Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0215
Vulnerability from certfr_avis - Published: 2026-02-26 - Updated: 2026-02-26
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Azure Linux | azl3 kernel 6.6.121.1-1 versions antérieures à 6.6.121.1-2 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 kernel 6.6.121.1-1 versions ant\u00e9rieures \u00e0 6.6.121.1-2",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-71230",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71230"
},
{
"name": "CVE-2026-23225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23225"
},
{
"name": "CVE-2026-23229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23229"
},
{
"name": "CVE-2026-23223",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23223"
},
{
"name": "CVE-2026-23224",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23224"
}
],
"initial_release_date": "2026-02-26T00:00:00",
"last_revision_date": "2026-02-26T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0215",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-02-26T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-02-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23223",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23223"
},
{
"published_at": "2026-02-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23229",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23229"
},
{
"published_at": "2026-02-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23225",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23225"
},
{
"published_at": "2026-02-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-23224",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23224"
},
{
"published_at": "2026-02-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71230",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71230"
}
]
}
CVE-2026-23223 (GCVE-0-2026-23223)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16
VLAI?
EPSS
Title
xfs: fix UAF in xchk_btree_check_block_owner
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix UAF in xchk_btree_check_block_owner
We cannot dereference bs->cur when trying to determine if bs->cur
aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.
Fix this by sampling before type before any freeing could happen.
The correct temporal ordering was broken when we removed xfs_btnum_t.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ec793e690f801d97a7ae2a0d429fea1fee4d44aa , < 1d411278dda293a507cb794db7d9ed3511c685c6
(git)
Affected: ec793e690f801d97a7ae2a0d429fea1fee4d44aa , < ed82e7949f5cac3058f4100f3cd670531d41a266 (git) Affected: ec793e690f801d97a7ae2a0d429fea1fee4d44aa , < ba5264610423d9653aa36920520902d83841bcfd (git) Affected: ec793e690f801d97a7ae2a0d429fea1fee4d44aa , < 1c253e11225bc5167217897885b85093e17c2217 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d411278dda293a507cb794db7d9ed3511c685c6",
"status": "affected",
"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa",
"versionType": "git"
},
{
"lessThan": "ed82e7949f5cac3058f4100f3cd670531d41a266",
"status": "affected",
"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa",
"versionType": "git"
},
{
"lessThan": "ba5264610423d9653aa36920520902d83841bcfd",
"status": "affected",
"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa",
"versionType": "git"
},
{
"lessThan": "1c253e11225bc5167217897885b85093e17c2217",
"status": "affected",
"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/scrub/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.72",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.11",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix UAF in xchk_btree_check_block_owner\n\nWe cannot dereference bs-\u003ecur when trying to determine if bs-\u003ecur\naliases bs-\u003esc-\u003esa.{bno,rmap}_cur after the latter has been freed.\nFix this by sampling before type before any freeing could happen.\nThe correct temporal ordering was broken when we removed xfs_btnum_t."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T03:16:29.765Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6"
},
{
"url": "https://git.kernel.org/stable/c/ed82e7949f5cac3058f4100f3cd670531d41a266"
},
{
"url": "https://git.kernel.org/stable/c/ba5264610423d9653aa36920520902d83841bcfd"
},
{
"url": "https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217"
}
],
"title": "xfs: fix UAF in xchk_btree_check_block_owner",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23223",
"datePublished": "2026-02-18T14:53:26.603Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-02-23T03:16:29.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71230 (GCVE-0-2025-71230)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16
VLAI?
EPSS
Title
hfs: ensure sb->s_fs_info is always cleaned up
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: ensure sb->s_fs_info is always cleaned up
When hfs was converted to the new mount api a bug was introduced by
changing the allocation pattern of sb->s_fs_info. If setup_bdev_super()
fails after a new superblock has been allocated by sget_fc(), but before
hfs_fill_super() takes ownership of the filesystem-specific s_fs_info
data it was leaked.
