Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0558
Vulnerability from certfr_avis - Published: 2026-05-11 - Updated: 2026-05-11
De multiples vulnérabilités ont été découvertes dans Microsoft Azure Linux. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Azure Linux | azl3 kernel 6.6.137.1-2 versions antérieures à 6.6.138.1-1 | ||
| Microsoft | Azure Linux | azl3 kf-kcoreaddons 5.249.0-1 versions antérieures à 5.249.0-2 | ||
| Microsoft | Azure Linux | azl3 firewalld 2.0.2-3 versions antérieures à 2.0.2-4 | ||
| Microsoft | Azure Linux | azl3 python-pip 24.2-6 versions antérieures à 24.2-7 | ||
| Microsoft | Azure Linux | azl3 nano 6.4-2 versions antérieures à 6.4-3 | ||
| Microsoft | Azure Linux | azl3 frr 10.5.0-3 versions antérieures à 10.5.4-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 kernel 6.6.137.1-2 versions ant\u00e9rieures \u00e0 6.6.138.1-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kf-kcoreaddons 5.249.0-1 versions ant\u00e9rieures \u00e0 5.249.0-2",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 firewalld 2.0.2-3 versions ant\u00e9rieures \u00e0 2.0.2-4",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 python-pip 24.2-6 versions ant\u00e9rieures \u00e0 24.2-7",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nano 6.4-2 versions ant\u00e9rieures \u00e0 6.4-3",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 frr 10.5.0-3 versions ant\u00e9rieures \u00e0 10.5.4-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-43305",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43305"
},
{
"name": "CVE-2026-43292",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43292"
},
{
"name": "CVE-2026-43274",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43274"
},
{
"name": "CVE-2025-71290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71290"
},
{
"name": "CVE-2026-43306",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43306"
},
{
"name": "CVE-2026-43284",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43284"
},
{
"name": "CVE-2026-43201",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43201"
},
{
"name": "CVE-2026-6843",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6843"
},
{
"name": "CVE-2026-43243",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43243"
},
{
"name": "CVE-2025-71294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71294"
},
{
"name": "CVE-2026-3219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3219"
},
{
"name": "CVE-2026-6842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6842"
},
{
"name": "CVE-2026-41526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41526"
},
{
"name": "CVE-2026-43400",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43400"
},
{
"name": "CVE-2026-43398",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43398"
},
{
"name": "CVE-2026-43228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43228"
},
{
"name": "CVE-2026-4948",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4948"
},
{
"name": "CVE-2026-43300",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43300"
},
{
"name": "CVE-2026-43191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43191"
},
{
"name": "CVE-2026-43176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43176"
},
{
"name": "CVE-2026-43237",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43237"
},
{
"name": "CVE-2026-43474",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43474"
},
{
"name": "CVE-2026-43195",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43195"
},
{
"name": "CVE-2025-71302",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71302"
},
{
"name": "CVE-2025-71293",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71293"
},
{
"name": "CVE-2026-43267",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43267"
},
{
"name": "CVE-2026-43165",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43165"
},
{
"name": "CVE-2026-43321",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43321"
},
{
"name": "CVE-2026-43320",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-43320"
},
{
"name": "CVE-2025-71299",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-71299"
},
{
"name": "CVE-2026-37457",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37457"
}
],
"initial_release_date": "2026-05-11T00:00:00",
"last_revision_date": "2026-05-11T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0558",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure Linux. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Linux",
"vendor_advisories": [
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43400",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43400"
},
{
"published_at": "2026-05-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-4948",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-4948"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71293",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71293"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43284",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43284"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43300",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43300"
},
{
"published_at": "2026-05-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-37457",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-37457"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71290",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71290"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43243",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43243"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71294",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71294"
},
{
"published_at": "2026-05-03",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6843",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6843"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43165",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43165"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43237",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43237"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43201",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43201"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43306",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43306"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43321",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43321"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71299",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71299"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43267",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43267"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43274",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43274"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43320",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43320"
},
{
"published_at": "2026-04-23",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-3219",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3219"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43195",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43195"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43228",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43228"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43191",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43191"
},
{
"published_at": "2026-05-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-41526",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41526"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43292",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43292"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43305",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43305"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43398",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43398"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43474",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43474"
},
{
"published_at": "2026-05-03",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-6842",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-6842"
},
{
"published_at": "2026-05-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43176",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43176"
},
{
"published_at": "2026-05-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-71302",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-71302"
}
]
}
CVE-2025-71290 (GCVE-0-2025-71290)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:32 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
misc: ti_fpc202: fix a potential memory leak in probe function
Summary
In the Linux kernel, the following vulnerability has been resolved:
misc: ti_fpc202: fix a potential memory leak in probe function
Use for_each_child_of_node_scoped() to simplify the code and ensure the
device node reference is automatically released when the loop scope
ends.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330 , < d2975604bf1ba36ffc5a08fe8da97fd63b91c4f1
(git)
Affected: 1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330 , < dd16f314cb10e6807c74402efdfa2cccc1f15907 (git) Affected: 1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330 , < dad9f13d967b4e53e8eaf5f9c690f8e778ad9802 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/ti_fpc202.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2975604bf1ba36ffc5a08fe8da97fd63b91c4f1",
"status": "affected",
"version": "1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330",
"versionType": "git"
},
{
"lessThan": "dd16f314cb10e6807c74402efdfa2cccc1f15907",
"status": "affected",
"version": "1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330",
"versionType": "git"
},
{
"lessThan": "dad9f13d967b4e53e8eaf5f9c690f8e778ad9802",
"status": "affected",
"version": "1e5c9b1efa1c37ef3fc5c67b1c6e7025ec7b2330",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/ti_fpc202.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ti_fpc202: fix a potential memory leak in probe function\n\nUse for_each_child_of_node_scoped() to simplify the code and ensure the\ndevice node reference is automatically released when the loop scope\nends."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:20.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2975604bf1ba36ffc5a08fe8da97fd63b91c4f1"
},
{
"url": "https://git.kernel.org/stable/c/dd16f314cb10e6807c74402efdfa2cccc1f15907"
},
{
"url": "https://git.kernel.org/stable/c/dad9f13d967b4e53e8eaf5f9c690f8e778ad9802"
}
],
"title": "misc: ti_fpc202: fix a potential memory leak in probe function",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71290",
"datePublished": "2026-05-06T11:32:22.378Z",
"dateReserved": "2026-05-06T11:31:45.509Z",
"dateUpdated": "2026-05-11T21:57:20.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41526 (GCVE-0-2026-41526)
Vulnerability from cvelistv5 – Published: 2026-04-28 00:00 – Updated: 2026-04-28 13:07
VLAI?
EPSS
Summary
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
Severity ?
