Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2026:27354
Vulnerability from osv_almalinux
Published
2026-06-19 00:00
Modified
2026-06-22 08:15
Summary
Important: kernel-rt security, bug fix, and enhancement update
Details
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service (CVE-2026-31419)
- kernel: drm/amd/display: Do not skip unrelated mode changes in DSC validation (CVE-2026-31488)
- kernel: net: mana: fix use-after-free in add_adev() error path (CVE-2026-43056)
- kernel: ALSA: usb-audio: Add sanity check for OOB writes at silencing (CVE-2026-43279)
- kernel: net/sched: act_pedit: extend the writable skb range per key (CVE-2026-46331)
- kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop (CVE-2026-46090)
- kernel: RDMA/mana: Validate rx_hash_key_len (CVE-2026-46145)
- kernel: nvmet-tcp: fix race between ICReq handling and queue teardown (CVE-2026-46135)
Bug Fix(es) and Enhancement(s):
- AlmaLinux8 RT kernel panic in replenish_dl_entity() caused by stale DEADLINE PI state during rt_mutex de-boosting (JIRA:AlmaLinux-178520)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.136.1.rt7.477.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. \n\nSecurity Fix(es): \n\n * kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service (CVE-2026-31419)\n * kernel: drm/amd/display: Do not skip unrelated mode changes in DSC validation (CVE-2026-31488)\n * kernel: net: mana: fix use-after-free in add_adev() error path (CVE-2026-43056)\n * kernel: ALSA: usb-audio: Add sanity check for OOB writes at silencing (CVE-2026-43279)\n * kernel: net/sched: act_pedit: extend the writable skb range per key (CVE-2026-46331)\n * kernel: ALSA: aloop: Fix peer runtime UAF during format-change stop (CVE-2026-46090)\n * kernel: RDMA/mana: Validate rx_hash_key_len (CVE-2026-46145)\n * kernel: nvmet-tcp: fix race between ICReq handling and queue teardown (CVE-2026-46135)\n\n\nBug Fix(es) and Enhancement(s): \n\n * AlmaLinux8 RT kernel panic in replenish_dl_entity() caused by stale DEADLINE PI state during rt_mutex de-boosting (JIRA:AlmaLinux-178520)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:27354",
"modified": "2026-06-22T08:15:16Z",
"published": "2026-06-19T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:27354"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-31419"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-31488"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-43056"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-43279"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46090"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46135"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46145"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46331"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2457829"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2460619"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2464449"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2467215"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2479492"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2481980"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2482581"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2482654"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-27354.html"
}
],
"related": [
"CVE-2026-31419",
"CVE-2026-31488",
"CVE-2026-43056",
"CVE-2026-43279",
"CVE-2026-46331",
"CVE-2026-46090",
"CVE-2026-46145",
"CVE-2026-46135"
],
"summary": "Important: kernel-rt security, bug fix, and enhancement update"
}
CVE-2026-31419 (GCVE-0-2026-31419)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-06-19 11:57
VLAI
EPSS
Title
net: bonding: fix use-after-free in bond_xmit_broadcast()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free in bond_xmit_broadcast()
bond_xmit_broadcast() reuses the original skb for the last slave
(determined by bond_is_last_slave()) and clones it for others.
Concurrent slave enslave/release can mutate the slave list during
RCU-protected iteration, changing which slave is "last" mid-loop.
This causes the original skb to be double-consumed (double-freed).
Replace the racy bond_is_last_slave() check with a simple index
comparison (i + 1 == slaves_count) against the pre-snapshot slave
count taken via READ_ONCE() before the loop. This preserves the
zero-copy optimization for the last slave while making the "last"
determination stable against concurrent list mutations.
