e33bb5a8ffc9af57107d04d05",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "6597ff1d8de3f583be169587efeafd8af134e138",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix nvkm_device leak on aperture removal failure\n\nWhen aperture_remove_conflicting_pci_devices() fails during probe, the\nerror path returns directly without unwinding the nvkm_device that was\njust allocated by nvkm_device_pci_new(). This leaks both the device\nwrapper and the pci_enable_device() reference taken inside it.\n\nJump to the existing fail_nvkm label so nvkm_device_del() runs and\nbalances both. The leak was introduced when the intermediate\nnvkm_device_del() between detection and aperture removal was dropped\nin favor of creating the pci device once."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:32.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5edd564ccb002ffc830e7818c1c4a992db774678"
},
{
"url": "https://git.kernel.org/stable/c/4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6"
},
{
"url": "https://git.kernel.org/stable/c/843c0247cf21364e33bb5a8ffc9af57107d04d05"
},
{
"url": "https://git.kernel.org/stable/c/6597ff1d8de3f583be169587efeafd8af134e138"
}
],
"title": "drm/nouveau: fix nvkm_device leak on aperture removal failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52904",
"datePublished": "2026-06-09T12:36:01.237Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:32.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46332 (GCVE-0-2026-46332)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
greybus: gb-beagleplay: bound bootloader receive buffering
Summary
In the Linux kernel, the following vulnerability has been resolved:
greybus: gb-beagleplay: bound bootloader receive buffering
cc1352_bootloader_rx() appends each serdev chunk into the fixed
rx_buffer before parsing bootloader packets. The helper can keep
leftover bytes between callbacks and may receive multiple packets in one
callback, so a single count value is not constrained by one packet
length.
Check that the incoming chunk fits in the remaining receive buffer space
before memcpy(). If it does not, drop the staged data and consume the
bytes instead of overflowing rx_buffer.
Severity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 663c2728a6d0f781044431111b53a27f71027e48
(git)
Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < fb91d4e49fcbea0b5091394ac5b8f7d4124265c3 (git) Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 0339a746ff7cd3f9d10f565e89c99dc93191e58d (git) Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 1214bf28965ceaf584fb20d357731264dd2e10e1 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "663c2728a6d0f781044431111b53a27f71027e48",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "fb91d4e49fcbea0b5091394ac5b8f7d4124265c3",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "0339a746ff7cd3f9d10f565e89c99dc93191e58d",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "1214bf28965ceaf584fb20d357731264dd2e10e1",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: gb-beagleplay: bound bootloader receive buffering\n\ncc1352_bootloader_rx() appends each serdev chunk into the fixed\nrx_buffer before parsing bootloader packets. The helper can keep\nleftover bytes between callbacks and may receive multiple packets in one\ncallback, so a single count value is not constrained by one packet\nlength.\n\nCheck that the incoming chunk fits in the remaining receive buffer space\nbefore memcpy(). If it does not, drop the staged data and consume the\nbytes instead of overflowing rx_buffer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:23.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/663c2728a6d0f781044431111b53a27f71027e48"
},
{
"url": "https://git.kernel.org/stable/c/fb91d4e49fcbea0b5091394ac5b8f7d4124265c3"
},
{
"url": "https://git.kernel.org/stable/c/0339a746ff7cd3f9d10f565e89c99dc93191e58d"
},
{
"url": "https://git.kernel.org/stable/c/1214bf28965ceaf584fb20d357731264dd2e10e1"
}
],
"title": "greybus: gb-beagleplay: bound bootloader receive buffering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46332",
"datePublished": "2026-06-09T12:36:00.450Z",
"dateReserved": "2026-05-13T15:03:33.113Z",
"dateUpdated": "2026-06-14T18:09:23.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46331 (GCVE-0-2026-46331)
Vulnerability from nvd – Published: 2026-06-16 06:26 – Updated: 2026-06-19 12:00
VLAI
Title
net/sched: fix pedit partial COW leading to page cache corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8b796475fd7882663a870456466a4fb315cc1bd6 , < 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b
(git)
Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < b198ed4e52580a7238c7c7082f03906f8b310313 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 3dee9d0c198faeb95d052c1b94c2958751a28512 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 899ee91156e57784090c5565e4f31bd7dbffbc5a (git) Affected: d0c38a914b0c4c21d553da801003d36979016726 (git) Affected: 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 (git) Affected: abe35bf3be51482593076d516a680d79e5fbc8e1 (git) Affected: b773640d5bb9e2acfd91e2695717af04d47aa116 (git) Affected: c19cc520b3d69904e9518d401ad0df7f4702aca0 (git) Affected: 4.19.244 , < 4.20 (semver) Affected: 5.4.195 , < 5.5 (semver) Affected: 5.10.117 , < 5.11 (semver) Affected: 5.15.41 , < 5.16 (semver) Affected: 5.17.9 , < 5.18 (semver) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "b198ed4e52580a7238c7c7082f03906f8b310313",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "3dee9d0c198faeb95d052c1b94c2958751a28512",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "899ee91156e57784090c5565e4f31bd7dbffbc5a",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"status": "affected",
"version": "d0c38a914b0c4c21d553da801003d36979016726",
"versionType": "git"
},
{
"status": "affected",
"version": "2ec2dd7d51a9320151f275ddbb2b53260fb32ca1",
"versionType": "git"
},
{
"status": "affected",
"version": "abe35bf3be51482593076d516a680d79e5fbc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "b773640d5bb9e2acfd91e2695717af04d47aa116",
"versionType": "git"
},
{
"status": "affected",
"version": "c19cc520b3d69904e9518d401ad0df7f4702aca0",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.244",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.195",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.117",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.41",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW\u0027d.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:28.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b"
},
{
"url": "https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313"
},
{
"url": "https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512"
},
{
"url": "https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a"
}
],
"title": "net/sched: fix pedit partial COW leading to page cache corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46331",
"datePublished": "2026-06-16T06:26:21.066Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:28.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52907 (GCVE-0-2026-52907)
Vulnerability from nvd – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
media: rockchip: rkcif: fix off by one bugs
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rkcif: fix off by one bugs
Change these comparisons from > vs >= to avoid accessing one element
beyond the end of the arrays.
While at it, use ARRAY_SIZE instead of the _MAX enum values.
[fix cosmetic issues]
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f2353f5a1af995efbf7bea44341aa0d03460b28 , < 73e119036b3a799170ed89907b4273c07306d611
(git)
Affected: 1f2353f5a1af995efbf7bea44341aa0d03460b28 , < e4056b84af0fc18c84b4e5741df04ecd8ca17973 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73e119036b3a799170ed89907b4273c07306d611",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
},
{
"lessThan": "e4056b84af0fc18c84b4e5741df04ecd8ca17973",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rockchip: rkcif: fix off by one bugs\n\nChange these comparisons from \u003e vs \u003e= to avoid accessing one element\nbeyond the end of the arrays.\nWhile at it, use ARRAY_SIZE instead of the _MAX enum values.\n\n[fix cosmetic issues]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:46.770Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73e119036b3a799170ed89907b4273c07306d611"
},
{
"url": "https://git.kernel.org/stable/c/e4056b84af0fc18c84b4e5741df04ecd8ca17973"
}
],
"title": "media: rockchip: rkcif: fix off by one bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52907",
"datePublished": "2026-06-09T12:36:04.617Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:46.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52906 (GCVE-0-2026-52906)
Vulnerability from nvd – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
9p: fix access mode flags being ORed instead of replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p: fix access mode flags being ORed instead of replaced
Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
"access=user", both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.