Fix this by freeing sb->s_fs_info in hfs_kill_super().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
ffcd06b6d13b72823aba0d7c871f7e4876e7916b , < 46c1d56ad321fb024761abd9af61a0cb616cf2f6
(git)
Affected: ffcd06b6d13b72823aba0d7c871f7e4876e7916b , < 399219831514126bc9541e8eadefe02c6fbd9166 (git) Affected: ffcd06b6d13b72823aba0d7c871f7e4876e7916b , < 05ce49a902be15dc93854cbfc20161205a9ee446 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c",
"fs/hfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c1d56ad321fb024761abd9af61a0cb616cf2f6",
"status": "affected",
"version": "ffcd06b6d13b72823aba0d7c871f7e4876e7916b",
"versionType": "git"
},
{
"lessThan": "399219831514126bc9541e8eadefe02c6fbd9166",
"status": "affected",
"version": "ffcd06b6d13b72823aba0d7c871f7e4876e7916b",
"versionType": "git"
},
{
"lessThan": "05ce49a902be15dc93854cbfc20161205a9ee446",
"status": "affected",
"version": "ffcd06b6d13b72823aba0d7c871f7e4876e7916b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/mdb.c",
"fs/hfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.11",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: ensure sb-\u003es_fs_info is always cleaned up\n\nWhen hfs was converted to the new mount api a bug was introduced by\nchanging the allocation pattern of sb-\u003es_fs_info. If setup_bdev_super()\nfails after a new superblock has been allocated by sget_fc(), but before\nhfs_fill_super() takes ownership of the filesystem-specific s_fs_info\ndata it was leaked.\n\nFix this by freeing sb-\u003es_fs_info in hfs_kill_super()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T03:16:08.802Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c1d56ad321fb024761abd9af61a0cb616cf2f6"
},
{
"url": "https://git.kernel.org/stable/c/399219831514126bc9541e8eadefe02c6fbd9166"
},
{
"url": "https://git.kernel.org/stable/c/05ce49a902be15dc93854cbfc20161205a9ee446"
}
],
"title": "hfs: ensure sb-\u003es_fs_info is always cleaned up",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71230",
"datePublished": "2026-02-18T14:53:14.519Z",
"dateReserved": "2026-02-18T14:25:13.844Z",
"dateUpdated": "2026-02-23T03:16:08.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23229 (GCVE-0-2026-23229)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16
VLAI?
EPSS
Title
crypto: virtio - Add spinlock protection with virtqueue notification
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: virtio - Add spinlock protection with virtqueue notification
When VM boots with one virtio-crypto PCI device and builtin backend,
run openssl benchmark command with multiple processes, such as
openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32
openssl processes will hangup and there is error reported like this:
virtio_crypto virtio0: dataq.0:id 3 is not a head!
It seems that the data virtqueue need protection when it is handled
for virtio done notification. If the spinlock protection is added
in virtcrypto_done_task(), openssl benchmark with multiple processes
works well.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0eb69890e86775d178452880ea0d24384c5ccedf , < 552475d0b6cece73a52c0fa5faa0ce45e99df74b
(git)
Affected: 75cba72ddb788a5b9c7ed2139fbb84383df029eb , < 8ee8ccfd60bf17cbdab91069d324b5302f4f3a30 (git) Affected: ae4747dab2eab95a68bb2f6c7e904bff0424e1b1 , < c9e594194795c86ca753ad6ed64c2762e9309d0d (git) Affected: c4c54fce9ec54a59a4ca035af13c2823c76684cc , < d6f0d586808689963e58fd739bed626ff5013b24 (git) Affected: fed93fb62e05c38152b0fc1dc9609639e63eed76 , < c0a0ded3bb7fd45f720faa48449a930153257d3a (git) Affected: fed93fb62e05c38152b0fc1dc9609639e63eed76 , < e69a7b0a71b6561b3b6459f1fded8d589f2e8ac2 (git) Affected: fed93fb62e05c38152b0fc1dc9609639e63eed76 , < 49c57c6c108931a914ed94e3c0ddb974008260a3 (git) Affected: fed93fb62e05c38152b0fc1dc9609639e63eed76 , < b505047ffc8057555900d2d3a005d033e6967382 (git) Affected: 96be18c8fff9d57e29621386e2fa17268383ea27 (git) Affected: 830a4f073f7edd2cc4f30ba95bdc3495d97c2550 (git) Affected: 8862c0d2e47ba1733d9687fe0ff4e02d6e391255 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/crypto/virtio/virtio_crypto_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "552475d0b6cece73a52c0fa5faa0ce45e99df74b",