The UAF can trigger the following crash:
==================================================================
BUG: KASAN: slab-use-after-free in skb_clone
Read of size 8 at addr ffff888100ef8d40 by task exploit/147
CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY
Call Trace:
<TASK>
dump_stack_lvl (lib/dump_stack.c:123)
print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
kasan_report (mm/kasan/report.c:597)
skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)
bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)
bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)
dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)
__dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)
ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)
ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)
ip6_output (net/ipv6/ip6_output.c:250)
ip6_send_skb (net/ipv6/ip6_output.c:1985)
udp_v6_send_skb (net/ipv6/udp.c:1442)
udpv6_sendmsg (net/ipv6/udp.c:1733)
__sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)
__x64_sys_sendto (net/socket.c:2209)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
</TASK>
Allocated by task 147:
Freed by task 147:
The buggy address belongs to the object at ffff888100ef8c80
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 192 bytes inside of
freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)
Memory state around the buggy address:
ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4e5bd03ae34652cd932ab4c91c71c511793df75c , < 2de5c8eea0a9db99dae7c36f4b541b74b41d3a04
(git)
Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 3453882f36c40d2339267093676585a89808a73d (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < d4cc7e4c80b1634c7b1497574a2fdb18df6c026c (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < f5b94654a4a19891a8108d66ef166de6c028c6cd (git) Affected: 4e5bd03ae34652cd932ab4c91c71c511793df75c , < 2884bf72fb8f03409e423397319205de48adca16 (git) Affected: 20949c3816463e97c6f8fe84c0280c7e5ae83a8d (git) Affected: f1d206181f19b00b275b258fea1418718a2f4173 (git) Affected: c1f1691ef84fa6d38fa5e5148eca073145e97ffa (git) Affected: 5.10.94 , < 5.11 (semver) Affected: 5.15.17 , < 5.16 (semver) Affected: 5.16.3 , < 5.17 (semver) |
|
| Linux | Linux |
Affected:
5.17
Unaffected: 0 , < 5.17 (semver) Unaffected: 6.6.143 , ≤ 6.6.* (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2de5c8eea0a9db99dae7c36f4b541b74b41d3a04",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "3453882f36c40d2339267093676585a89808a73d",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "d4cc7e4c80b1634c7b1497574a2fdb18df6c026c",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "f5b94654a4a19891a8108d66ef166de6c028c6cd",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"lessThan": "2884bf72fb8f03409e423397319205de48adca16",
"status": "affected",
"version": "4e5bd03ae34652cd932ab4c91c71c511793df75c",
"versionType": "git"
},
{
"status": "affected",
"version": "20949c3816463e97c6f8fe84c0280c7e5ae83a8d",
"versionType": "git"
},
{
"status": "affected",
"version": "f1d206181f19b00b275b258fea1418718a2f4173",
"versionType": "git"
},
{
"status": "affected",
"version": "c1f1691ef84fa6d38fa5e5148eca073145e97ffa",
"versionType": "git"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.94",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.17",
"versionType": "semver"
},
{
"lessThan": "5.17",
"status": "affected",
"version": "5.16.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.143",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.143",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop. This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n \u003c/TASK\u003e\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003effff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n=================================================================="
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:57:40.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2de5c8eea0a9db99dae7c36f4b541b74b41d3a04"
},
{
"url": "https://git.kernel.org/stable/c/3453882f36c40d2339267093676585a89808a73d"
},
{
"url": "https://git.kernel.org/stable/c/d4cc7e4c80b1634c7b1497574a2fdb18df6c026c"
},
{
"url": "https://git.kernel.org/stable/c/f5b94654a4a19891a8108d66ef166de6c028c6cd"
},
{
"url": "https://git.kernel.org/stable/c/2884bf72fb8f03409e423397319205de48adca16"
}
],
"title": "net: bonding: fix use-after-free in bond_xmit_broadcast()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31419",
"datePublished": "2026-04-13T13:40:23.279Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-06-19T11:57:40.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31488 (GCVE-0-2026-31488)
Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-06-01 16:11
VLAI
EPSS
Title
drm/amd/display: Do not skip unrelated mode changes in DSC validation
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Do not skip unrelated mode changes in DSC validation
Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in
atomic check"), amdgpu resets the CRTC state mode_changed flag to false when
recomputing the DSC configuration results in no timing change for a particular
stream.
However, this is incorrect in scenarios where a change in MST/DSC configuration
happens in the same KMS commit as another (unrelated) mode change. For example,
the integrated panel of a laptop may be configured differently (e.g., HDR
enabled/disabled) depending on whether external screens are attached. In this
case, plugging in external DP-MST screens may result in the mode_changed flag
being dropped incorrectly for the integrated panel if its DSC configuration
did not change during precomputation in pre_validate_dsc().
At this point, however, dm_update_crtc_state() has already created new streams
for CRTCs with DSC-independent mode changes. In turn,
amdgpu_dm_commit_streams() will never release the old stream, resulting in a
memory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to
the new stream either, which manifests as a use-after-free when the stream gets
disabled later on:
BUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]
Write of size 4 at addr ffff88813d836524 by task kworker/9:9/29977
Workqueue: events drm_mode_rmfb_work_fn
Call Trace:
<TASK>
dump_stack_lvl+0x6e/0xa0
print_address_description.constprop.0+0x88/0x320
? dc_stream_release+0x25/0x90 [amdgpu]
print_report+0xfc/0x1ff
? srso_alias_return_thunk+0x5/0xfbef5
? __virt_addr_valid+0x225/0x4e0
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_report+0xe1/0x180
? dc_stream_release+0x25/0x90 [amdgpu]
kasan_check_range+0x125/0x200
dc_stream_release+0x25/0x90 [amdgpu]
dc_state_destruct+0x14d/0x5c0 [amdgpu]
dc_state_release.part.0+0x4e/0x130 [amdgpu]
dm_atomic_destroy_state+0x3f/0x70 [amdgpu]
drm_atomic_state_default_clear+0x8ee/0xf30
? drm_mode_object_put.part.0+0xb1/0x130
__drm_atomic_state_free+0x15c/0x2d0
atomic_remove_fb+0x67e/0x980
Since there is no reliable way of figuring out whether a CRTC has unrelated
mode changes pending at the time of DSC validation, remember the value of the
mode_changed flag from before the point where a CRTC was marked as potentially
affected by a change in DSC configuration. Reset the mode_changed flag to this
earlier value instead in pre_validate_dsc().