6.5 (Medium)
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| KDE | KCoreAddons |
Affected:
0 , < 6.25
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:00:44.980535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T13:07:56.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "KCoreAddons",
"vendor": "KDE",
"versions": [
{
"lessThan": "6.25",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \\x01 can be used during injection."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T06:52:22.174Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://invent.kde.org/frameworks/kcoreaddons/"
},
{
"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L43-L49"
},
{
"url": "https://github.com/KDE/kcoreaddons/blob/50d360736c399502fedf203e95482b0d0e5a3ea2/src/lib/util/kshell.h#L168"
},
{
"url": "https://github.com/KDE/kcoreaddons/releases/tag/v6.25.0"
},
{
"url": "https://kde.org/info/security/advisory-20260427-1.txt"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-41526",
"datePublished": "2026-04-28T00:00:00.000Z",
"dateReserved": "2026-04-20T00:00:00.000Z",
"dateUpdated": "2026-04-28T13:07:56.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43300 (GCVE-0-2026-43300)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()
In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it
may be NULL:
if (!jdi)
mipi_dsi_detach(dsi);
However, when jdi is NULL, the function does not return and continues by
calling jdi_panel_disable():
err = jdi_panel_disable(&jdi->base);
Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can
lead to a NULL-pointer dereference:
struct jdi_panel *jdi = to_panel_jdi(panel);
backlight_disable(jdi->backlight);
To prevent such a potential NULL-pointer dereference, return early from
jdi_panel_dsi_remove() when jdi is NULL.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
25205087df1ffe06ccea9302944ed1f77dc68c6f , < ec2f37bbb733cdd7ed7d04171fca728a532414d5
(git)
Affected: 25205087df1ffe06ccea9302944ed1f77dc68c6f , < 2f5427d8726b22b807beec248d7d6bf88e291e0b (git) Affected: 25205087df1ffe06ccea9302944ed1f77dc68c6f , < 83ce0085fabf757b039322928188ad78e962d609 (git) Affected: 25205087df1ffe06ccea9302944ed1f77dc68c6f , < 95eed73b871111123a8b1d31cb1fce7e902e49ea (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec2f37bbb733cdd7ed7d04171fca728a532414d5",
"status": "affected",
"version": "25205087df1ffe06ccea9302944ed1f77dc68c6f",
"versionType": "git"
},
{
"lessThan": "2f5427d8726b22b807beec248d7d6bf88e291e0b",
"status": "affected",
"version": "25205087df1ffe06ccea9302944ed1f77dc68c6f",
"versionType": "git"
},
{
"lessThan": "83ce0085fabf757b039322928188ad78e962d609",
"status": "affected",
"version": "25205087df1ffe06ccea9302944ed1f77dc68c6f",
"versionType": "git"
},
{
"lessThan": "95eed73b871111123a8b1d31cb1fce7e902e49ea",
"status": "affected",
"version": "25205087df1ffe06ccea9302944ed1f77dc68c6f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panel/panel-jdi-lpm102a188a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()\n\nIn jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it\nmay be NULL:\n\n if (!jdi)\n mipi_dsi_detach(dsi);\n\nHowever, when jdi is NULL, the function does not return and continues by\ncalling jdi_panel_disable():\n\n err = jdi_panel_disable(\u0026jdi-\u003ebase);\n\nInside jdi_panel_disable(), jdi is dereferenced unconditionally, which can\nlead to a NULL-pointer dereference:\n\n struct jdi_panel *jdi = to_panel_jdi(panel);\n backlight_disable(jdi-\u003ebacklight);\n\nTo prevent such a potential NULL-pointer dereference, return early from\njdi_panel_dsi_remove() when jdi is NULL."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:53.416Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec2f37bbb733cdd7ed7d04171fca728a532414d5"
},
{
"url": "https://git.kernel.org/stable/c/2f5427d8726b22b807beec248d7d6bf88e291e0b"
},
{
"url": "https://git.kernel.org/stable/c/83ce0085fabf757b039322928188ad78e962d609"
},
{
"url": "https://git.kernel.org/stable/c/95eed73b871111123a8b1d31cb1fce7e902e49ea"
}
],
"title": "drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43300",
"datePublished": "2026-05-08T13:11:21.530Z",
"dateReserved": "2026-05-01T14:12:56.000Z",
"dateUpdated": "2026-05-11T22:21:53.416Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71294 (GCVE-0-2025-71294)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:32 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
drm/amdgpu: fix NULL pointer issue buffer funcs
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix NULL pointer issue buffer funcs
If SDMA block not enabled, buffer_funcs will not initialize,
fix the null pointer issue if buffer_funcs not initialized.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b70438004a14f4d0f9890b3297cd66248728546c , < 29fd416e0e08aa6d5a97fd313749d08d83de0826
(git)
Affected: b70438004a14f4d0f9890b3297cd66248728546c , < 276028fd9b60bbcc68796d1124b6b58298f4ca8a (git) Affected: b70438004a14f4d0f9890b3297cd66248728546c , < 3e849a93bff40f0c88a8aafba062b1de0ec2797b (git) Affected: b70438004a14f4d0f9890b3297cd66248728546c , < 9877a865d62c9c3e0f4cc369dc9ca9f7f24f5ee9 (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29fd416e0e08aa6d5a97fd313749d08d83de0826",
"status": "affected",
"version": "b70438004a14f4d0f9890b3297cd66248728546c",
"versionType": "git"
},
{
"lessThan": "276028fd9b60bbcc68796d1124b6b58298f4ca8a",
"status": "affected",
"version": "b70438004a14f4d0f9890b3297cd66248728546c",
"versionType": "git"
},
{
"lessThan": "3e849a93bff40f0c88a8aafba062b1de0ec2797b",
"status": "affected",
"version": "b70438004a14f4d0f9890b3297cd66248728546c",
"versionType": "git"
},
{
"lessThan": "9877a865d62c9c3e0f4cc369dc9ca9f7f24f5ee9",
"status": "affected",
"version": "b70438004a14f4d0f9890b3297cd66248728546c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer issue buffer funcs\n\nIf SDMA block not enabled, buffer_funcs will not initialize,\nfix the null pointer issue if buffer_funcs not initialized."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:25.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29fd416e0e08aa6d5a97fd313749d08d83de0826"
},
{
"url": "https://git.kernel.org/stable/c/276028fd9b60bbcc68796d1124b6b58298f4ca8a"
},
{
"url": "https://git.kernel.org/stable/c/3e849a93bff40f0c88a8aafba062b1de0ec2797b"
},
{
"url": "https://git.kernel.org/stable/c/9877a865d62c9c3e0f4cc369dc9ca9f7f24f5ee9"
}
],
"title": "drm/amdgpu: fix NULL pointer issue buffer funcs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71294",
"datePublished": "2026-05-06T11:32:25.247Z",
"dateReserved": "2026-05-06T11:31:45.510Z",
"dateUpdated": "2026-05-11T21:57:25.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43400 (GCVE-0-2026-43400)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
drm/amdgpu: add upper bound check on user inputs in signal ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: add upper bound check on user inputs in signal ioctl
Huge input values in amdgpu_userq_signal_ioctl can lead to a OOM and
could be exploited.
So check these input value against AMDGPU_USERQ_MAX_HANDLES
which is big enough value for genuine use cases and could
potentially avoid OOM.
(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a292fdecd72834b3bec380baa5db1e69e7f70679 , < 6fff5204d8aa26b1be50b6427f833bd3e8899c4f
(git)
Affected: a292fdecd72834b3bec380baa5db1e69e7f70679 , < 46630d966b99b0fc6cb01fef4110587f3375a0c0 (git) Affected: a292fdecd72834b3bec380baa5db1e69e7f70679 , < ea78f8c68f4f6211c557df49174c54d167821962 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6fff5204d8aa26b1be50b6427f833bd3e8899c4f",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
},
{
"lessThan": "46630d966b99b0fc6cb01fef4110587f3375a0c0",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
},
{
"lessThan": "ea78f8c68f4f6211c557df49174c54d167821962",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add upper bound check on user inputs in signal ioctl\n\nHuge input values in amdgpu_userq_signal_ioctl can lead to a OOM and\ncould be exploited.\n\nSo check these input value against AMDGPU_USERQ_MAX_HANDLES\nwhich is big enough value for genuine use cases and could\npotentially avoid OOM.\n\n(cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:51.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f"
},
{
"url": "https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0"
},
{
"url": "https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962"
}
],
"title": "drm/amdgpu: add upper bound check on user inputs in signal ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43400",
"datePublished": "2026-05-08T14:21:42.225Z",
"dateReserved": "2026-05-01T14:12:56.007Z",
"dateUpdated": "2026-05-11T22:23:51.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43306 (GCVE-0-2026-43306)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 22:22
VLAI?