This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.
Fix by clearing the access mask before applying the user's choice.
Severity
7.7 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f3e4142c0eb178089ea0cbc97506a061470ad27 , < b8f037e87a083291190204b959cda417aaf01058
(git)
Affected: 1f3e4142c0eb178089ea0cbc97506a061470ad27 , < da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8f037e87a083291190204b959cda417aaf01058",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
},
{
"lessThan": "da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix access mode flags being ORed instead of replaced\n\nSince commit 1f3e4142c0eb (\"9p: convert to the new mount API\"),\nv9fs_apply_options() applies parsed mount flags with |= onto flags\nalready set by v9fs_session_init(). For 9P2000.L, session_init sets\nV9FS_ACCESS_CLIENT as the default, so when the user mounts with\n\"access=user\", both bits end up set. Access mode checks compare\nagainst exact values, so having both bits set matches neither mode.\n\nThis causes v9fs_fid_lookup() to fall through to the default switch\ncase, using INVALID_UID (nobody/65534) instead of current_fsuid()\nfor all fid lookups. Root is then unable to chown or perform other\nprivileged operations.\n\nFix by clearing the access mask before applying the user\u0027s choice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:41.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8f037e87a083291190204b959cda417aaf01058"
},
{
"url": "https://git.kernel.org/stable/c/da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9"
}
],
"title": "9p: fix access mode flags being ORed instead of replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52906",
"datePublished": "2026-06-09T12:36:03.521Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:41.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52905 (GCVE-0-2026-52905)
Vulnerability from nvd – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced
a bug that allows unaligned DAMON region address ranges. Commit
c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs
interface can emit non-power of two min_region_sz via damon_start(). Fix
the path by adding the is_power_of_2() check on damon_start().
The issue was discovered by sashiko [1].
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d8f867fa0825fb3e358457566d7326d8aab2406a , < 1de2db19a6028abe7d905875922faef5b873de67
(git)
Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 89b6226b6c2a4add3939f361653a47c212d6ab75 (git) Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 95093e5cb4c5b50a5b1a4b79f2942b62744bd66a (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1de2db19a6028abe7d905875922faef5b873de67",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "89b6226b6c2a4add3939f361653a47c212d6ab75",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "95093e5cb4c5b50a5b1a4b79f2942b62744bd66a",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: disallow non-power of two min_region_sz on damon_start()\n\nCommit d8f867fa0825 (\"mm/damon: add damon_ctx-\u003emin_sz_region\") introduced\na bug that allows unaligned DAMON region address ranges. Commit\nc80f46ac228b (\"mm/damon/core: disallow non-power of two min_region_sz\")\nfixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs\ninterface can emit non-power of two min_region_sz via damon_start(). Fix\nthe path by adding the is_power_of_2() check on damon_start().\n\nThe issue was discovered by sashiko [1]."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:36.556Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1de2db19a6028abe7d905875922faef5b873de67"
},
{
"url": "https://git.kernel.org/stable/c/89b6226b6c2a4add3939f361653a47c212d6ab75"
},
{
"url": "https://git.kernel.org/stable/c/95093e5cb4c5b50a5b1a4b79f2942b62744bd66a"
}
],
"title": "mm/damon/core: disallow non-power of two min_region_sz on damon_start()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52905",
"datePublished": "2026-06-09T12:36:02.516Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:36.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52904 (GCVE-0-2026-52904)
Vulnerability from nvd – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
drm/nouveau: fix nvkm_device leak on aperture removal failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix nvkm_device leak on aperture removal failure
When aperture_remove_conflicting_pci_devices() fails during probe, the
error path returns directly without unwinding the nvkm_device that was
just allocated by nvkm_device_pci_new(). This leaks both the device
wrapper and the pci_enable_device() reference taken inside it.
Jump to the existing fail_nvkm label so nvkm_device_del() runs and
balances both. The leak was introduced when the intermediate
nvkm_device_del() between detection and aperture removal was dropped
in favor of creating the pci device once.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 5edd564ccb002ffc830e7818c1c4a992db774678
(git)
Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6 (git) Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 843c0247cf21364e33bb5a8ffc9af57107d04d05 (git) Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 6597ff1d8de3f583be169587efeafd8af134e138 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5edd564ccb002ffc830e7818c1c4a992db774678",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "843c0247cf21364e33bb5a8ffc9af57107d04d05",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "6597ff1d8de3f583be169587efeafd8af134e138",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix nvkm_device leak on aperture removal failure\n\nWhen aperture_remove_conflicting_pci_devices() fails during probe, the\nerror path returns directly without unwinding the nvkm_device that was\njust allocated by nvkm_device_pci_new(). This leaks both the device\nwrapper and the pci_enable_device() reference taken inside it.\n\nJump to the existing fail_nvkm label so nvkm_device_del() runs and\nbalances both. The leak was introduced when the intermediate\nnvkm_device_del() between detection and aperture removal was dropped\nin favor of creating the pci device once."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:32.591Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5edd564ccb002ffc830e7818c1c4a992db774678"
},
{
"url": "https://git.kernel.org/stable/c/4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6"
},
{
"url": "https://git.kernel.org/stable/c/843c0247cf21364e33bb5a8ffc9af57107d04d05"
},
{
"url": "https://git.kernel.org/stable/c/6597ff1d8de3f583be169587efeafd8af134e138"
}
],
"title": "drm/nouveau: fix nvkm_device leak on aperture removal failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52904",
"datePublished": "2026-06-09T12:36:01.237Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-14T18:09:32.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46332 (GCVE-0-2026-46332)
Vulnerability from nvd – Published: 2026-06-09 12:36 – Updated: 2026-06-14 18:09
VLAI
Title
greybus: gb-beagleplay: bound bootloader receive buffering
Summary
In the Linux kernel, the following vulnerability has been resolved:
greybus: gb-beagleplay: bound bootloader receive buffering
cc1352_bootloader_rx() appends each serdev chunk into the fixed
rx_buffer before parsing bootloader packets. The helper can keep
leftover bytes between callbacks and may receive multiple packets in one
callback, so a single count value is not constrained by one packet
length.
Check that the incoming chunk fits in the remaining receive buffer space
before memcpy(). If it does not, drop the staged data and consume the
bytes instead of overflowing rx_buffer.
Severity
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 663c2728a6d0f781044431111b53a27f71027e48
(git)
Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < fb91d4e49fcbea0b5091394ac5b8f7d4124265c3 (git) Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 0339a746ff7cd3f9d10f565e89c99dc93191e58d (git) Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 1214bf28965ceaf584fb20d357731264dd2e10e1 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "663c2728a6d0f781044431111b53a27f71027e48",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "fb91d4e49fcbea0b5091394ac5b8f7d4124265c3",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "0339a746ff7cd3f9d10f565e89c99dc93191e58d",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "1214bf28965ceaf584fb20d357731264dd2e10e1",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: gb-beagleplay: bound bootloader receive buffering\n\ncc1352_bootloader_rx() appends each serdev chunk into the fixed\nrx_buffer before parsing bootloader packets. The helper can keep\nleftover bytes between callbacks and may receive multiple packets in one\ncallback, so a single count value is not constrained by one packet\nlength.\n\nCheck that the incoming chunk fits in the remaining receive buffer space\nbefore memcpy(). If it does not, drop the staged data and consume the\nbytes instead of overflowing rx_buffer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:23.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/663c2728a6d0f781044431111b53a27f71027e48"
},
{
"url": "https://git.kernel.org/stable/c/fb91d4e49fcbea0b5091394ac5b8f7d4124265c3"
},
{
"url": "https://git.kernel.org/stable/c/0339a746ff7cd3f9d10f565e89c99dc93191e58d"
},
{
"url": "https://git.kernel.org/stable/c/1214bf28965ceaf584fb20d357731264dd2e10e1"
}
],
"title": "greybus: gb-beagleplay: bound bootloader receive buffering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46332",
"datePublished": "2026-06-09T12:36:00.450Z",
"dateReserved": "2026-05-13T15:03:33.113Z",
"dateUpdated": "2026-06-14T18:09:23.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46330 (GCVE-0-2026-46330)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-14 04:30
VLAI
Title
Revert "net/smc: Introduce TCP ULP support"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "net/smc: Introduce TCP ULP support"
This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.