(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)
Severity
7.8 (High)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/da1d0ed31e9802fd9… | |
| https://git.kernel.org/stable/c/21159d8b335a6b9f4… | |
| https://git.kernel.org/stable/c/10862e344b4d64346… | |
| https://git.kernel.org/stable/c/8a5edc97fd9c6415f… | |
| https://git.kernel.org/stable/c/111208b5b7ebcdadb… | |
| https://git.kernel.org/stable/c/aed3d041ab061ec8a… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < da1d0ed31e9802fd99384f43cc63678a5a11cb41
(git)
Affected: 17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < 21159d8b335a6b9f44cbb506733013a902ae2da4 (git) Affected: 17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < 10862e344b4d6434642a48c87d765813fc0b0ba7 (git) Affected: 17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < 8a5edc97fd9c6415ff2eff872748439a97e3c3d8 (git) Affected: 17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < 111208b5b7ebcdadb3f922cc52d8425f0fa91b33 (git) Affected: 17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b , < aed3d041ab061ec8a64f50a3edda0f4db7280025 (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h",
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da1d0ed31e9802fd99384f43cc63678a5a11cb41",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
},
{
"lessThan": "21159d8b335a6b9f44cbb506733013a902ae2da4",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
},
{
"lessThan": "10862e344b4d6434642a48c87d765813fc0b0ba7",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
},
{
"lessThan": "8a5edc97fd9c6415ff2eff872748439a97e3c3d8",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
},
{
"lessThan": "111208b5b7ebcdadb3f922cc52d8425f0fa91b33",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
},
{
"lessThan": "aed3d041ab061ec8a64f50a3edda0f4db7280025",
"status": "affected",
"version": "17ce8a6907f77b7ac97ddaa071d8a1f6e06ce85b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c",
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h",
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Do not skip unrelated mode changes in DSC validation\n\nStarting with commit 17ce8a6907f7 (\"drm/amd/display: Add dsc pre-validation in\natomic check\"), amdgpu resets the CRTC state mode_changed flag to false when\nrecomputing the DSC configuration results in no timing change for a particular\nstream.\n\nHowever, this is incorrect in scenarios where a change in MST/DSC configuration\nhappens in the same KMS commit as another (unrelated) mode change. For example,\nthe integrated panel of a laptop may be configured differently (e.g., HDR\nenabled/disabled) depending on whether external screens are attached. In this\ncase, plugging in external DP-MST screens may result in the mode_changed flag\nbeing dropped incorrectly for the integrated panel if its DSC configuration\ndid not change during precomputation in pre_validate_dsc().\n\nAt this point, however, dm_update_crtc_state() has already created new streams\nfor CRTCs with DSC-independent mode changes. In turn,\namdgpu_dm_commit_streams() will never release the old stream, resulting in a\nmemory leak. amdgpu_dm_atomic_commit_tail() will never acquire a reference to\nthe new stream either, which manifests as a use-after-free when the stream gets\ndisabled later on:\n\nBUG: KASAN: use-after-free in dc_stream_release+0x25/0x90 [amdgpu]\nWrite of size 4 at addr ffff88813d836524 by task kworker/9:9/29977\n\nWorkqueue: events drm_mode_rmfb_work_fn\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6e/0xa0\n print_address_description.constprop.0+0x88/0x320\n ? dc_stream_release+0x25/0x90 [amdgpu]\n print_report+0xfc/0x1ff\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __virt_addr_valid+0x225/0x4e0\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_report+0xe1/0x180\n ? dc_stream_release+0x25/0x90 [amdgpu]\n kasan_check_range+0x125/0x200\n dc_stream_release+0x25/0x90 [amdgpu]\n dc_state_destruct+0x14d/0x5c0 [amdgpu]\n dc_state_release.part.0+0x4e/0x130 [amdgpu]\n dm_atomic_destroy_state+0x3f/0x70 [amdgpu]\n drm_atomic_state_default_clear+0x8ee/0xf30\n ? drm_mode_object_put.part.0+0xb1/0x130\n __drm_atomic_state_free+0x15c/0x2d0\n atomic_remove_fb+0x67e/0x980\n\nSince there is no reliable way of figuring out whether a CRTC has unrelated\nmode changes pending at the time of DSC validation, remember the value of the\nmode_changed flag from before the point where a CRTC was marked as potentially\naffected by a change in DSC configuration. Reset the mode_changed flag to this\nearlier value instead in pre_validate_dsc().\n\n(cherry picked from commit cc7c7121ae082b7b82891baa7280f1ff2608f22b)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:11:33.175Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da1d0ed31e9802fd99384f43cc63678a5a11cb41"
},
{
"url": "https://git.kernel.org/stable/c/21159d8b335a6b9f44cbb506733013a902ae2da4"
},
{
"url": "https://git.kernel.org/stable/c/10862e344b4d6434642a48c87d765813fc0b0ba7"