EPSS
Title
bpf: crypto: Use the correct destructor kfunc type
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: crypto: Use the correct destructor kfunc type
With CONFIG_CFI enabled, the kernel strictly enforces that indirect
function calls use a function pointer type that matches the target
function. I ran into the following type mismatch when running BPF
self-tests:
CFI failure at bpf_obj_free_fields+0x190/0x238 (target:
bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)
Internal error: Oops - CFI: 00000000f2008228 [#1] SMP
...
As bpf_crypto_ctx_release() is also used in BPF programs and using
a void pointer as the argument would make the verifier unhappy, add
a simple stub function with the correct type and register it as the
destructor kfunc instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < 4e3e57dbf46dad3498f8c4219ce2dba756875962
(git)
Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < 50d6fd69388cc7b05dce72f09080674dcede4ac9 (git) Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < 3979a550fe06b370d73647f59cf462fa525c9ec4 (git) Affected: 3e1c6f35409f9e447bf37f64840f5b65576bfb78 , < b40a5d724f29fc2eed23ff353808a9aae616b48a (git) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e3e57dbf46dad3498f8c4219ce2dba756875962",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
},
{
"lessThan": "50d6fd69388cc7b05dce72f09080674dcede4ac9",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
},
{
"lessThan": "3979a550fe06b370d73647f59cf462fa525c9ec4",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
},
{
"lessThan": "b40a5d724f29fc2eed23ff353808a9aae616b48a",
"status": "affected",
"version": "3e1c6f35409f9e447bf37f64840f5b65576bfb78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/crypto.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: crypto: Use the correct destructor kfunc type\n\nWith CONFIG_CFI enabled, the kernel strictly enforces that indirect\nfunction calls use a function pointer type that matches the target\nfunction. I ran into the following type mismatch when running BPF\nself-tests:\n\n CFI failure at bpf_obj_free_fields+0x190/0x238 (target:\n bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc)\n Internal error: Oops - CFI: 00000000f2008228 [#1] SMP\n ...\n\nAs bpf_crypto_ctx_release() is also used in BPF programs and using\na void pointer as the argument would make the verifier unhappy, add\na simple stub function with the correct type and register it as the\ndestructor kfunc instead."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:00.468Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962"
},
{
"url": "https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9"
},
{
"url": "https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4"
},
{
"url": "https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a"
}
],
"title": "bpf: crypto: Use the correct destructor kfunc type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43306",
"datePublished": "2026-05-08T13:11:25.624Z",
"dateReserved": "2026-05-01T14:12:56.000Z",
"dateUpdated": "2026-05-11T22:22:00.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71293 (GCVE-0-2025-71293)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:32 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
drm/amdgpu/ras: Move ras data alloc before bad page check
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/ras: Move ras data alloc before bad page check
In the rare event if eeprom has only invalid address entries,
allocation is skipped, this causes following NULL pointer issue
[ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 547.118897] #PF: supervisor read access in kernel mode
[ 547.130292] #PF: error_code(0x0000) - not-present page
[ 547.141689] PGD 124757067 P4D 0
[ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu
[ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025
[ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]
[ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76
[ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246
[ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000
[ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800
[ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000
[ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092
[ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000
[ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0
[ 547.389321] PKRU: 55555554
[ 547.395316] Call Trace:
[ 547.400737] <TASK>
[ 547.405386] ? show_regs+0x6d/0x80
[ 547.412929] ? __die+0x24/0x80
[ 547.419697] ? page_fault_oops+0x99/0x1b0
[ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0
[ 547.438249] ? exc_page_fault+0x83/0x1b0
[ 547.446949] ? asm_exc_page_fault+0x27/0x30
[ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]
[ 547.470040] ? mas_wr_modify+0xcd/0x140
[ 547.478548] sysfs_kf_bin_read+0x63/0xb0
[ 547.487248] kernfs_file_read_iter+0xa1/0x190
[ 547.496909] kernfs_fop_read_iter+0x25/0x40
[ 547.506182] vfs_read+0x255/0x390
This also result in space left assigned to negative values.
Moving data alloc call before bad page check resolves both the issue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d45c5e6845a76169ef3d6076f0f04487e5776905 , < 0b7f78caeffa51a1afa521c284e863ec3b5a36df
(git)
Affected: d45c5e6845a76169ef3d6076f0f04487e5776905 , < 5c685235b60459381e959109b416a63db4d8dbac (git) Affected: d45c5e6845a76169ef3d6076f0f04487e5776905 , < bd68a1404b6fa2e7e9957b38ba22616faba43e75 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b7f78caeffa51a1afa521c284e863ec3b5a36df",
"status": "affected",
"version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
"versionType": "git"
},
{
"lessThan": "5c685235b60459381e959109b416a63db4d8dbac",
"status": "affected",
"version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
"versionType": "git"
},
{
"lessThan": "bd68a1404b6fa2e7e9957b38ba22616faba43e75",
"status": "affected",
"version": "d45c5e6845a76169ef3d6076f0f04487e5776905",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/ras: Move ras data alloc before bad page check\n\nIn the rare event if eeprom has only invalid address entries,\nallocation is skipped, this causes following NULL pointer issue\n[ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010\n[ 547.118897] #PF: supervisor read access in kernel mode\n[ 547.130292] #PF: error_code(0x0000) - not-present page\n[ 547.141689] PGD 124757067 P4D 0\n[ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu\n[ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025\n[ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 \u003c48\u003e 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76\n[ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246\n[ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000\n[ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800\n[ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000\n[ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n[ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092\n[ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000\n[ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0\n[ 547.389321] PKRU: 55555554\n[ 547.395316] Call Trace:\n[ 547.400737] \u003cTASK\u003e\n[ 547.405386] ? show_regs+0x6d/0x80\n[ 547.412929] ? __die+0x24/0x80\n[ 547.419697] ? page_fault_oops+0x99/0x1b0\n[ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0\n[ 547.438249] ? exc_page_fault+0x83/0x1b0\n[ 547.446949] ? asm_exc_page_fault+0x27/0x30\n[ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu]\n[ 547.470040] ? mas_wr_modify+0xcd/0x140\n[ 547.478548] sysfs_kf_bin_read+0x63/0xb0\n[ 547.487248] kernfs_file_read_iter+0xa1/0x190\n[ 547.496909] kernfs_fop_read_iter+0x25/0x40\n[ 547.506182] vfs_read+0x255/0x390\n\nThis also result in space left assigned to negative values.\nMoving data alloc call before bad page check resolves both the issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:23.917Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df"
},
{
"url": "https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac"
},
{
"url": "https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75"
}
],
"title": "drm/amdgpu/ras: Move ras data alloc before bad page check",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71293",
"datePublished": "2026-05-06T11:32:24.583Z",
"dateReserved": "2026-05-06T11:31:45.510Z",
"dateUpdated": "2026-05-11T21:57:23.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43191 (GCVE-0-2026-43191)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35
[Why]
A backport of the change made for DCN401 that addresses an issue where
we turn off the PHY PLL when disabling TMDS output, which causes the
OTG to remain stuck.