As reported by Al Viro, the TCP ULP support for SMC is fundamentally
broken. The implementation attempts to convert an active TCP socket
into an SMC socket by modifying the underlying `struct file`, dentry,
and inode in-place, which violates core VFS invariants that assume
these structures are immutable for an open file, creating a risk of
use after free errors and general system instability.
Given the severity of this design flaw and the fact that cleaner
alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application
transparency, the correct course of action is to remove this feature
entirely.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d7cd421da9da2cc7b4d25b8537f66db5c8331c40 , < 6c505d95c69e27dbf28fea29dc84d2498d69515c
(git)
Affected: d7cd421da9da2cc7b4d25b8537f66db5c8331c40 , < df31a6b0a3057e66994ad6ccf5d95b9b9514f033 (git) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c505d95c69e27dbf28fea29dc84d2498d69515c",
"status": "affected",
"version": "d7cd421da9da2cc7b4d25b8537f66db5c8331c40",
"versionType": "git"
},
{
"lessThan": "df31a6b0a3057e66994ad6ccf5d95b9b9514f033",
"status": "affected",
"version": "d7cd421da9da2cc7b4d25b8537f66db5c8331c40",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"net/smc: Introduce TCP ULP support\"\n\nThis reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.\n\nAs reported by Al Viro, the TCP ULP support for SMC is fundamentally\nbroken. The implementation attempts to convert an active TCP socket\ninto an SMC socket by modifying the underlying `struct file`, dentry,\nand inode in-place, which violates core VFS invariants that assume\nthese structures are immutable for an open file, creating a risk of\nuse after free errors and general system instability.\n\nGiven the severity of this design flaw and the fact that cleaner\nalternatives (e.g., LD_PRELOAD, BPF) exist for legacy application\ntransparency, the correct course of action is to remove this feature\nentirely."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T04:30:28.844Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c505d95c69e27dbf28fea29dc84d2498d69515c"
},
{
"url": "https://git.kernel.org/stable/c/df31a6b0a3057e66994ad6ccf5d95b9b9514f033"
}
],
"title": "Revert \"net/smc: Introduce TCP ULP support\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46330",
"datePublished": "2026-06-09T12:25:59.413Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T04:30:28.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46329 (GCVE-0-2026-46329)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
VLAI
Title
erofs: handle end of filesystem properly for file-backed mounts
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle end of filesystem properly for file-backed mounts
I/O requests beyond the end of the filesystem should be zeroed out,
similar to loopback devices and that is what we expect.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < 8d582d65d20bb4796db01b19e86909ad68cb337b
(git)
Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < e49abde0ffc382a967b24f326d1614ac3bb06a94 (git) Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < fe4039034dcdf584afbf763787909e28e92a4927 (git) Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d582d65d20bb4796db01b19e86909ad68cb337b",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "e49abde0ffc382a967b24f326d1614ac3bb06a94",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "fe4039034dcdf584afbf763787909e28e92a4927",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle end of filesystem properly for file-backed mounts\n\nI/O requests beyond the end of the filesystem should be zeroed out,\nsimilar to loopback devices and that is what we expect."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:58.520Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d582d65d20bb4796db01b19e86909ad68cb337b"
},
{
"url": "https://git.kernel.org/stable/c/e49abde0ffc382a967b24f326d1614ac3bb06a94"
},
{
"url": "https://git.kernel.org/stable/c/fe4039034dcdf584afbf763787909e28e92a4927"
},
{
"url": "https://git.kernel.org/stable/c/bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc"
}
],
"title": "erofs: handle end of filesystem properly for file-backed mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46329",
"datePublished": "2026-06-09T12:25:58.520Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:58.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46328 (GCVE-0-2026-46328)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-14 04:30
VLAI
Title
apparmor: fix rlimit for posix cpu timers
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix rlimit for posix cpu timers
Posix cpu timers requires an additional step beyond setting the rlimit.
Refactor the code so its clear when what code is setting the
limit and conditionally update the posix cpu timers when appropriate.
Severity
7.3 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < e1cc11550b2f66687a374536c9dfdddcefca0efe
(git)
Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 2232d7cd243833ad750cae656d1817fe43744a09 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 1f736dfe27c857b78f8461cd7c3dd9640be74b37 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < e43818b16815c0c2bf933ef28316f8e704e5e0ef (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 9bf1fa150775b0c6b794e4b6a2c0395e13777999 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 57d51d41b90eface809b72e0e009b50546492f1f (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 6ca56813f4a589f536adceb42882855d91fb1125 (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1cc11550b2f66687a374536c9dfdddcefca0efe",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "2232d7cd243833ad750cae656d1817fe43744a09",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "1f736dfe27c857b78f8461cd7c3dd9640be74b37",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "e43818b16815c0c2bf933ef28316f8e704e5e0ef",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "9bf1fa150775b0c6b794e4b6a2c0395e13777999",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "57d51d41b90eface809b72e0e009b50546492f1f",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "6ca56813f4a589f536adceb42882855d91fb1125",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix rlimit for posix cpu timers\n\nPosix cpu timers requires an additional step beyond setting the rlimit.\nRefactor the code so its clear when what code is setting the\nlimit and conditionally update the posix cpu timers when appropriate."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T04:30:27.441Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1cc11550b2f66687a374536c9dfdddcefca0efe"
},
{
"url": "https://git.kernel.org/stable/c/2232d7cd243833ad750cae656d1817fe43744a09"
},
{
"url": "https://git.kernel.org/stable/c/28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3"
},
{
"url": "https://git.kernel.org/stable/c/1f736dfe27c857b78f8461cd7c3dd9640be74b37"
},
{
"url": "https://git.kernel.org/stable/c/e43818b16815c0c2bf933ef28316f8e704e5e0ef"
},
{
"url": "https://git.kernel.org/stable/c/9bf1fa150775b0c6b794e4b6a2c0395e13777999"
},
{
"url": "https://git.kernel.org/stable/c/57d51d41b90eface809b72e0e009b50546492f1f"
},
{
"url": "https://git.kernel.org/stable/c/6ca56813f4a589f536adceb42882855d91fb1125"
}
],
"title": "apparmor: fix rlimit for posix cpu timers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46328",
"datePublished": "2026-06-09T12:25:57.629Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T04:30:27.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46327 (GCVE-0-2026-46327)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-14 04:30
VLAI
Title
dm: fix unlocked test for dm_suspended_md
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix unlocked test for dm_suspended_md
The function dm_blk_report_zones tests if the device is suspended with
the "dm_suspended_md" call. However, this function is called without
holding any locks, so the device may be suspended just after it.