"status": "affected",
"version": "0eb69890e86775d178452880ea0d24384c5ccedf",
"versionType": "git"
},
{
"lessThan": "8ee8ccfd60bf17cbdab91069d324b5302f4f3a30",
"status": "affected",
"version": "75cba72ddb788a5b9c7ed2139fbb84383df029eb",
"versionType": "git"
},
{
"lessThan": "c9e594194795c86ca753ad6ed64c2762e9309d0d",
"status": "affected",
"version": "ae4747dab2eab95a68bb2f6c7e904bff0424e1b1",
"versionType": "git"
},
{
"lessThan": "d6f0d586808689963e58fd739bed626ff5013b24",
"status": "affected",
"version": "c4c54fce9ec54a59a4ca035af13c2823c76684cc",
"versionType": "git"
},
{
"lessThan": "c0a0ded3bb7fd45f720faa48449a930153257d3a",
"status": "affected",
"version": "fed93fb62e05c38152b0fc1dc9609639e63eed76",
"versionType": "git"
},
{
"lessThan": "e69a7b0a71b6561b3b6459f1fded8d589f2e8ac2",
"status": "affected",
"version": "fed93fb62e05c38152b0fc1dc9609639e63eed76",
"versionType": "git"
},
{
"lessThan": "49c57c6c108931a914ed94e3c0ddb974008260a3",
"status": "affected",
"version": "fed93fb62e05c38152b0fc1dc9609639e63eed76",
"versionType": "git"
},
{
"lessThan": "b505047ffc8057555900d2d3a005d033e6967382",
"status": "affected",
"version": "fed93fb62e05c38152b0fc1dc9609639e63eed76",
"versionType": "git"
},
{
"status": "affected",
"version": "96be18c8fff9d57e29621386e2fa17268383ea27",
"versionType": "git"
},
{
"status": "affected",
"version": "830a4f073f7edd2cc4f30ba95bdc3495d97c2550",
"versionType": "git"
},
{
"status": "affected",
"version": "8862c0d2e47ba1733d9687fe0ff4e02d6e391255",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/crypto/virtio/virtio_crypto_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.8"
},
{
"lessThan": "6.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.125",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"versionStartIncluding": "5.10.209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"versionStartIncluding": "5.15.148",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"versionStartIncluding": "6.1.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.125",
"versionStartIncluding": "6.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.72",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.11",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.306",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.268",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.7.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio - Add spinlock protection with virtqueue notification\n\nWhen VM boots with one virtio-crypto PCI device and builtin backend,\nrun openssl benchmark command with multiple processes, such as\n openssl speed -evp aes-128-cbc -engine afalg -seconds 10 -multi 32\n\nopenssl processes will hangup and there is error reported like this:\n virtio_crypto virtio0: dataq.0:id 3 is not a head!\n\nIt seems that the data virtqueue need protection when it is handled\nfor virtio done notification. If the spinlock protection is added\nin virtcrypto_done_task(), openssl benchmark with multiple processes\nworks well."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T03:16:41.797Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/552475d0b6cece73a52c0fa5faa0ce45e99df74b"
},
{
"url": "https://git.kernel.org/stable/c/8ee8ccfd60bf17cbdab91069d324b5302f4f3a30"
},
{
"url": "https://git.kernel.org/stable/c/c9e594194795c86ca753ad6ed64c2762e9309d0d"
},
{
"url": "https://git.kernel.org/stable/c/d6f0d586808689963e58fd739bed626ff5013b24"
},
{
"url": "https://git.kernel.org/stable/c/c0a0ded3bb7fd45f720faa48449a930153257d3a"
},
{
"url": "https://git.kernel.org/stable/c/e69a7b0a71b6561b3b6459f1fded8d589f2e8ac2"
},
{
"url": "https://git.kernel.org/stable/c/49c57c6c108931a914ed94e3c0ddb974008260a3"
},
{
"url": "https://git.kernel.org/stable/c/b505047ffc8057555900d2d3a005d033e6967382"
}
],
"title": "crypto: virtio - Add spinlock protection with virtqueue notification",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23229",
"datePublished": "2026-02-18T14:53:33.015Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-02-23T03:16:41.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23224 (GCVE-0-2026-23224)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16
VLAI?