The OTG being stuck can lead to a hang in the DCHVM's ability to ACK
invalidations when it thinks the HUBP is still on but it's not receiving
global sync.
The transition to PLL_ON needs to be atomic as there's no guarantee
that the thread isn't pre-empted or is able to complete before the
IOMMU watchdog times out.
[How]
Backport the implementation from dcn401 back to dcn35.
There's a functional difference in when the eDP output is disabled in
dcn401 code so we don't want to utilize it directly.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ec129fa356bea5411cb16833cc5dab32689ea389 , < d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51
(git)
Affected: ec129fa356bea5411cb16833cc5dab32689ea389 , < 75372d75a4e23783583998ed99d5009d555850da (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c",
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h",
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51",
"status": "affected",
"version": "ec129fa356bea5411cb16833cc5dab32689ea389",
"versionType": "git"
},
{
"lessThan": "75372d75a4e23783583998ed99d5009d555850da",
"status": "affected",
"version": "ec129fa356bea5411cb16833cc5dab32689ea389",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c",
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h",
"drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35\n\n[Why]\nA backport of the change made for DCN401 that addresses an issue where\nwe turn off the PHY PLL when disabling TMDS output, which causes the\nOTG to remain stuck.\n\nThe OTG being stuck can lead to a hang in the DCHVM\u0027s ability to ACK\ninvalidations when it thinks the HUBP is still on but it\u0027s not receiving\nglobal sync.\n\nThe transition to PLL_ON needs to be atomic as there\u0027s no guarantee\nthat the thread isn\u0027t pre-empted or is able to complete before the\nIOMMU watchdog times out.\n\n[How]\nBackport the implementation from dcn401 back to dcn35.\n\nThere\u0027s a functional difference in when the eDP output is disabled in\ndcn401 code so we don\u0027t want to utilize it directly."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:36.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51"
},
{
"url": "https://git.kernel.org/stable/c/75372d75a4e23783583998ed99d5009d555850da"
}
],
"title": "drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43191",
"datePublished": "2026-05-06T11:28:00.470Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:36.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43292 (GCVE-0-2026-43292)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during
vmalloc cleanup triggers expensive stack unwinding that acquires RCU read
locks. Processing a large purge_list without rescheduling can cause the
task to hold CPU for extended periods (10+ seconds), leading to RCU stalls
and potential OOM conditions.
The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node()
where iterating through hundreds or thousands of vmap_area entries and
freeing their associated shadow pages causes:
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l
...
task:kworker/0:17 state:R running task stack:28840 pid:6229
...
kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299
purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299
Each call to kasan_release_vmalloc() can free many pages, and with
page_owner tracking, each free triggers save_stack() which performs stack
unwinding under RCU read lock. Without yielding, this creates an
unbounded RCU critical section.
Add periodic cond_resched() calls within the loop to allow:
- RCU grace periods to complete
- Other tasks to run
- Scheduler to preempt when needed
The fix uses need_resched() for immediate response under load, with a
batch count of 32 as a guaranteed upper bound to prevent worst-case stalls
even under light load.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
282631cb2447318e2a55b41a665dbe8571c46d70 , < 2efa9c02c9b4c0d6866aa445f11056809b25ca28
(git)
Affected: 282631cb2447318e2a55b41a665dbe8571c46d70 , < 1afe45f89d54b7183768ebbbbf14238ec187ab5c (git) Affected: 282631cb2447318e2a55b41a665dbe8571c46d70 , < b351fbe71091f7c8676c8ba597653d08b6719447 (git) Affected: 282631cb2447318e2a55b41a665dbe8571c46d70 , < 5747435e0fd474c24530ef1a6822f47e7d264b27 (git) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/vmalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2efa9c02c9b4c0d6866aa445f11056809b25ca28",
"status": "affected",
"version": "282631cb2447318e2a55b41a665dbe8571c46d70",
"versionType": "git"
},
{
"lessThan": "1afe45f89d54b7183768ebbbbf14238ec187ab5c",
"status": "affected",
"version": "282631cb2447318e2a55b41a665dbe8571c46d70",
"versionType": "git"
},
{
"lessThan": "b351fbe71091f7c8676c8ba597653d08b6719447",
"status": "affected",
"version": "282631cb2447318e2a55b41a665dbe8571c46d70",
"versionType": "git"
},
{
"lessThan": "5747435e0fd474c24530ef1a6822f47e7d264b27",
"status": "affected",
"version": "282631cb2447318e2a55b41a665dbe8571c46d70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/vmalloc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node\n\nWhen CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during\nvmalloc cleanup triggers expensive stack unwinding that acquires RCU read\nlocks. Processing a large purge_list without rescheduling can cause the\ntask to hold CPU for extended periods (10+ seconds), leading to RCU stalls\nand potential OOM conditions.\n\nThe issue manifests in purge_vmap_node() -\u003e kasan_release_vmalloc_node()\nwhere iterating through hundreds or thousands of vmap_area entries and\nfreeing their associated shadow pages causes:\n\n rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:\n rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l\n ...\n task:kworker/0:17 state:R running task stack:28840 pid:6229\n ...\n kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299\n purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299\n\nEach call to kasan_release_vmalloc() can free many pages, and with\npage_owner tracking, each free triggers save_stack() which performs stack\nunwinding under RCU read lock. Without yielding, this creates an\nunbounded RCU critical section.\n\nAdd periodic cond_resched() calls within the loop to allow:\n- RCU grace periods to complete\n- Other tasks to run\n- Scheduler to preempt when needed\n\nThe fix uses need_resched() for immediate response under load, with a\nbatch count of 32 as a guaranteed upper bound to prevent worst-case stalls\neven under light load."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:44.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2efa9c02c9b4c0d6866aa445f11056809b25ca28"
},
{
"url": "https://git.kernel.org/stable/c/1afe45f89d54b7183768ebbbbf14238ec187ab5c"
},
{
"url": "https://git.kernel.org/stable/c/b351fbe71091f7c8676c8ba597653d08b6719447"
},
{
"url": "https://git.kernel.org/stable/c/5747435e0fd474c24530ef1a6822f47e7d264b27"
}
],
"title": "mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43292",
"datePublished": "2026-05-08T13:11:16.017Z",
"dateReserved": "2026-05-01T14:12:55.999Z",
"dateUpdated": "2026-05-11T22:21:44.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71302 (GCVE-0-2025-71302)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:26 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
drm/panthor: fix for dma-fence safe access rules
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: fix for dma-fence safe access rules
Commit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and document
the rules") details the dma-fence safe access rules. The most common
culprit is that drm_sched_fence_get_timeline_name may race with
group_free_queue.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
de85488138247d034eb3241840424a54d660926b , < ab8c0de60f16d7e0b162ccbbb35fcf1f277c97c2
(git)
Affected: de85488138247d034eb3241840424a54d660926b , < eae60933abd11df013876f647c9edbd35ce67615 (git) Affected: de85488138247d034eb3241840424a54d660926b , < efe24898485c5c831e629d9c6fb9350c35cb576f (git) |
|
| Linux | Linux |
Affected:
6.10
Unaffected: 0 , < 6.10 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ab8c0de60f16d7e0b162ccbbb35fcf1f277c97c2",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "eae60933abd11df013876f647c9edbd35ce67615",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
},
{
"lessThan": "efe24898485c5c831e629d9c6fb9350c35cb576f",
"status": "affected",
"version": "de85488138247d034eb3241840424a54d660926b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/panthor/panthor_sched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: fix for dma-fence safe access rules\n\nCommit 506aa8b02a8d6 (\"dma-fence: Add safe access helpers and document\nthe rules\") details the dma-fence safe access rules. The most common\nculprit is that drm_sched_fence_get_timeline_name may race with\ngroup_free_queue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:34.387Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ab8c0de60f16d7e0b162ccbbb35fcf1f277c97c2"
},
{
"url": "https://git.kernel.org/stable/c/eae60933abd11df013876f647c9edbd35ce67615"
},
{
"url": "https://git.kernel.org/stable/c/efe24898485c5c831e629d9c6fb9350c35cb576f"
}
],
"title": "drm/panthor: fix for dma-fence safe access rules",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71302",
"datePublished": "2026-05-08T13:26:11.418Z",
"dateReserved": "2026-05-08T13:14:33.087Z",
"dateUpdated": "2026-05-11T21:57:34.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-71299 (GCVE-0-2025-71299)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 21:57
VLAI?