Move the call to dm_suspended_md after dm_get_live_table, so that the
device can't be suspended after the suspended state was tested.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f9c1bdf24615303d48a2d0fd629c88f3189563aa , < 175ac0a6115400278d3900f5a04a58b17b3f6cd0
(git)
Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < 7a3385e97af2b6f485fef11e82d8c29adee4be93 (git) Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < d809a36692ee1394cac85ce6ba7cf8ea58da5812 (git) Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < 24c405fdbe215c45e57bba672cc42859038491ee (git) Affected: d19bc1b4dd5f322980b1f05f79b2ea4f0db10920 (git) Affected: 6.12.34 , < 6.12.75 (semver) Affected: 6.15.3 , < 6.16 (semver) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-zone.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "175ac0a6115400278d3900f5a04a58b17b3f6cd0",
"status": "affected",
"version": "f9c1bdf24615303d48a2d0fd629c88f3189563aa",
"versionType": "git"
},
{
"lessThan": "7a3385e97af2b6f485fef11e82d8c29adee4be93",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"lessThan": "d809a36692ee1394cac85ce6ba7cf8ea58da5812",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"lessThan": "24c405fdbe215c45e57bba672cc42859038491ee",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"status": "affected",
"version": "d19bc1b4dd5f322980b1f05f79b2ea4f0db10920",
"versionType": "git"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-zone.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix unlocked test for dm_suspended_md\n\nThe function dm_blk_report_zones tests if the device is suspended with\nthe \"dm_suspended_md\" call. However, this function is called without\nholding any locks, so the device may be suspended just after it.\n\nMove the call to dm_suspended_md after dm_get_live_table, so that the\ndevice can\u0027t be suspended after the suspended state was tested."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T04:30:25.673Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/175ac0a6115400278d3900f5a04a58b17b3f6cd0"
},
{
"url": "https://git.kernel.org/stable/c/7a3385e97af2b6f485fef11e82d8c29adee4be93"
},
{
"url": "https://git.kernel.org/stable/c/d809a36692ee1394cac85ce6ba7cf8ea58da5812"
},
{
"url": "https://git.kernel.org/stable/c/24c405fdbe215c45e57bba672cc42859038491ee"
}
],
"title": "dm: fix unlocked test for dm_suspended_md",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46327",
"datePublished": "2026-06-09T12:25:54.781Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T04:30:25.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46326 (GCVE-0-2026-46326)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-14 04:30
VLAI
Title
iio: pressure: mprls0025pa: fix spi_transfer struct initialisation
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: pressure: mprls0025pa: fix spi_transfer struct initialisation
Make sure that the spi_transfer struct is zeroed out before use.
Severity
8.4 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a0858f0cd28e822b91376ae288d5548bc1847531 , < 72158f9ae29a9e56d0f9704ce461a866feaf9925
(git)
Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 664ffdf34c01810085e4d85508b361c3fdd2ab40 (git) Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 9080c7ac30f5f8f8fcb7b27b56df60fea7909c21 (git) Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 1e0ac56c92e26115cbc8cfc639843725cb3a7d6a (git) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/pressure/mprls0025pa_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72158f9ae29a9e56d0f9704ce461a866feaf9925",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "664ffdf34c01810085e4d85508b361c3fdd2ab40",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "9080c7ac30f5f8f8fcb7b27b56df60fea7909c21",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "1e0ac56c92e26115cbc8cfc639843725cb3a7d6a",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/pressure/mprls0025pa_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: pressure: mprls0025pa: fix spi_transfer struct initialisation\n\nMake sure that the spi_transfer struct is zeroed out before use."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T04:30:22.679Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72158f9ae29a9e56d0f9704ce461a866feaf9925"
},
{
"url": "https://git.kernel.org/stable/c/664ffdf34c01810085e4d85508b361c3fdd2ab40"
},
{
"url": "https://git.kernel.org/stable/c/9080c7ac30f5f8f8fcb7b27b56df60fea7909c21"
},
{
"url": "https://git.kernel.org/stable/c/1e0ac56c92e26115cbc8cfc639843725cb3a7d6a"
}
],
"title": "iio: pressure: mprls0025pa: fix spi_transfer struct initialisation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46326",
"datePublished": "2026-06-09T12:25:53.893Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T04:30:22.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46325 (GCVE-0-2026-46325)
Vulnerability from nvd – Published: 2026-06-09 12:25 – Updated: 2026-06-14 04:30
VLAI
Title
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
The current implementation incorrectly handles memory regions (MRs) with
page sizes different from the system PAGE_SIZE. The core issue is that
rxe_set_page() is called with mr->page_size step increments, but the
page_list stores individual struct page pointers, each representing
PAGE_SIZE of memory.
ib_sg_to_page() has ensured that when i>=1 either
a) SG[i-1].dma_end and SG[i].dma_addr are contiguous
or
b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.
This leads to incorrect iova-to-va conversion in scenarios:
1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):
ibmr->iova = 0x181800
sg[0]: dma_addr=0x181800, len=0x800
sg[1]: dma_addr=0x173000, len=0x1000
Access iova = 0x181800 + 0x810 = 0x182010
Expected VA: 0x173010 (second SG, offset 0x10)
Before fix:
- index = (0x182010 >> 12) - (0x181800 >> 12) = 1
- page_offset = 0x182010 & 0xFFF = 0x10
- xarray[1] stores system page base 0x170000
- Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)
2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):
ibmr->iova = 0x18f800
sg[0]: dma_addr=0x18f800, len=0x800
sg[1]: dma_addr=0x170000, len=0x1000
Access iova = 0x18f800 + 0x810 = 0x190010
Expected VA: 0x170010 (second SG, offset 0x10)
Before fix:
- index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
- page_offset = 0x190010 & 0xFFFF = 0x10
- xarray[1] stores system page for dma_addr 0x170000
- Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)
Yi Zhang reported a kernel panic[1] years ago related to this defect.
Solution:
1. Replace xarray with pre-allocated rxe_mr_page array for sequential
indexing (all MR page indices are contiguous)
2. Each rxe_mr_page stores both struct page* and offset within the
system page
3. Handle MR page_size != PAGE_SIZE relationships:
- page_size > PAGE_SIZE: Split MR pages into multiple system pages
- page_size <= PAGE_SIZE: Store offset within system page
4. Add boundary checks and compatibility validation
This ensures correct iova-to-va conversion regardless of MR page size
and system PAGE_SIZE relationship, while improving performance through
array-based sequential access.