},
{
"url": "https://git.kernel.org/stable/c/8a5edc97fd9c6415ff2eff872748439a97e3c3d8"
},
{
"url": "https://git.kernel.org/stable/c/111208b5b7ebcdadb3f922cc52d8425f0fa91b33"
},
{
"url": "https://git.kernel.org/stable/c/aed3d041ab061ec8a64f50a3edda0f4db7280025"
}
],
"title": "drm/amd/display: Do not skip unrelated mode changes in DSC validation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31488",
"datePublished": "2026-04-22T13:54:12.963Z",
"dateReserved": "2026-03-09T15:48:24.101Z",
"dateUpdated": "2026-06-01T16:11:33.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43056 (GCVE-0-2026-43056)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-11 22:16
VLAI
EPSS
Title
net: mana: fix use-after-free in add_adev() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mana: fix use-after-free in add_adev() error path
If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls
auxiliary_device_uninit(adev).
The auxiliary device has its release callback set to adev_release(),
which frees the containing struct mana_adev. Since adev is embedded in
struct mana_adev, the subsequent fall-through to init_fail and access
to adev->id may result in a use-after-free.
Fix this by saving the allocated auxiliary device id in a local
variable before calling auxiliary_device_add(), and use that saved id
in the cleanup path after auxiliary_device_uninit().
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < d88541ffd56d62a61e77209080001eddd4d69815
(git)
Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < 43f5b19fd190fea20d052bc84741b28031d5baa9 (git) Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < 5f4061f8225d18695e5afe9bbf1cb7bd673d7872 (git) Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < e5a75bf026c686b91a7dc6f9c5caf5016745d1fe (git) Affected: a69839d4327d053b18d8e1b0e7ddeee78db78f4f , < c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/mana_en.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d88541ffd56d62a61e77209080001eddd4d69815",
"status": "affected",
"version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
"versionType": "git"
},
{
"lessThan": "43f5b19fd190fea20d052bc84741b28031d5baa9",
"status": "affected",
"version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
"versionType": "git"
},
{
"lessThan": "5f4061f8225d18695e5afe9bbf1cb7bd673d7872",
"status": "affected",
"version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
"versionType": "git"
},
{
"lessThan": "e5a75bf026c686b91a7dc6f9c5caf5016745d1fe",
"status": "affected",
"version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
"versionType": "git"
},
{
"lessThan": "c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f",
"status": "affected",
"version": "a69839d4327d053b18d8e1b0e7ddeee78db78f4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/microsoft/mana/mana_en.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mana: fix use-after-free in add_adev() error path\n\nIf auxiliary_device_add() fails, add_adev() jumps to add_fail and calls\nauxiliary_device_uninit(adev).\n\nThe auxiliary device has its release callback set to adev_release(),\nwhich frees the containing struct mana_adev. Since adev is embedded in\nstruct mana_adev, the subsequent fall-through to init_fail and access\nto adev-\u003eid may result in a use-after-free.\n\nFix this by saving the allocated auxiliary device id in a local\nvariable before calling auxiliary_device_add(), and use that saved id\nin the cleanup path after auxiliary_device_uninit()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:16:51.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d88541ffd56d62a61e77209080001eddd4d69815"
},
{
"url": "https://git.kernel.org/stable/c/43f5b19fd190fea20d052bc84741b28031d5baa9"
},
{
"url": "https://git.kernel.org/stable/c/5f4061f8225d18695e5afe9bbf1cb7bd673d7872"
},
{
"url": "https://git.kernel.org/stable/c/e5a75bf026c686b91a7dc6f9c5caf5016745d1fe"
},
{
"url": "https://git.kernel.org/stable/c/c4ea7d8907cf72b259bf70bd8c2e791e1c4ff70f"
}
],
"title": "net: mana: fix use-after-free in add_adev() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43056",
"datePublished": "2026-05-01T14:15:48.837Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-11T22:16:51.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43279 (GCVE-0-2026-43279)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:29 – Updated: 2026-05-11 22:21
VLAI
EPSS
Title
ALSA: usb-audio: Add sanity check for OOB writes at silencing
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Add sanity check for OOB writes at silencing
At silencing the playback URB packets in the implicit fb mode before
the actual playback, we blindly assume that the received packets fit
with the buffer size. But when the setup in the capture stream
differs from the playback stream (e.g. due to the USB core limitation
of max packet size), such an inconsistency may lead to OOB writes to
the buffer, resulting in a crash.