EPSS
Title
spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing
The recent refactoring of where runtime PM is enabled done in commit
f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to
avoid imbalance") made the fact that when we do a pm_runtime_disable()
in the error paths of probe() we can trigger a runtime disable which in
turn results in duplicate clock disables. This is particularly likely
to happen when there is missing or broken DT description for the flashes
attached to the controller.
Early on in the probe function we do a pm_runtime_get_noresume() since
the probe function leaves the device in a powered up state but in the
error path we can't assume that PM is enabled so we also manually
disable everything, including clocks. This means that when runtime PM is
active both it and the probe function release the same reference to the
main clock for the IP, triggering warnings from the clock subsystem:
[ 8.693719] clk:75:7 already disabled
[ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb
...
[ 8.694261] clk_core_disable+0xa0/0xb4 (P)
[ 8.694272] clk_disable+0x38/0x60
[ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi]
[ 8.694309] platform_probe+0x5c/0xa4
Dealing with this issue properly is complicated by the fact that we
don't know if runtime PM is active so can't tell if it will disable the
clocks or not. We can, however, sidestep the issue for the flash
descriptions by moving their parsing to when we parse the controller
properties which also save us doing a bunch of setup which can never be
used so let's do that.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3 , < 08dca4c8099a41a9fa3be128a793387603f73a17
(git)
Affected: f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3 , < dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a (git) Affected: f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3 , < 9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3 (git) Affected: 7f3c5e0585250097be39736e6b182c5779b7b609 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "08dca4c8099a41a9fa3be128a793387603f73a17",
"status": "affected",
"version": "f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3",
"versionType": "git"
},
{
"lessThan": "dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a",
"status": "affected",
"version": "f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3",
"versionType": "git"
},
{
"lessThan": "9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3",
"status": "affected",
"version": "f1eb4e792bb1ee3dcdffa66f8a83a4867cda2dd3",
"versionType": "git"
},
{
"status": "affected",
"version": "7f3c5e0585250097be39736e6b182c5779b7b609",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-cadence-quadspi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing\n\nThe recent refactoring of where runtime PM is enabled done in commit\nf1eb4e792bb1 (\"spi: spi-cadence-quadspi: Enable pm runtime earlier to\navoid imbalance\") made the fact that when we do a pm_runtime_disable()\nin the error paths of probe() we can trigger a runtime disable which in\nturn results in duplicate clock disables. This is particularly likely\nto happen when there is missing or broken DT description for the flashes\nattached to the controller.\n\nEarly on in the probe function we do a pm_runtime_get_noresume() since\nthe probe function leaves the device in a powered up state but in the\nerror path we can\u0027t assume that PM is enabled so we also manually\ndisable everything, including clocks. This means that when runtime PM is\nactive both it and the probe function release the same reference to the\nmain clock for the IP, triggering warnings from the clock subsystem:\n\n[ 8.693719] clk:75:7 already disabled\n[ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb\n...\n[ 8.694261] clk_core_disable+0xa0/0xb4 (P)\n[ 8.694272] clk_disable+0x38/0x60\n[ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi]\n[ 8.694309] platform_probe+0x5c/0xa4\n\nDealing with this issue properly is complicated by the fact that we\ndon\u0027t know if runtime PM is active so can\u0027t tell if it will disable the\nclocks or not. We can, however, sidestep the issue for the flash\ndescriptions by moving their parsing to when we parse the controller\nproperties which also save us doing a bunch of setup which can never be\nused so let\u0027s do that."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:57:30.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/08dca4c8099a41a9fa3be128a793387603f73a17"
},
{
"url": "https://git.kernel.org/stable/c/dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a"
},
{
"url": "https://git.kernel.org/stable/c/9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3"
}
],
"title": "spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-71299",
"datePublished": "2026-05-08T13:11:10.518Z",
"dateReserved": "2026-05-06T11:31:45.510Z",
"dateUpdated": "2026-05-11T21:57:30.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43321 (GCVE-0-2026-43321)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:26 – Updated: 2026-05-11 22:22
VLAI?
EPSS
Title
bpf: Properly mark live registers for indirect jumps
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Properly mark live registers for indirect jumps
For a `gotox rX` instruction the rX register should be marked as used
in the compute_insn_live_regs() function. Fix this.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
493d9e0d608339a32f568504d5fd411a261bb0af , < 7beae54111c34ca63357ef120e115889b915beb5
(git)
Affected: 493d9e0d608339a32f568504d5fd411a261bb0af , < d1aab1ca576c90192ba961094d51b0be6355a4d6 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7beae54111c34ca63357ef120e115889b915beb5",
"status": "affected",
"version": "493d9e0d608339a32f568504d5fd411a261bb0af",
"versionType": "git"
},
{
"lessThan": "d1aab1ca576c90192ba961094d51b0be6355a4d6",
"status": "affected",
"version": "493d9e0d608339a32f568504d5fd411a261bb0af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Properly mark live registers for indirect jumps\n\nFor a `gotox rX` instruction the rX register should be marked as used\nin the compute_insn_live_regs() function. Fix this."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:18.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5"
},
{
"url": "https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6"
}
],
"title": "bpf: Properly mark live registers for indirect jumps",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43321",
"datePublished": "2026-05-08T13:26:15.600Z",
"dateReserved": "2026-05-01T14:12:56.001Z",
"dateUpdated": "2026-05-11T22:22:18.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43228 (GCVE-0-2026-43228)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
EPSS
Title
hfs: Replace BUG_ON with error handling for CNID count checks
Summary
In the Linux kernel, the following vulnerability has been resolved:
hfs: Replace BUG_ON with error handling for CNID count checks
In a06ec283e125 next_id, folder_count, and file_count in the super block
info were expanded to 64 bits, and BUG_ONs were added to detect
overflow. This triggered an error reported by syzbot: if the MDB is
corrupted, the BUG_ON is triggered. This patch replaces this mechanism
with proper error handling and resolves the syzbot reported bug.
Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a06ec283e125e334155fe13005c76c9f484ce759 , < b6536c1ced315fa645576d3a39c6e07f2a472962
(git)
Affected: a06ec283e125e334155fe13005c76c9f484ce759 , < b226804532a875c10276168dc55ce752944096bd (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hfs/dir.c",
"fs/hfs/hfs_fs.h",
"fs/hfs/inode.c",
"fs/hfs/mdb.c",
"fs/hfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6536c1ced315fa645576d3a39c6e07f2a472962",
"status": "affected",
"version": "a06ec283e125e334155fe13005c76c9f484ce759",
"versionType": "git"
},
{
"lessThan": "b226804532a875c10276168dc55ce752944096bd",
"status": "affected",
"version": "a06ec283e125e334155fe13005c76c9f484ce759",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hfs/dir.c",
"fs/hfs/hfs_fs.h",
"fs/hfs/inode.c",
"fs/hfs/mdb.c",
"fs/hfs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: Replace BUG_ON with error handling for CNID count checks\n\nIn a06ec283e125 next_id, folder_count, and file_count in the super block\ninfo were expanded to 64 bits, and BUG_ONs were added to detect\noverflow. This triggered an error reported by syzbot: if the MDB is\ncorrupted, the BUG_ON is triggered. This patch replaces this mechanism\nwith proper error handling and resolves the syzbot reported bug.\n\nSinged-off-by: Jori Koolstra \u003cjkoolstra@xs4all.nl\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:20:28.976Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6536c1ced315fa645576d3a39c6e07f2a472962"
},
{
"url": "https://git.kernel.org/stable/c/b226804532a875c10276168dc55ce752944096bd"
}
],
"title": "hfs: Replace BUG_ON with error handling for CNID count checks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43228",
"datePublished": "2026-05-06T11:28:26.292Z",
"dateReserved": "2026-05-01T14:12:55.994Z",
"dateUpdated": "2026-05-11T22:20:28.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43320 (GCVE-0-2026-43320)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:26 – Updated: 2026-05-11 22:22
VLAI?
EPSS
Title
drm/amd/display: Fix dsc eDP issue
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix dsc eDP issue
[why]
Need to add function hook check before use
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3766a840e093d30e1a2522f650d8a6ac892a8719 , < 11718976c53a258c4d107aa05d68773379d0006f
(git)
Affected: 3766a840e093d30e1a2522f650d8a6ac892a8719 , < c10fe9471f3aa352bb9d9329d0b25e28e0672243 (git) Affected: 3766a840e093d30e1a2522f650d8a6ac892a8719 , < 0481be9f12d8324789ccebf1e5fd0704b6e3fc99 (git) Affected: 3766a840e093d30e1a2522f650d8a6ac892a8719 , < 878a4b73c11111ff5f820730f59a7f8c6fd59374 (git) Affected: c9a3c3e2bffe43304fcda9190d17f6b327e538b4 (git) Affected: 9437d60dd00f3caa15e71f84dd5eb3404b141372 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "11718976c53a258c4d107aa05d68773379d0006f",
"status": "affected",
"version": "3766a840e093d30e1a2522f650d8a6ac892a8719",
"versionType": "git"
},
{
"lessThan": "c10fe9471f3aa352bb9d9329d0b25e28e0672243",
"status": "affected",
"version": "3766a840e093d30e1a2522f650d8a6ac892a8719",
"versionType": "git"
},
{
"lessThan": "0481be9f12d8324789ccebf1e5fd0704b6e3fc99",
"status": "affected",
"version": "3766a840e093d30e1a2522f650d8a6ac892a8719",
"versionType": "git"
},
{
"lessThan": "878a4b73c11111ff5f820730f59a7f8c6fd59374",
"status": "affected",
"version": "3766a840e093d30e1a2522f650d8a6ac892a8719",
"versionType": "git"
},
{
"status": "affected",
"version": "c9a3c3e2bffe43304fcda9190d17f6b327e538b4",
"versionType": "git"
},
{
"status": "affected",
"version": "9437d60dd00f3caa15e71f84dd5eb3404b141372",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.11.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dsc eDP issue\n\n[why]\nNeed to add function hook check before use"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:17.034Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/11718976c53a258c4d107aa05d68773379d0006f"
},
{
"url": "https://git.kernel.org/stable/c/c10fe9471f3aa352bb9d9329d0b25e28e0672243"
},
{
"url": "https://git.kernel.org/stable/c/0481be9f12d8324789ccebf1e5fd0704b6e3fc99"
},
{
"url": "https://git.kernel.org/stable/c/878a4b73c11111ff5f820730f59a7f8c6fd59374"
}
],
"title": "drm/amd/display: Fix dsc eDP issue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43320",
"datePublished": "2026-05-08T13:26:14.930Z",
"dateReserved": "2026-05-01T14:12:56.001Z",
"dateUpdated": "2026-05-11T22:22:17.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43237 (GCVE-0-2026-43237)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
EPSS
Title
drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4
This commit simplifies the amdgpu_gem_va_ioctl function, key updates
include:
- Moved the logic for managing the last update fence directly into
amdgpu_gem_va_update_vm.
- Introduced checks for the timeline point to enable conditional
replacement or addition of fences.
v2: Addressed review comments from Christian.
v3: Updated comments (Christian).
v4: The previous version selected the fence too early and did not manage its
reference correctly, which could lead to stale or freed fences being used.
This resulted in refcount underflows and could crash when updating GPU
timelines.
The fence is now chosen only after the VA mapping work is completed, and its
reference is taken safely. After exporting it to the VM timeline syncobj, the
driver always drops its local fence reference, ensuring balanced refcounting
and avoiding use-after-free on dma_fence.
Crash signature:
[ 205.828135] refcount_t: underflow; use-after-free.
[ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
[ 206.074014] Call Trace:
[ 206.076488] <TASK>
[ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]
[ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]
[ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]
[ 206.094415] drm_ioctl+0x26e/0x520 [drm]
[ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]
[ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]
[ 206.109387] __x64_sys_ioctl+0x96/0xe0
[ 206.113156] do_syscall_64+0x66/0x2d0
...
[ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90
...
[ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0
...
[ 206.553405] Call Trace:
[ 206.553409] <IRQ>
[ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]
[ 206.553424] dma_fence_signal+0x30/0x60
[ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]
[ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0
[ 206.553437] dma_fence_signal+0x30/0x60
[ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]
[ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]
[ 206.554353] edac_mce_amd(E) ee1004(E)
[ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]
[ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]
[ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]
[ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0
[ 206.555506] handle_irq_event+0x38/0x80
[ 206.555509] handle_edge_irq+0x92/0x1e0
[ 206.555513] __common_interrupt+0x3e/0xb0
[ 206.555519] common_interrupt+0x80/0xa0
[ 206.555525] </IRQ>
[ 206.555527] <TASK>
...
[ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0
...
[ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
70773bef4e091ff6d2a91e3dfb4f29013eb81f1f , < e9e477d3197f7d8955a042c0d7f53f78f13218ba
(git)
Affected: 70773bef4e091ff6d2a91e3dfb4f29013eb81f1f , < 0399b8416ecf64ef86ad23401fe23eabdb07831a (git) Affected: 70773bef4e091ff6d2a91e3dfb4f29013eb81f1f , < bd8150a1b3370a9f7761c5814202a3fe5a79f44f (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e9e477d3197f7d8955a042c0d7f53f78f13218ba",
"status": "affected",
"version": "70773bef4e091ff6d2a91e3dfb4f29013eb81f1f",
"versionType": "git"
},
{
"lessThan": "0399b8416ecf64ef86ad23401fe23eabdb07831a",
"status": "affected",
"version": "70773bef4e091ff6d2a91e3dfb4f29013eb81f1f",
"versionType": "git"
},
{
"lessThan": "bd8150a1b3370a9f7761c5814202a3fe5a79f44f",
"status": "affected",
"version": "70773bef4e091ff6d2a91e3dfb4f29013eb81f1f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4\n\nThis commit simplifies the amdgpu_gem_va_ioctl function, key updates\ninclude:\n - Moved the logic for managing the last update fence directly into\n amdgpu_gem_va_update_vm.\n - Introduced checks for the timeline point to enable conditional\n replacement or addition of fences.\n\nv2: Addressed review comments from Christian.\nv3: Updated comments (Christian).\nv4: The previous version selected the fence too early and did not manage its\n reference correctly, which could lead to stale or freed fences being used.\n This resulted in refcount underflows and could crash when updating GPU\n timelines.\n The fence is now chosen only after the VA mapping work is completed, and its\n reference is taken safely. After exporting it to the VM timeline syncobj, the\n driver always drops its local fence reference, ensuring balanced refcounting\n and avoiding use-after-free on dma_fence.\n\n\tCrash signature:\n\t[ 205.828135] refcount_t: underflow; use-after-free.\n\t[ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\t...\n\t[ 206.074014] Call Trace:\n\t[ 206.076488] \u003cTASK\u003e\n\t[ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu]\n\t[ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm]\n\t[ 206.094415] drm_ioctl+0x26e/0x520 [drm]\n\t[ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu]\n\t[ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu]\n\t[ 206.109387] __x64_sys_ioctl+0x96/0xe0\n\t[ 206.113156] do_syscall_64+0x66/0x2d0\n\t...\n\t[ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90\n\t...\n\t[ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.553405] Call Trace:\n\t[ 206.553409] \u003cIRQ\u003e\n\t[ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched]\n\t[ 206.553424] dma_fence_signal+0x30/0x60\n\t[ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched]\n\t[ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0\n\t[ 206.553437] dma_fence_signal+0x30/0x60\n\t[ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu]\n\t[ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu]\n\t[ 206.554353] edac_mce_amd(E) ee1004(E)\n\t[ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu]\n\t[ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu]\n\t[ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu]\n\t[ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0\n\t[ 206.555506] handle_irq_event+0x38/0x80\n\t[ 206.555509] handle_edge_irq+0x92/0x1e0\n\t[ 206.555513] __common_interrupt+0x3e/0xb0\n\t[ 206.555519] common_interrupt+0x80/0xa0\n\t[ 206.555525] \u003c/IRQ\u003e\n\t[ 206.555527] \u003cTASK\u003e\n\t...\n\t[ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0\n\t...\n\t[ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:20:39.452Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba"
},
{
"url": "https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a"
},
{
"url": "https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f"
}
],
"title": "drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43237",
"datePublished": "2026-05-06T11:28:32.300Z",
"dateReserved": "2026-05-01T14:12:55.995Z",
"dateUpdated": "2026-05-11T22:20:39.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43176 (GCVE-0-2026-43176)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
wifi: rtw89: pci: validate release report content before using for RTL8922DE
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: pci: validate release report content before using for RTL8922DE
The commit 957eda596c76
("wifi: rtw89: pci: validate sequence number of TX release report")
does validation on existing chips, which somehow a release report of SKB
becomes malformed. As no clear cause found, add rules ahead for RTL8922DE
to avoid crash if it happens.
Severity ?
8.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
110f3c11f440d78ef8a181f75456e24e428f69e4 , < ebeaa3b24ba568ff8505165f954dba15cc53e4b3
(git)
Affected: 110f3c11f440d78ef8a181f75456e24e428f69e4 , < 3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3 (git) Affected: 110f3c11f440d78ef8a181f75456e24e428f69e4 , < 5f93d611b33a05bd03d6843c8efe8cb6a1992620 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ebeaa3b24ba568ff8505165f954dba15cc53e4b3",
"status": "affected",
"version": "110f3c11f440d78ef8a181f75456e24e428f69e4",
"versionType": "git"
},
{
"lessThan": "3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3",
"status": "affected",
"version": "110f3c11f440d78ef8a181f75456e24e428f69e4",
"versionType": "git"
},
{
"lessThan": "5f93d611b33a05bd03d6843c8efe8cb6a1992620",
"status": "affected",
"version": "110f3c11f440d78ef8a181f75456e24e428f69e4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/pci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: pci: validate release report content before using for RTL8922DE\n\nThe commit 957eda596c76\n(\"wifi: rtw89: pci: validate sequence number of TX release report\")\ndoes validation on existing chips, which somehow a release report of SKB\nbecomes malformed. As no clear cause found, add rules ahead for RTL8922DE\nto avoid crash if it happens."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:15.630Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ebeaa3b24ba568ff8505165f954dba15cc53e4b3"
},
{
"url": "https://git.kernel.org/stable/c/3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3"
},
{
"url": "https://git.kernel.org/stable/c/5f93d611b33a05bd03d6843c8efe8cb6a1992620"
}
],
"title": "wifi: rtw89: pci: validate release report content before using for RTL8922DE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43176",
"datePublished": "2026-05-06T11:27:50.150Z",
"dateReserved": "2026-05-01T14:12:55.991Z",
"dateUpdated": "2026-05-11T22:19:15.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43305 (GCVE-0-2026-43305)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path
[Why]
The evaluation for whether we need to use the DMUB HW lock isn't the
same as whether we need to unlock which results in a hang when the
fast path is used for ASIC without FAMS support.
[How]
Store a flag that indicates whether we should use the lock and use
that same flag to specify whether unlocking is needed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
7d041982fe11fff29b32a09228c4d52f159b56ad , < 4e387ad67efb100b645630ffbce7716786f52283
(git)
Affected: 7d041982fe11fff29b32a09228c4d52f159b56ad , < af3303970da5ce5bfe6dffdd07f38f42aad603e0 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4e387ad67efb100b645630ffbce7716786f52283",
"status": "affected",
"version": "7d041982fe11fff29b32a09228c4d52f159b56ad",
"versionType": "git"
},
{
"lessThan": "af3303970da5ce5bfe6dffdd07f38f42aad603e0",
"status": "affected",
"version": "7d041982fe11fff29b32a09228c4d52f159b56ad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path\n\n[Why]\nThe evaluation for whether we need to use the DMUB HW lock isn\u0027t the\nsame as whether we need to unlock which results in a hang when the\nfast path is used for ASIC without FAMS support.\n\n[How]\nStore a flag that indicates whether we should use the lock and use\nthat same flag to specify whether unlocking is needed."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:59.194Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4e387ad67efb100b645630ffbce7716786f52283"
},
{
"url": "https://git.kernel.org/stable/c/af3303970da5ce5bfe6dffdd07f38f42aad603e0"
}
],
"title": "drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43305",
"datePublished": "2026-05-08T13:11:24.952Z",
"dateReserved": "2026-05-01T14:12:56.000Z",
"dateUpdated": "2026-05-11T22:21:59.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43474 (GCVE-0-2026-43474)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
VLAI?
EPSS
Title
fs: init flags_valid before calling vfs_fileattr_get
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: init flags_valid before calling vfs_fileattr_get
syzbot reported a uninit-value bug in [1].
Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.