Tests on 4K and 64K PAGE_SIZE hosts:
- rdma-core/pytests
$ ./build/bin/run_tests.py --dev eth0_rxe
- blktest:
$ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd
[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/
Severity
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
592627ccbdff0ec6fff00fc761142a76db750dd4 , < 409c2c5508f3d30627bea576f8676de523cb906e
(git)
Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 836f6c13c9674027793f720be3f15ecd2b90b6ca (git) Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 12985e5915a0b8354796efadaaeb201eed115377 (git) Affected: 0e443760b8b7b1e6723f4408afa056b2bc4fea12 (git) Affected: 6.2.3 , < 6.3 (semver) |
|
| Linux | Linux |
Affected:
6.3
Unaffected: 0 , < 6.3 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "409c2c5508f3d30627bea576f8676de523cb906e",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"lessThan": "836f6c13c9674027793f720be3f15ecd2b90b6ca",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"lessThan": "12985e5915a0b8354796efadaaeb201eed115377",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"status": "affected",
"version": "0e443760b8b7b1e6723f4408afa056b2bc4fea12",
"versionType": "git"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\n\nThe current implementation incorrectly handles memory regions (MRs) with\npage sizes different from the system PAGE_SIZE. The core issue is that\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\npage_list stores individual struct page pointers, each representing\nPAGE_SIZE of memory.\n\nib_sg_to_page() has ensured that when i\u003e=1 either\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\nor\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\n\nThis leads to incorrect iova-to-va conversion in scenarios:\n\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\n ibmr-\u003eiova = 0x181800\n sg[0]: dma_addr=0x181800, len=0x800\n sg[1]: dma_addr=0x173000, len=0x1000\n\n Access iova = 0x181800 + 0x810 = 0x182010\n Expected VA: 0x173010 (second SG, offset 0x10)\n Before fix:\n - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\n - page_offset = 0x182010 \u0026 0xFFF = 0x10\n - xarray[1] stores system page base 0x170000\n - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\n\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\n ibmr-\u003eiova = 0x18f800\n sg[0]: dma_addr=0x18f800, len=0x800\n sg[1]: dma_addr=0x170000, len=0x1000\n\n Access iova = 0x18f800 + 0x810 = 0x190010\n Expected VA: 0x170010 (second SG, offset 0x10)\n Before fix:\n - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\n - page_offset = 0x190010 \u0026 0xFFFF = 0x10\n - xarray[1] stores system page for dma_addr 0x170000\n - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\n\nYi Zhang reported a kernel panic[1] years ago related to this defect.\n\nSolution:\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\n indexing (all MR page indices are contiguous)\n2. Each rxe_mr_page stores both struct page* and offset within the\n system page\n3. Handle MR page_size != PAGE_SIZE relationships:\n - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\n - page_size \u003c= PAGE_SIZE: Store offset within system page\n4. Add boundary checks and compatibility validation\n\nThis ensures correct iova-to-va conversion regardless of MR page size\nand system PAGE_SIZE relationship, while improving performance through\narray-based sequential access.\n\nTests on 4K and 64K PAGE_SIZE hosts:\n- rdma-core/pytests\n $ ./build/bin/run_tests.py --dev eth0_rxe\n- blktest:\n $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\n\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T04:30:21.581Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e"
},
{
"url": "https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca"
},
{
"url": "https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377"
}
],
"title": "RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46325",
"datePublished": "2026-06-09T12:25:52.792Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T04:30:21.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46324 (GCVE-0-2026-46324)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:09
VLAI
Title
netfilter: nf_tables: use list_del_rcu for netlink hooks
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: use list_del_rcu for netlink hooks
nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need
to use list_del_rcu(), this list can be walked by concurrent dumpers.
Add a new helper and use it consistently.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < 0bd93ce4f3c35e845532184331d7917d7e562c80
(git)
Affected: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < 0f33e8ad6ac563ae2233dd7f75884e0ee010521d (git) Affected: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < f3224ee463f8f6f6ced7dcdf6081add4f8128527 (git) Affected: c73955a09408e7374d9abfd0e78ce3de9cda0635 (git) Affected: b09e6ccf0d12f9356e8e3508d3e3dce126298538 (git) Affected: 3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82 (git) Affected: 9c413a8c8bb49cc16796371805ecb260e885bb2b (git) Affected: a3940dcf552f2393d1e8f263b386593f98abe829 (git) Affected: 86c0154f4c3a56c5db8b9dd09e3ce885382c2c19 (git) Affected: 4.19.316 , < 4.20 (semver) Affected: 5.4.262 , < 5.5 (semver) Affected: 5.10.198 , < 5.11 (semver) Affected: 5.15.45 , < 5.16 (semver) Affected: 5.17.13 , < 5.18 (semver) Affected: 5.18.2 , < 5.19 (semver) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bd93ce4f3c35e845532184331d7917d7e562c80",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"lessThan": "0f33e8ad6ac563ae2233dd7f75884e0ee010521d",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"lessThan": "f3224ee463f8f6f6ced7dcdf6081add4f8128527",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"status": "affected",
"version": "c73955a09408e7374d9abfd0e78ce3de9cda0635",
"versionType": "git"
},
{
"status": "affected",
"version": "b09e6ccf0d12f9356e8e3508d3e3dce126298538",
"versionType": "git"
},
{
"status": "affected",
"version": "3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82",
"versionType": "git"
},
{
"status": "affected",
"version": "9c413a8c8bb49cc16796371805ecb260e885bb2b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3940dcf552f2393d1e8f263b386593f98abe829",
"versionType": "git"
},
{
"status": "affected",
"version": "86c0154f4c3a56c5db8b9dd09e3ce885382c2c19",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThan": "5.19",
"status": "affected",
"version": "5.18.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use list_del_rcu for netlink hooks\n\nnft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need\nto use list_del_rcu(), this list can be walked by concurrent dumpers.\n\nAdd a new helper and use it consistently."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:09:18.857Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bd93ce4f3c35e845532184331d7917d7e562c80"
},
{
"url": "https://git.kernel.org/stable/c/0f33e8ad6ac563ae2233dd7f75884e0ee010521d"
},
{
"url": "https://git.kernel.org/stable/c/f3224ee463f8f6f6ced7dcdf6081add4f8128527"
}
],
"title": "netfilter: nf_tables: use list_del_rcu for netlink hooks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46324",
"datePublished": "2026-06-09T12:11:16.602Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:09:18.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46323 (GCVE-0-2026-46323)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
VLAI
Title
net: gro: don't merge zcopy skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Severity
7.8 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d
(git)
Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 1f9c828556416fbe3f49386708ce999fc4d4da06 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 479084ae0e1d9cb7929cb4298d35623de189f80a (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git) Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "1f9c828556416fbe3f49386708ce999fc4d4da06",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "479084ae0e1d9cb7929cb4298d35623de189f80a",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "e334cbf3388fd9334503a778a82d9e9f14dd2f71",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "44bea2032af0425e4ce6d26a8af0ede79db49ec1",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "4db79a322db8c97f7b73b8a347395ef4d685eb40",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:26.362Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c6cc9f2ca65b6dd61b1af75452dc0e1cd0aad8d"
},
{
"url": "https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"
},
{
"url": "https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"
},
{
"url": "https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"
},
{
"url": "https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"
},
{
"url": "https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"
}
],
"title": "net: gro: don\u0027t merge zcopy skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46323",
"datePublished": "2026-06-09T12:11:15.562Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:26.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46322 (GCVE-0-2026-46322)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
VLAI
Title
tun: free page on build_skb failure in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on build_skb failure in tun_xdp_one()
When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.
Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.