For addressing it, add a sanity check of the transfer buffer size at
prepare_silent_urb(), and stop the data copy if the received data
overflows. Also, report back the transfer error properly from there,
too.
Note that this doesn't fix the root cause of the playback error
itself, but this merely covers the kernel Oops.
Severity
7.8 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/fa01973bb79d70c47… | |
| https://git.kernel.org/stable/c/780dc57794a217b49… | |
| https://git.kernel.org/stable/c/8995fc0e00b3fee9b… | |
| https://git.kernel.org/stable/c/fc9e5af60dc199051… | |
| https://git.kernel.org/stable/c/6af16f1b8649df4c0… | |
| https://git.kernel.org/stable/c/ccaf9296763be4f76… | |
| https://git.kernel.org/stable/c/fba2105a157fffcf1… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f
(git)
Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 780dc57794a217b49994fa1d0b42465fb10a00aa (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 8995fc0e00b3fee9bf7ecb3d836b635b730c1049 (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fc9e5af60dc199051dc202ae78e1fe76a9977a5e (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < 6af16f1b8649df4c00d6ced924bdd8b72c885b6a (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < ccaf9296763be4f76b59e2cac377006016c34435 (git) Affected: c75a8a7ae565d7cd9baa87a504ba9162e355b4b0 , < fba2105a157fffcf19825e4eea498346738c9948 (git) |
|
| Linux | Linux |
Affected:
3.5
Unaffected: 0 , < 3.5 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "780dc57794a217b49994fa1d0b42465fb10a00aa",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "8995fc0e00b3fee9bf7ecb3d836b635b730c1049",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "fc9e5af60dc199051dc202ae78e1fe76a9977a5e",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "6af16f1b8649df4c00d6ced924bdd8b72c885b6a",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "ccaf9296763be4f76b59e2cac377006016c34435",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
},
{
"lessThan": "fba2105a157fffcf19825e4eea498346738c9948",
"status": "affected",
"version": "c75a8a7ae565d7cd9baa87a504ba9162e355b4b0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/endpoint.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Add sanity check for OOB writes at silencing\n\nAt silencing the playback URB packets in the implicit fb mode before\nthe actual playback, we blindly assume that the received packets fit\nwith the buffer size. But when the setup in the capture stream\ndiffers from the playback stream (e.g. due to the USB core limitation\nof max packet size), such an inconsistency may lead to OOB writes to\nthe buffer, resulting in a crash.\n\nFor addressing it, add a sanity check of the transfer buffer size at\nprepare_silent_urb(), and stop the data copy if the received data\noverflows. Also, report back the transfer error properly from there,\ntoo.\n\nNote that this doesn\u0027t fix the root cause of the playback error\nitself, but this merely covers the kernel Oops."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:29.169Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f"
},
{
"url": "https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa"
},
{
"url": "https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049"
},
{
"url": "https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e"
},
{
"url": "https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a"
},
{
"url": "https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435"
},
{
"url": "https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948"
}
],
"title": "ALSA: usb-audio: Add sanity check for OOB writes at silencing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43279",
"datePublished": "2026-05-06T11:29:00.844Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-11T22:21:29.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46090 (GCVE-0-2026-46090)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:58 – Updated: 2026-06-19 11:59
VLAI
EPSS
Title
ALSA: aloop: Fix peer runtime UAF during format-change stop
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix peer runtime UAF during format-change stop
loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.
A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.
Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.