EPSS
Title
erofs: fix UAF issue for file-backed mounts w/ directio option
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix UAF issue for file-backed mounts w/ directio option
[ 9.269940][ T3222] Call trace:
[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108
[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198
[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180
[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24
[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac
[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220
[ 9.270083][ T3222] filemap_read_folio+0x60/0x120
[ 9.270102][ T3222] filemap_fault+0xcac/0x1060
[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554
[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c
[ 9.270142][ T3222] do_page_fault+0x178/0x88c
[ 9.270167][ T3222] do_translation_fault+0x38/0x54
[ 9.270183][ T3222] do_mem_abort+0x54/0xac
[ 9.270208][ T3222] el0_da+0x44/0x7c
[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4
[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0
EROFS may encounter above panic when enabling file-backed mount w/
directio mount option, the root cause is it may suffer UAF in below
race condition:
- z_erofs_read_folio wq s_dio_done_wq
- z_erofs_runqueue
- erofs_fileio_submit_bio
- erofs_fileio_rq_submit
- vfs_iocb_iter_read
- ext4_file_read_iter
- ext4_dio_read_iter
- iomap_dio_rw
: bio was submitted and return -EIOCBQUEUED
- dio_aio_complete_work
- dio_complete
- dio->iocb->ki_complete (erofs_fileio_ki_complete())
- kfree(rq)
: it frees iocb, iocb.ki_filp can be UAF in file_accessed().
- file_accessed
: access NULL file point
Introduce a reference count in struct erofs_fileio_rq, and initialize it
as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will
decrease reference count, the last one decreasing the reference count
to zero will free rq.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
fb176750266a3d7f42ebdcf28e8ba40350b27847 , < ae385826840a3c8e09bf38cac90adcd690716f57
(git)
Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < d741534302f71c511eb0bb670b92eaa7df4a0aec (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa (git) Affected: fb176750266a3d7f42ebdcf28e8ba40350b27847 , < 1caf50ce4af096d0280d59a31abdd85703cd995c (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae385826840a3c8e09bf38cac90adcd690716f57",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "d741534302f71c511eb0bb670b92eaa7df4a0aec",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
},
{
"lessThan": "1caf50ce4af096d0280d59a31abdd85703cd995c",
"status": "affected",
"version": "fb176750266a3d7f42ebdcf28e8ba40350b27847",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.72",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.72",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.11",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix UAF issue for file-backed mounts w/ directio option\n\n[ 9.269940][ T3222] Call trace:\n[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108\n[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198\n[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180\n[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24\n[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac\n[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220\n[ 9.270083][ T3222] filemap_read_folio+0x60/0x120\n[ 9.270102][ T3222] filemap_fault+0xcac/0x1060\n[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554\n[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c\n[ 9.270142][ T3222] do_page_fault+0x178/0x88c\n[ 9.270167][ T3222] do_translation_fault+0x38/0x54\n[ 9.270183][ T3222] do_mem_abort+0x54/0xac\n[ 9.270208][ T3222] el0_da+0x44/0x7c\n[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4\n[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0\n\nEROFS may encounter above panic when enabling file-backed mount w/\ndirectio mount option, the root cause is it may suffer UAF in below\nrace condition:\n\n- z_erofs_read_folio wq s_dio_done_wq\n - z_erofs_runqueue\n - erofs_fileio_submit_bio\n - erofs_fileio_rq_submit\n - vfs_iocb_iter_read\n - ext4_file_read_iter\n - ext4_dio_read_iter\n - iomap_dio_rw\n : bio was submitted and return -EIOCBQUEUED\n - dio_aio_complete_work\n - dio_complete\n - dio-\u003eiocb-\u003eki_complete (erofs_fileio_ki_complete())\n - kfree(rq)\n : it frees iocb, iocb.ki_filp can be UAF in file_accessed().\n - file_accessed\n : access NULL file point\n\nIntroduce a reference count in struct erofs_fileio_rq, and initialize it\nas two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will\ndecrease reference count, the last one decreasing the reference count\nto zero will free rq."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T03:16:31.463Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57"
},
{
"url": "https://git.kernel.org/stable/c/d741534302f71c511eb0bb670b92eaa7df4a0aec"
},
{
"url": "https://git.kernel.org/stable/c/b2ee5e4d5446babd23ff7beb4e636be0fb3ea5aa"
},
{
"url": "https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c"
}
],
"title": "erofs: fix UAF issue for file-backed mounts w/ directio option",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23224",
"datePublished": "2026-02-18T14:53:27.462Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-02-23T03:16:31.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23225 (GCVE-0-2026-23225)
Vulnerability from cvelistv5 – Published: 2026-02-18 14:53 – Updated: 2026-02-23 03:16
VLAI?