Severity
7.1 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
043d222f93ab8c76b56a3b315cd8692e35affb6c , < 26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9
(git)
Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < 793385c154771603b8671dd8338927221e9d8d78 (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < 2638a9c1521905bb5c5d1e95c8fbc09f79148ed7 (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < 60d9c0d6cdde5420d6483c921b16fe5465eb5238 (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < d16e38fac09a47bfcf98c1ad65a1bb53f94540f5 (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < aa308e9dbb9acb17cacdbbce9e4504f69bac8385 (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < 4fefc6156a162a9f50035c12091a5e5130c82c6e (git) Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "793385c154771603b8671dd8338927221e9d8d78",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "2638a9c1521905bb5c5d1e95c8fbc09f79148ed7",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "60d9c0d6cdde5420d6483c921b16fe5465eb5238",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "d16e38fac09a47bfcf98c1ad65a1bb53f94540f5",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa308e9dbb9acb17cacdbbce9e4504f69bac8385",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "4fefc6156a162a9f50035c12091a5e5130c82c6e",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa8963fdce667a42fb7f0bdd2909fadcab02f9a8",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on build_skb failure in tun_xdp_one()\n\nWhen build_skb() fails in tun_xdp_one(), the function sets ret to\n-ENOMEM and jumps to the out label, which returns without freeing the\npage that vhost_net_build_xdp() allocated for the frame. As with the\nshort-frame rejection path, tun_sendmsg() discards the per-buffer error\nand still returns total_len, so vhost_tx_batch() takes the success path\nand never frees the page. Each build_skb() failure in a batch leaks one\npage-frag chunk.\n\nFree the page before taking the error path, matching the put_page() the\nother error exits of tun_xdp_one() already perform."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:24.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/26fe549b5192536b6c1c68a2dfdc8c0dcf9fa4a9"
},
{
"url": "https://git.kernel.org/stable/c/793385c154771603b8671dd8338927221e9d8d78"
},
{
"url": "https://git.kernel.org/stable/c/2638a9c1521905bb5c5d1e95c8fbc09f79148ed7"
},
{
"url": "https://git.kernel.org/stable/c/60d9c0d6cdde5420d6483c921b16fe5465eb5238"
},
{
"url": "https://git.kernel.org/stable/c/d16e38fac09a47bfcf98c1ad65a1bb53f94540f5"
},
{
"url": "https://git.kernel.org/stable/c/aa308e9dbb9acb17cacdbbce9e4504f69bac8385"
},
{
"url": "https://git.kernel.org/stable/c/4fefc6156a162a9f50035c12091a5e5130c82c6e"
},
{
"url": "https://git.kernel.org/stable/c/aa8963fdce667a42fb7f0bdd2909fadcab02f9a8"
}
],
"title": "tun: free page on build_skb failure in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46322",
"datePublished": "2026-06-09T12:11:14.776Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:24.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46321 (GCVE-0-2026-46321)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
VLAI
Title
tun: free page on short-frame rejection in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on short-frame rejection in tun_xdp_one()
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.
A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Severity
7.1 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6100e0237204890269e3f934acfc50d35fd6f319 , < 0a6f46a9332ad6958992d64d3b3a81a80b2ca940
(git)
Affected: 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 , < 0e8211fcf9426f5adddf32516ba0f400ceb9544d (git) Affected: ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 , < e915445942af6dcea628bf66d6241641201a0c41 (git) Affected: d5ad89b7d01ed4e66fd04734fc63d6e78536692a , < 5b34f9e4fe2f203724a6e893d6df0316b9670057 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 69863ff2720a0e9871f1a5710f2a33a94217fee0 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 98c67be9eb9de72465a071949e84a3cdb8fab5a3 (git) Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < f4feb1e20058e407cb00f45aff47f5b7e19a6bbf (git) Affected: 32b0aaba5dbc85816898167d9b5d45a22eae82e9 (git) Affected: a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb (git) Affected: 8418f55302fa1d2eeb73e16e345167e545c598a5 (git) Affected: 5.10.223 , < 5.10.259 (semver) Affected: 5.15.164 , < 5.15.210 (semver) Affected: 6.1.102 , < 6.1.176 (semver) Affected: 6.6.43 , < 6.6.143 (semver) Affected: 5.4.281 , < 5.5 (semver) Affected: 6.9.12 , < 6.10 (semver) Affected: 6.10.2 , < 6.11 (semver) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0a6f46a9332ad6958992d64d3b3a81a80b2ca940",
"status": "affected",
"version": "6100e0237204890269e3f934acfc50d35fd6f319",
"versionType": "git"
},
{
"lessThan": "0e8211fcf9426f5adddf32516ba0f400ceb9544d",
"status": "affected",
"version": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2",
"versionType": "git"
},
{
"lessThan": "e915445942af6dcea628bf66d6241641201a0c41",
"status": "affected",
"version": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146",
"versionType": "git"
},
{
"lessThan": "5b34f9e4fe2f203724a6e893d6df0316b9670057",
"status": "affected",
"version": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a",
"versionType": "git"
},
{
"lessThan": "69863ff2720a0e9871f1a5710f2a33a94217fee0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "37a1c268c2c8090bf4dc552d732bd23ba36f8eb0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "98c67be9eb9de72465a071949e84a3cdb8fab5a3",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "f4feb1e20058e407cb00f45aff47f5b7e19a6bbf",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"status": "affected",
"version": "32b0aaba5dbc85816898167d9b5d45a22eae82e9",
"versionType": "git"
},
{
"status": "affected",
"version": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb",
"versionType": "git"
},
{
"status": "affected",
"version": "8418f55302fa1d2eeb73e16e345167e545c598a5",
"versionType": "git"
},
{
"lessThan": "5.10.259",
"status": "affected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThan": "5.15.210",
"status": "affected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThan": "6.1.176",
"status": "affected",
"version": "6.1.102",
"versionType": "semver"
},
{
"lessThan": "6.6.143",
"status": "affected",
"version": "6.6.43",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.281",
"versionType": "semver"
},
{
"lessThan": "6.10",
"status": "affected",
"version": "6.9.12",
"versionType": "semver"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "6.1.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "6.6.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:22.421Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0a6f46a9332ad6958992d64d3b3a81a80b2ca940"
},
{
"url": "https://git.kernel.org/stable/c/0e8211fcf9426f5adddf32516ba0f400ceb9544d"
},
{
"url": "https://git.kernel.org/stable/c/e915445942af6dcea628bf66d6241641201a0c41"
},
{
"url": "https://git.kernel.org/stable/c/5b34f9e4fe2f203724a6e893d6df0316b9670057"
},
{
"url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"
},
{
"url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"
},
{
"url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"
},
{
"url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"
}
],
"title": "tun: free page on short-frame rejection in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46321",
"datePublished": "2026-06-09T12:11:13.872Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:22.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46320 (GCVE-0-2026-46320)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-19 12:00
VLAI
Title
tap: free page on error paths in tap_get_user_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tap: free page on error paths in tap_get_user_xdp()
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Severity
7.4 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0efac27791ee068075d80f07c55a229b1335ce12 , < 8d03e65eb6cfbffec471a6b65416f93679bf3286
(git)
Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < f979971835dddbca86cf99e3b2e2b94a408a1ab2 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 3f52a86a482a69294c50a5a2a097bd6f4104990a (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < d30aac0fa00ca0afc3e08174cf7f974a66bdcf05 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < d68eab61944a9b0826fa2e954e42db1aa3201b7a (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < e27c17346628cb56843a83f93ac63c314c00f388 (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 18a84c35842e19cd3c5534d8cee73d31863f696d (git) Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.1.176 , ≤ 6.1.* (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d03e65eb6cfbffec471a6b65416f93679bf3286",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "f979971835dddbca86cf99e3b2e2b94a408a1ab2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3f52a86a482a69294c50a5a2a097bd6f4104990a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d30aac0fa00ca0afc3e08174cf7f974a66bdcf05",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "d68eab61944a9b0826fa2e954e42db1aa3201b7a",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "e27c17346628cb56843a83f93ac63c314c00f388",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "18a84c35842e19cd3c5534d8cee73d31863f696d",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.176",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: free page on error paths in tap_get_user_xdp()\n\ntap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,\nand returns -ENOMEM when build_skb() fails. Both paths jump to the err\nlabel without freeing the page that vhost_net_build_xdp() allocated for\nthe frame. tap_sendmsg() discards the per-buffer return value and always\nreturns 0, so vhost_tx_batch() takes the success path and never frees\nthe page; each rejected frame in a batch leaks one page-frag chunk.\n\nFree the page on both error paths, before the skb is built. This is the\ntap counterpart of the same leak in tun_xdp_one()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:17.235Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d03e65eb6cfbffec471a6b65416f93679bf3286"
},
{
"url": "https://git.kernel.org/stable/c/f979971835dddbca86cf99e3b2e2b94a408a1ab2"
},
{
"url": "https://git.kernel.org/stable/c/3f52a86a482a69294c50a5a2a097bd6f4104990a"
},
{
"url": "https://git.kernel.org/stable/c/d30aac0fa00ca0afc3e08174cf7f974a66bdcf05"
},
{
"url": "https://git.kernel.org/stable/c/d68eab61944a9b0826fa2e954e42db1aa3201b7a"
},
{
"url": "https://git.kernel.org/stable/c/e27c17346628cb56843a83f93ac63c314c00f388"
},
{
"url": "https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2"
}
],
"title": "tap: free page on error paths in tap_get_user_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46320",
"datePublished": "2026-06-09T12:11:12.882Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:17.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46319 (GCVE-0-2026-46319)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:08
VLAI
Title
net/sched: act_ct: Only release RCU read lock after ct_ft
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: Only release RCU read lock after ct_ft
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().