Severity
7.8 (High)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/83bd62fa9620ac98d… | |
| https://git.kernel.org/stable/c/345c24b2bcf0923df… | |
| https://git.kernel.org/stable/c/03f52a9c170431e8f… | |
| https://git.kernel.org/stable/c/bdd9503c3d222d273… | |
| https://git.kernel.org/stable/c/5d45e34bf001344e2… | |
| https://git.kernel.org/stable/c/e5c33cdc6f402eab8… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
597603d615d2b19a9e451d8cfac24372856a522d , < 83bd62fa9620ac98d5d694bde14c50f98c8e7189
(git)
Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 345c24b2bcf0923dfae1ab41497351c68214ff76 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 03f52a9c170431e8f10e156b9dc0dae80b3e9198 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < 5d45e34bf001344e2966dabca1897561bbc9e913 (git) Affected: 597603d615d2b19a9e451d8cfac24372856a522d , < e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff (git) |
|
| Linux | Linux |
Affected:
2.6.37
Unaffected: 0 , < 2.6.37 (semver) Unaffected: 5.10.259 , ≤ 5.10.* (semver) Unaffected: 5.15.210 , ≤ 5.15.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "83bd62fa9620ac98d5d694bde14c50f98c8e7189",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "345c24b2bcf0923dfae1ab41497351c68214ff76",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "03f52a9c170431e8f10e156b9dc0dae80b3e9198",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "5d45e34bf001344e2966dabca1897561bbc9e913",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
},
{
"lessThan": "e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff",
"status": "affected",
"version": "597603d615d2b19a9e451d8cfac24372856a522d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.259",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.210",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.259",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.210",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix peer runtime UAF during format-change stop\n\nloopback_check_format() may stop the capture side when playback starts\nwith parameters that no longer match a running capture stream. Commit\n826af7fa62e3 (\"ALSA: aloop: Fix racy access at PCM trigger\") moved\nthe peer lookup under cable-\u003elock, but the actual snd_pcm_stop() still\nruns after dropping that lock.\n\nA concurrent close can clear the capture entry from cable-\u003estreams[] and\ndetach or free its runtime while the playback trigger path still holds a\nstale peer substream pointer.\n\nKeep a per-cable count of in-flight peer stops before dropping\ncable-\u003elock, and make free_cable() wait for those stops before\ndetaching the runtime. This preserves the existing behavior while\nmaking the peer runtime lifetime explicit."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T11:59:25.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/83bd62fa9620ac98d5d694bde14c50f98c8e7189"
},
{
"url": "https://git.kernel.org/stable/c/345c24b2bcf0923dfae1ab41497351c68214ff76"
},
{
"url": "https://git.kernel.org/stable/c/03f52a9c170431e8f10e156b9dc0dae80b3e9198"
},
{
"url": "https://git.kernel.org/stable/c/bdd9503c3d222d2735b56c7a8b4422ccf3de6e5c"
},
{
"url": "https://git.kernel.org/stable/c/5d45e34bf001344e2966dabca1897561bbc9e913"
},
{
"url": "https://git.kernel.org/stable/c/e5c33cdc6f402eab8abd36ecf436b22c9d3a8aff"
}
],
"title": "ALSA: aloop: Fix peer runtime UAF during format-change stop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46090",
"datePublished": "2026-05-27T12:58:34.428Z",
"dateReserved": "2026-05-13T15:03:33.097Z",
"dateUpdated": "2026-06-19T11:59:25.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46135 (GCVE-0-2026-46135)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-15 08:03
VLAI
EPSS
Title
nvmet-tcp: fix race between ICReq handling and queue teardown
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: fix race between ICReq handling and queue teardown
nvmet_tcp_handle_icreq() updates queue->state after sending an
Initialization Connection Response (ICResp), but it does so without
serializing against target-side queue teardown.
If an NVMe/TCP host sends an Initialization Connection Request
(ICReq) and immediately closes the connection, target-side teardown
may start in softirq context before io_work drains the already
buffered ICReq. In that case, nvmet_tcp_schedule_release_queue()
sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue
reference under state_lock.
If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can
still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the
DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and
allows a later socket state change to re-enter teardown and issue a
second kref_put() on an already released queue.
The ICResp send failure path has the same problem. If teardown has
already moved the queue to DISCONNECTING, a send error can still
overwrite the state with NVMET_TCP_Q_FAILED, again reopening the
window for a second teardown path to drop the queue reference.
Fix this by serializing both post-send state transitions with
state_lock and bailing out if teardown has already started.
Use -ESHUTDOWN as an internal sentinel for that bail-out path rather
than propagating it as a transport error like -ECONNRESET. Keep
nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before
honoring that sentinel so receive-side parsing stays quiesced until the
existing release path completes.