EPSS
Title
sched/mmcid: Don't assume CID is CPU owned on mode switch
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/mmcid: Don't assume CID is CPU owned on mode switch
Shinichiro reported a KASAN UAF, which is actually an out of bounds access
in the MMCID management code.
CPU0 CPU1
T1 runs in userspace
T0: fork(T4) -> Switch to per CPU CID mode
fixup() set MM_CID_TRANSIT on T1/CPU1
T4 exit()
T3 exit()
T2 exit()
T1 exit() switch to per task mode
---> Out of bounds access.
As T1 has not scheduled after T0 set the TRANSIT bit, it exits with the
TRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in
the task and drops the CID, but it does not touch the per CPU storage.
That's functionally correct because a CID is only owned by the CPU when
the ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.
Now sched_mm_cid_exit() assumes that the CID is CPU owned because the
prior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the
not set ONCPU bit and then invokes clear_bit() with an insanely large
bit number because TRANSIT is set (bit 29).
Prevent that by actually validating that the CID is CPU owned in
mm_drop_cid_on_cpu().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/core.c",
"kernel/sched/sched.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "81f29975631db8a78651b3140ecd0f88ffafc476",
"status": "affected",
"version": "007d84287c7466ca68a5809b616338214dc5b77b",
"versionType": "git"
},
{
"lessThan": "1e83ccd5921a610ef409a7d4e56db27822b4ea39",
"status": "affected",
"version": "007d84287c7466ca68a5809b616338214dc5b77b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/core.c",
"kernel/sched/sched.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.1",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/mmcid: Don\u0027t assume CID is CPU owned on mode switch\n\nShinichiro reported a KASAN UAF, which is actually an out of bounds access\nin the MMCID management code.\n\n CPU0\t\t\t\t\t\tCPU1\n \t\t\t\t\t\tT1 runs in userspace\n T0: fork(T4) -\u003e Switch to per CPU CID mode\n fixup() set MM_CID_TRANSIT on T1/CPU1\n T4 exit()\n T3 exit()\n T2 exit()\n\t\t\t\t\t\tT1 exit() switch to per task mode\n\t\t\t\t\t\t ---\u003e Out of bounds access.\n\nAs T1 has not scheduled after T0 set the TRANSIT bit, it exits with the\nTRANSIT bit set. sched_mm_cid_remove_user() clears the TRANSIT bit in\nthe task and drops the CID, but it does not touch the per CPU storage.\nThat\u0027s functionally correct because a CID is only owned by the CPU when\nthe ONCPU bit is set, which is mutually exclusive with the TRANSIT flag.\n\nNow sched_mm_cid_exit() assumes that the CID is CPU owned because the\nprior mode was per CPU. It invokes mm_drop_cid_on_cpu() which clears the\nnot set ONCPU bit and then invokes clear_bit() with an insanely large\nbit number because TRANSIT is set (bit 29).\n\nPrevent that by actually validating that the CID is CPU owned in\nmm_drop_cid_on_cpu()."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T03:16:33.442Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476"
},
{
"url": "https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39"
}
],
"title": "sched/mmcid: Don\u0027t assume CID is CPU owned on mode switch",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23225",
"datePublished": "2026-02-18T14:53:28.387Z",
"dateReserved": "2026-01-13T15:37:45.987Z",
"dateUpdated": "2026-02-23T03:16:33.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…