static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
{
struct zones_ht_key key = { .net = net, .zone = params->zone };
struct tcf_ct_flow_table *ct_ft;
int err = -ENOMEM;
mutex_lock(&zones_mutex);
ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
goto out_unlock;
...
}
static __always_inline void *rhashtable_lookup_fast(
struct rhashtable *ht, const void *key,
const struct rhashtable_params params)
{
void *obj;
rcu_read_lock();
obj = rhashtable_lookup(ht, key, params);
rcu_read_unlock();
return obj;
}
At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht . The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
if (refcount_dec_and_test(&ct_ft->ref)) {
rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
queue_rcu_work(act_ct_wq, &ct_ft->rwork);
}
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
struct tcf_ct_flow_table *ct_ft;
struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
rwork);
nf_flow_table_free(&ct_ft->nf_ft);
block = &ct_ft->nf_ft.flow_block;
down_write(&ct_ft->nf_ft.flow_block_lock);
WARN_ON(!list_empty(&block->cb_list));
up_write(&ct_ft->nf_ft.flow_block_lock);
kfree(ct_ft); // [4]
module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after[1]
Severity
7.8 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
138470a9b2cc2e26e6018300394afc3858a54e6a , < ece578ca61e572df96cfc80456357ebfae0b4b9e
(git)
Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < a2e0c045c87aa252eb61412e67dd91f2c2b19f81 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 67c9ecc9f2575273ed1323e312881fc98ac83d6d (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f23424a0ddadb494d4bd57056a7ca703312d3a7b (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 17dfb67cb399b660105d9a8c6100851c0d0cdc70 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 4c727c6967a41b37efe0f26332ca9ec5b74785a3 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 3e20e1b3058e0b94638e7b931c138e840e266724 (git) Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f462dca0c8415bf0058d0ffa476354c4476d0f09 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ece578ca61e572df96cfc80456357ebfae0b4b9e",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "a2e0c045c87aa252eb61412e67dd91f2c2b19f81",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "67c9ecc9f2575273ed1323e312881fc98ac83d6d",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f23424a0ddadb494d4bd57056a7ca703312d3a7b",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "17dfb67cb399b660105d9a8c6100851c0d0cdc70",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "4c727c6967a41b37efe0f26332ca9ec5b74785a3",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "3e20e1b3058e0b94638e7b931c138e840e266724",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f462dca0c8415bf0058d0ffa476354c4476d0f09",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: Only release RCU read lock after ct_ft\n\nWhen looking up a flow table in act_ct in tcf_ct_flow_table_get(),\nrhashtable_lookup_fast() internally opens and closes an RCU read critical\nsection before returning ct_ft.\nThe tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()\nis invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft\nobject. This vulnerability can lead to privilege escalation.\n\nAnalysis from zdi-disclosures@trendmicro.com:\nWhen initializing act_ct, tcf_ct_init() is called, which internally triggers\ntcf_ct_flow_table_get().\n\nstatic int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)\n\n{\n struct zones_ht_key key = { .net = net, .zone = params-\u003ezone };\n struct tcf_ct_flow_table *ct_ft;\n int err = -ENOMEM;\n\n mutex_lock(\u0026zones_mutex);\n ct_ft = rhashtable_lookup_fast(\u0026zones_ht, \u0026key, zones_params); // [1]\n if (ct_ft \u0026\u0026 refcount_inc_not_zero(\u0026ct_ft-\u003eref)) // [2]\n goto out_unlock;\n ...\n}\n\nstatic __always_inline void *rhashtable_lookup_fast(\n struct rhashtable *ht, const void *key,\n const struct rhashtable_params params)\n{\n void *obj;\n\n rcu_read_lock();\n obj = rhashtable_lookup(ht, key, params);\n rcu_read_unlock();\n\n return obj;\n}\n\nAt [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft\nfrom zones_ht . The lookup is performed within an RCU read critical section\nthrough rcu_read_lock() / rcu_read_unlock(), which prevents the object from\nbeing freed. However, at the point of function return, rcu_read_unlock() has\nalready been called, and there is nothing preventing ct_ft from being freed\nbefore reaching refcount_inc_not_zero(\u0026ct_ft-\u003eref) at [2]. This interval becomes\nthe race window, during which ct_ft can be freed.\n\nFree Process:\n\ntcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()\ntcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().\n\nstatic void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)\n{\n if (refcount_dec_and_test(\u0026ct_ft-\u003eref)) {\n rhashtable_remove_fast(\u0026zones_ht, \u0026ct_ft-\u003enode, zones_params);\n INIT_RCU_WORK(\u0026ct_ft-\u003erwork, tcf_ct_flow_table_cleanup_work); // [3]\n queue_rcu_work(act_ct_wq, \u0026ct_ft-\u003erwork);\n }\n}\n\nAt [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work\n\nstatic void tcf_ct_flow_table_cleanup_work(struct work_struct *work)\n\n{\n struct tcf_ct_flow_table *ct_ft;\n struct flow_block *block;\n\n ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,\n rwork);\n nf_flow_table_free(\u0026ct_ft-\u003enf_ft);\n block = \u0026ct_ft-\u003enf_ft.flow_block;\n down_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n WARN_ON(!list_empty(\u0026block-\u003ecb_list));\n up_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n kfree(ct_ft); // [4]\n\n module_put(THIS_MODULE);\n}\n\ntcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes\nbetween [1] and [2], UAF occurs.\n\nThis race condition has a very short race window, making it generally\ndifficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was\ninserted after[1]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:57.070Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e"
},
{
"url": "https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81"
},
{
"url": "https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d"
},
{
"url": "https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b"
},
{
"url": "https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70"
},
{
"url": "https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3"
},
{
"url": "https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724"
},
{
"url": "https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09"
}
],
"title": "net/sched: act_ct: Only release RCU read lock after ct_ft",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46319",
"datePublished": "2026-06-09T12:11:12.128Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:57.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46318 (GCVE-0-2026-46318)
Vulnerability from nvd – Published: 2026-06-09 12:11 – Updated: 2026-06-14 18:08
VLAI
Title
Revert "mm/hugetlbfs: update hugetlbfs to use mmap_prepare"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "mm/hugetlbfs: update hugetlbfs to use mmap_prepare"
This reverts commit ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use
mmap_prepare") with conflict resolution to account for changes in commit
ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use mmap_prepare").