Severity
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3
(git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < dcfe4d1f7960e7d1c01642318f3aae1a604f8508 (git) Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 5293a8882c549fab4a878bc76b0b6c951f980a61 (git) |
|
| Linux | Linux |
Affected:
5.0
Unaffected: 0 , < 5.0 (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "dcfe4d1f7960e7d1c01642318f3aae1a604f8508",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
},
{
"lessThan": "5293a8882c549fab4a878bc76b0b6c951f980a61",
"status": "affected",
"version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvme/target/tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"lessThan": "5.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: fix race between ICReq handling and queue teardown\n\nnvmet_tcp_handle_icreq() updates queue-\u003estate after sending an\nInitialization Connection Response (ICResp), but it does so without\nserializing against target-side queue teardown.\n\nIf an NVMe/TCP host sends an Initialization Connection Request\n(ICReq) and immediately closes the connection, target-side teardown\nmay start in softirq context before io_work drains the already\nbuffered ICReq. In that case, nvmet_tcp_schedule_release_queue()\nsets queue-\u003estate to NVMET_TCP_Q_DISCONNECTING and drops the queue\nreference under state_lock.\n\nIf io_work later processes that ICReq, nvmet_tcp_handle_icreq() can\nstill overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the\nDISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and\nallows a later socket state change to re-enter teardown and issue a\nsecond kref_put() on an already released queue.\n\nThe ICResp send failure path has the same problem. If teardown has\nalready moved the queue to DISCONNECTING, a send error can still\noverwrite the state with NVMET_TCP_Q_FAILED, again reopening the\nwindow for a second teardown path to drop the queue reference.\n\nFix this by serializing both post-send state transitions with\nstate_lock and bailing out if teardown has already started.\n\nUse -ESHUTDOWN as an internal sentinel for that bail-out path rather\nthan propagating it as a transport error like -ECONNRESET. Keep\nnvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before\nhonoring that sentinel so receive-side parsing stays quiesced until the\nexisting release path completes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T08:03:25.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49891c8fe0cb43fbbe480da1cdccfbbaeb820cb3"
},
{
"url": "https://git.kernel.org/stable/c/67e1aaf93b495c2f10bc8a5fbba575fbb7f449b6"
},
{
"url": "https://git.kernel.org/stable/c/dcfe4d1f7960e7d1c01642318f3aae1a604f8508"
},
{
"url": "https://git.kernel.org/stable/c/5293a8882c549fab4a878bc76b0b6c951f980a61"
}
],
"title": "nvmet-tcp: fix race between ICReq handling and queue teardown",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46135",
"datePublished": "2026-05-28T09:35:49.828Z",
"dateReserved": "2026-05-13T15:03:33.099Z",
"dateUpdated": "2026-06-15T08:03:25.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46145 (GCVE-0-2026-46145)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:57
VLAI
EPSS
Title
RDMA/mana: Validate rx_hash_key_len
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Validate rx_hash_key_len
Sashiko points out that rx_hash_key_len comes from a uAPI structure and is
blindly passed to memcpy, allowing the userspace to trash kernel
memory. Bounds check it so the memcpy cannot overflow.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0266a177631d4c6b963b5b12dd986a8c5abdbf06 , < 7d7c9f0fcd19c4d2f0164347c58d49cafa961b72
(git)
Affected: 0266a177631d4c6b963b5b12dd986a8c5abdbf06 , < 11c1431d641e0e4e0529e96957995820600c7287 (git) Affected: 0266a177631d4c6b963b5b12dd986a8c5abdbf06 , < 012796f9541fcd0c1fa8ae4da7eb4d83931ef838 (git) Affected: 0266a177631d4c6b963b5b12dd986a8c5abdbf06 , < 7d94f155f354b961c598f71bafa804dceded513f (git) Affected: 0266a177631d4c6b963b5b12dd986a8c5abdbf06 , < 6dd2d4ad9c8429523b1c220c5132bd551c006425 (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mana/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d7c9f0fcd19c4d2f0164347c58d49cafa961b72",
"status": "affected",
"version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
"versionType": "git"
},
{
"lessThan": "11c1431d641e0e4e0529e96957995820600c7287",
"status": "affected",
"version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
"versionType": "git"
},
{
"lessThan": "012796f9541fcd0c1fa8ae4da7eb4d83931ef838",
"status": "affected",
"version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
"versionType": "git"
},
{
"lessThan": "7d94f155f354b961c598f71bafa804dceded513f",
"status": "affected",
"version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
"versionType": "git"
},
{
"lessThan": "6dd2d4ad9c8429523b1c220c5132bd551c006425",
"status": "affected",
"version": "0266a177631d4c6b963b5b12dd986a8c5abdbf06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mana/qp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mana: Validate rx_hash_key_len\n\nSashiko points out that rx_hash_key_len comes from a uAPI structure and is\nblindly passed to memcpy, allowing the userspace to trash kernel\nmemory. Bounds check it so the memcpy cannot overflow."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:57:54.214Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d7c9f0fcd19c4d2f0164347c58d49cafa961b72"