The patch incorrectly handled hugetlb VMA lock allocation at the
mmap_prepare stage, where a failed allocation occurring after mmap_prepare
is called might result in the lock leaking.
There is no risk of a merge causing a similar issues, as
VMA_DONTEXPAND_BIT is set for hugetlb mappings.
As a first step in addressing this issue, simply revert the change so we
can rework how we do this having corrected the underlying issues.
We maintain the VMA flags changes as best we can, accounting for the fact
that we were working with a VMA descriptor previously and propagating
like-for-like changes for this.
Note that we invoke vma_set_flags() and do not call vma_start_write() as
vm_flags_set() does. This is OK as it's being done in an .mmap hook where
the VMA is not yet linked into the tree so nobody else can be accessing
it.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ea52cb24cd3fb121283754ab82b2cb3044609359 , < 3af5fc3f0ac98c624c109c8c0796fa46e814344c
(git)
Affected: ea52cb24cd3fb121283754ab82b2cb3044609359 , < 83f9efcce93f8574be2279090ee2aec58b86cda7 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c",
"include/linux/hugetlb.h",
"include/linux/hugetlb_inline.h",
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3af5fc3f0ac98c624c109c8c0796fa46e814344c",
"status": "affected",
"version": "ea52cb24cd3fb121283754ab82b2cb3044609359",
"versionType": "git"
},
{
"lessThan": "83f9efcce93f8574be2279090ee2aec58b86cda7",
"status": "affected",
"version": "ea52cb24cd3fb121283754ab82b2cb3044609359",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c",
"include/linux/hugetlb.h",
"include/linux/hugetlb_inline.h",
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"\n\nThis reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use\nmmap_prepare\") with conflict resolution to account for changes in commit\nea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").\n\nThe patch incorrectly handled hugetlb VMA lock allocation at the\nmmap_prepare stage, where a failed allocation occurring after mmap_prepare\nis called might result in the lock leaking.\n\nThere is no risk of a merge causing a similar issues, as\nVMA_DONTEXPAND_BIT is set for hugetlb mappings.\n\nAs a first step in addressing this issue, simply revert the change so we\ncan rework how we do this having corrected the underlying issues.\n\nWe maintain the VMA flags changes as best we can, accounting for the fact\nthat we were working with a VMA descriptor previously and propagating\nlike-for-like changes for this.\n\nNote that we invoke vma_set_flags() and do not call vma_start_write() as\nvm_flags_set() does. This is OK as it\u0027s being done in an .mmap hook where\nthe VMA is not yet linked into the tree so nobody else can be accessing\nit."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:52.009Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3af5fc3f0ac98c624c109c8c0796fa46e814344c"
},
{
"url": "https://git.kernel.org/stable/c/83f9efcce93f8574be2279090ee2aec58b86cda7"
}
],
"title": "Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46318",
"datePublished": "2026-06-09T12:11:11.181Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:52.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46317 (GCVE-0-2026-46317)
Vulnerability from nvd – Published: 2026-06-09 11:52 – Updated: 2026-06-14 18:08
VLAI
Title
KVM: arm64: Reassign nested_mmus array behind mmu_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Reassign nested_mmus array behind mmu_lock
kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.
Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.
Severity
8.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 918450ad6010df6ecd2efde12a1409e011da22d6
(git)
Affected: 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 4424dbcb06d68e34e51c019a5781a7dc00731971 (git) Affected: 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 (git) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918450ad6010df6ecd2efde12a1409e011da22d6",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
},
{
"lessThan": "4424dbcb06d68e34e51c019a5781a7dc00731971",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
},
{
"lessThan": "70543358fa08e0f7cebc3447c3b70fe97ad7aaa8",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Reassign nested_mmus array behind mmu_lock\n\nkvm-\u003earch.nested_mmus[] is walked under kvm-\u003emmu_lock, including from the\nMMU notifier path (kvm_unmap_gfn_range() -\u003e kvm_nested_s2_unmap()), which\ncan run at any time. kvm_vcpu_init_nested() reallocates the array and frees\nthe old buffer while holding only kvm-\u003earch.config_lock, so such a walker\ncan reference the freed array.\n\nAllocate the new array outside of mmu_lock, as the allocation can sleep.\nUnder the lock, copy the existing entries, fix up the back pointers and\nreassign the array. Free the old buffer after dropping the lock, as\nkvfree() can sleep as well."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:48.063Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918450ad6010df6ecd2efde12a1409e011da22d6"
},
{
"url": "https://git.kernel.org/stable/c/4424dbcb06d68e34e51c019a5781a7dc00731971"
},
{
"url": "https://git.kernel.org/stable/c/70543358fa08e0f7cebc3447c3b70fe97ad7aaa8"
}
],
"title": "KVM: arm64: Reassign nested_mmus array behind mmu_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46317",
"datePublished": "2026-06-09T11:52:30.333Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:48.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46316 (GCVE-0-2026-46316)
Vulnerability from nvd – Published: 2026-06-09 11:52 – Updated: 2026-06-14 18:08
VLAI
Title
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().
The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.
xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.
Severity
9.3 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8201d1028caa4fae88e222c4e8cf541fdf45b821 , < b7b72e88046328c9fdc638fe887d4240257dd5dc
(git)
Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 2bbc395e81bd29c543a0529a678327e932a7ec69 (git) Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 9121f4605ab94969f62d1b5714ca3c6c69bd202f (git) Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 13031fb6b8357fbbcded2a7f4cba73e4781ee594 (git) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 6.12.93 , ≤ 6.12.* (semver) Unaffected: 6.18.35 , ≤ 6.18.* (semver) Unaffected: 7.0.12 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7b72e88046328c9fdc638fe887d4240257dd5dc",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "2bbc395e81bd29c543a0529a678327e932a7ec69",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "9121f4605ab94969f62d1b5714ca3c6c69bd202f",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "13031fb6b8357fbbcded2a7f4cba73e4781ee594",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry\n\nvgic_its_invalidate_cache() walks the per-ITS translation cache with\nxa_for_each() and drops the cache\u0027s reference on each entry with\nvgic_put_irq(). It puts the iterated pointer, though, rather than the\nvalue returned by xa_erase().\n\nThe function is called from contexts that do not exclude one another: the\nITS command handlers hold its_lock, the GITS_CTLR write path holds\ncmd_lock, and the path that clears EnableLPIs in a redistributor\u0027s\nGICR_CTLR holds neither. Two or more of them can drain the same cache\nconcurrently, and if each one observes the same entry, erases it and then\nputs it, the single reference the cache holds on that entry is dropped\nmore than once. The entry can then be freed while an ITE still maps it.\n\nxa_erase() is atomic and returns the previous entry, so put only the entry\nthat this context actually removed. The cache reference is then dropped\nexactly once per entry even when the invalidations run concurrently, and\nthe behavior is unchanged when only one context runs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:08:43.226Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc"
},
{
"url": "https://git.kernel.org/stable/c/2bbc395e81bd29c543a0529a678327e932a7ec69"
},
{
"url": "https://git.kernel.org/stable/c/9121f4605ab94969f62d1b5714ca3c6c69bd202f"
},
{
"url": "https://git.kernel.org/stable/c/13031fb6b8357fbbcded2a7f4cba73e4781ee594"
}
],
"title": "KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46316",
"datePublished": "2026-06-09T11:52:29.349Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-14T18:08:43.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}