},
{
"url": "https://git.kernel.org/stable/c/11c1431d641e0e4e0529e96957995820600c7287"
},
{
"url": "https://git.kernel.org/stable/c/012796f9541fcd0c1fa8ae4da7eb4d83931ef838"
},
{
"url": "https://git.kernel.org/stable/c/7d94f155f354b961c598f71bafa804dceded513f"
},
{
"url": "https://git.kernel.org/stable/c/6dd2d4ad9c8429523b1c220c5132bd551c006425"
}
],
"title": "RDMA/mana: Validate rx_hash_key_len",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46145",
"datePublished": "2026-05-28T09:36:01.805Z",
"dateReserved": "2026-05-13T15:03:33.100Z",
"dateUpdated": "2026-06-14T17:57:54.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46331 (GCVE-0-2026-46331)
Vulnerability from cvelistv5 – Published: 2026-06-16 06:26 – Updated: 2026-06-19 12:00
VLAI
EPSS
Title
net/sched: fix pedit partial COW leading to page cache corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix pedit partial COW leading to page cache corruption
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8b796475fd7882663a870456466a4fb315cc1bd6 , < 2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b
(git)
Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < b198ed4e52580a7238c7c7082f03906f8b310313 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 3dee9d0c198faeb95d052c1b94c2958751a28512 (git) Affected: 8b796475fd7882663a870456466a4fb315cc1bd6 , < 899ee91156e57784090c5565e4f31bd7dbffbc5a (git) Affected: d0c38a914b0c4c21d553da801003d36979016726 (git) Affected: 2ec2dd7d51a9320151f275ddbb2b53260fb32ca1 (git) Affected: abe35bf3be51482593076d516a680d79e5fbc8e1 (git) Affected: b773640d5bb9e2acfd91e2695717af04d47aa116 (git) Affected: c19cc520b3d69904e9518d401ad0df7f4702aca0 (git) Affected: 4.19.244 , < 4.20 (semver) Affected: 5.4.195 , < 5.5 (semver) Affected: 5.10.117 , < 5.11 (semver) Affected: 5.15.41 , < 5.16 (semver) Affected: 5.17.9 , < 5.18 (semver) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.12.94 , ≤ 6.12.* (semver) Unaffected: 6.18.36 , ≤ 6.18.* (semver) Unaffected: 7.0.13 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "b198ed4e52580a7238c7c7082f03906f8b310313",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "3dee9d0c198faeb95d052c1b94c2958751a28512",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"lessThan": "899ee91156e57784090c5565e4f31bd7dbffbc5a",
"status": "affected",
"version": "8b796475fd7882663a870456466a4fb315cc1bd6",
"versionType": "git"
},
{
"status": "affected",
"version": "d0c38a914b0c4c21d553da801003d36979016726",
"versionType": "git"
},
{
"status": "affected",
"version": "2ec2dd7d51a9320151f275ddbb2b53260fb32ca1",
"versionType": "git"
},
{
"status": "affected",
"version": "abe35bf3be51482593076d516a680d79e5fbc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "b773640d5bb9e2acfd91e2695717af04d47aa116",
"versionType": "git"
},
{
"status": "affected",
"version": "c19cc520b3d69904e9518d401ad0df7f4702aca0",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.244",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.195",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.117",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.41",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.9",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/tc_act/tc_pedit.h",
"net/sched/act_pedit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.94",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.36",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.13",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.195",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.117",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix pedit partial COW leading to page cache corruption\n\ntcf_pedit_act() computes the COW range for skb_ensure_writable()\nonce before the key loop using tcfp_off_max_hint, but the hint does\nnot account for the runtime header offset added by typed keys. This\ncan leave part of the write region un-COW\u0027d.\n\nFix by moving skb_ensure_writable() inside the per-key loop where\nthe actual write offset is known, and add overflow checking on the\noffset arithmetic. For negative offsets (e.g. Ethernet header edits\nat ingress), use skb_cow() to COW the headroom instead. Guard\noffset_valid() against INT_MIN, where negation is undefined."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T12:00:28.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2bec122b9fb91507a758ab5e3e5c4fbe7cb3f61b"
},
{
"url": "https://git.kernel.org/stable/c/b198ed4e52580a7238c7c7082f03906f8b310313"
},
{
"url": "https://git.kernel.org/stable/c/3dee9d0c198faeb95d052c1b94c2958751a28512"
},
{
"url": "https://git.kernel.org/stable/c/899ee91156e57784090c5565e4f31bd7dbffbc5a"
}
],
"title": "net/sched: fix pedit partial COW leading to page cache corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46331",
"datePublished": "2026-06-16T06:26:21.066Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-19T12:00:28.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…