[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
vfs_fileattr_get fs/file_attr.c:94 [inline]
__do_sys_file_getattr fs/file_attr.c:416 [inline]
Local variable fa.i created at:
__do_sys_file_getattr fs/file_attr.c:380 [inline]
__se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
be7efb2d20d67f334a7de2aef77ae6c69367e646 , < 379e19e820dd1c6145426b97467728b3b89c0b42
(git)
Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < b8c182b2c8c44c6016b11d8af61715ad7ef958a1 (git) Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < cb184dd19154fc486fa3d9e02afe70a97e54e055 (git) |
|
| Linux | Linux |
Affected:
6.17
Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "379e19e820dd1c6145426b97467728b3b89c0b42",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "b8c182b2c8c44c6016b11d8af61715ad7ef958a1",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "cb184dd19154fc486fa3d9e02afe70a97e54e055",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: init flags_valid before calling vfs_fileattr_get\n\nsyzbot reported a uninit-value bug in [1].\n\nSimilar to the \"*get\" context where the kernel\u0027s internal file_kattr\nstructure is initialized before calling vfs_fileattr_get(), we should\nuse the same mechanism when using fa.\n\n[1]\nBUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n vfs_fileattr_get fs/file_attr.c:94 [inline]\n __do_sys_file_getattr fs/file_attr.c:416 [inline]\n\nLocal variable fa.i created at:\n __do_sys_file_getattr fs/file_attr.c:380 [inline]\n __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:18.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42"
},
{
"url": "https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1"
},
{
"url": "https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055"
}
],
"title": "fs: init flags_valid before calling vfs_fileattr_get",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43474",
"datePublished": "2026-05-08T14:22:32.871Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:18.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43267 (GCVE-0-2026-43267)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
wifi: rtw89: fix potential zero beacon interval in beacon tracking
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: fix potential zero beacon interval in beacon tracking
During fuzz testing, it was discovered that bss_conf->beacon_int
might be zero, which could result in a division by zero error in
subsequent calculations. Set a default value of 100 TU if the
interval is zero to ensure stability.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < 1260bee01493126cf9c872b6ca2af261173baa6d
(git)
Affected: d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < e00c9a4ec84c0bb067833b34202f457badbbc1c1 (git) Affected: d360551f265e3c942ce06cd6f4d2f7f67741bcbd , < eb57be32f438c57c88d6ce756101c1dfbcc03bba (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1260bee01493126cf9c872b6ca2af261173baa6d",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
},
{
"lessThan": "e00c9a4ec84c0bb067833b34202f457badbbc1c1",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
},
{
"lessThan": "eb57be32f438c57c88d6ce756101c1dfbcc03bba",
"status": "affected",
"version": "d360551f265e3c942ce06cd6f4d2f7f67741bcbd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/realtek/rtw89/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix potential zero beacon interval in beacon tracking\n\nDuring fuzz testing, it was discovered that bss_conf-\u003ebeacon_int\nmight be zero, which could result in a division by zero error in\nsubsequent calculations. Set a default value of 100 TU if the\ninterval is zero to ensure stability."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:15.288Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1260bee01493126cf9c872b6ca2af261173baa6d"
},
{
"url": "https://git.kernel.org/stable/c/e00c9a4ec84c0bb067833b34202f457badbbc1c1"
},
{
"url": "https://git.kernel.org/stable/c/eb57be32f438c57c88d6ce756101c1dfbcc03bba"
}
],
"title": "wifi: rtw89: fix potential zero beacon interval in beacon tracking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43267",
"datePublished": "2026-05-06T11:28:52.887Z",
"dateReserved": "2026-05-01T14:12:55.997Z",
"dateUpdated": "2026-05-11T22:21:15.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43165 (GCVE-0-2026-43165)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:27 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin
Summary
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin
When calling of_parse_phandle_with_args(), the caller is responsible
to call of_node_put() to release the reference of device node.
In nct7363_present_pwm_fanin, it does not release the reference,
causing a resource leak.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
46b94c485ed197bc681da242440c6e2315697c57 , < c8cde3ddd12ad7d0e6b5a3e0ea3914a9a778adf4
(git)
Affected: 46b94c485ed197bc681da242440c6e2315697c57 , < fb99b58763a95e20b214fc1dd86837ae00a400b7 (git) Affected: 46b94c485ed197bc681da242440c6e2315697c57 , < 4923bbff0bcffe488b3aa76829c829bd15b02585 (git) |
|
| Linux | Linux |
Affected:
6.13
Unaffected: 0 , < 6.13 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/nct7363.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c8cde3ddd12ad7d0e6b5a3e0ea3914a9a778adf4",
"status": "affected",
"version": "46b94c485ed197bc681da242440c6e2315697c57",
"versionType": "git"
},
{
"lessThan": "fb99b58763a95e20b214fc1dd86837ae00a400b7",
"status": "affected",
"version": "46b94c485ed197bc681da242440c6e2315697c57",
"versionType": "git"
},
{
"lessThan": "4923bbff0bcffe488b3aa76829c829bd15b02585",
"status": "affected",
"version": "46b94c485ed197bc681da242440c6e2315697c57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwmon/nct7363.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin\n\nWhen calling of_parse_phandle_with_args(), the caller is responsible\nto call of_node_put() to release the reference of device node.\nIn nct7363_present_pwm_fanin, it does not release the reference,\ncausing a resource leak."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:01.397Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c8cde3ddd12ad7d0e6b5a3e0ea3914a9a778adf4"
},
{
"url": "https://git.kernel.org/stable/c/fb99b58763a95e20b214fc1dd86837ae00a400b7"
},
{
"url": "https://git.kernel.org/stable/c/4923bbff0bcffe488b3aa76829c829bd15b02585"
}
],
"title": "hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43165",
"datePublished": "2026-05-06T11:27:42.588Z",
"dateReserved": "2026-05-01T14:12:55.990Z",
"dateUpdated": "2026-05-11T22:19:01.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43201 (GCVE-0-2026-43201)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
APEI/GHES: ARM processor Error: don't go past allocated memory
Summary
In the Linux kernel, the following vulnerability has been resolved:
APEI/GHES: ARM processor Error: don't go past allocated memory
If the BIOS generates a very small ARM Processor Error, or
an incomplete one, the current logic will fail to deferrence
err->section_length
and
ctx_info->size
Add checks to avoid that. With such changes, such GHESv2
records won't cause OOPSes like this:
[ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP
[ 1.495449] Modules linked in:
[ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT
[ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022
[ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred
[ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1.497199] pc : log_arm_hw_error+0x5c/0x200
[ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220
0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).
70 err_info = (struct cper_arm_err_info *)(err + 1);
71 ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num);
72 ctx_err = (u8 *)ctx_info;
73
74 for (n = 0; n < err->context_info_num; n++) {
75 sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size;
76 ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);
77 ctx_len += sz;
78 }
79
and similar ones while trying to access section_length on an
error dump with too small size.
[ rjw: Subject tweaks ]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2599ad5e33b629a78a14a463a51afa134e9c5b15 , < 242c652849d979d0133c315a42d9acea0ff88390
(git)
Affected: 22b5096abc9824fb84f0bfe084f5be9f7ea5f2d9 , < 136093ba4161e0080088abff48273f6830a47766 (git) Affected: 05954511b73e748d0370549ad9dd9cd95297d97a , < db103b8bd3a4aca69b1b5fe8831a6ed75ac4b3bd (git) Affected: 05954511b73e748d0370549ad9dd9cd95297d97a , < 87880af2d24e62a84ed19943dbdd524f097172f2 (git) Affected: 0aa7b12eaa87cd6ffa25d432d3c58986516f8b1c (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c",
"drivers/ras/ras.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "242c652849d979d0133c315a42d9acea0ff88390",
"status": "affected",
"version": "2599ad5e33b629a78a14a463a51afa134e9c5b15",
"versionType": "git"
},
{
"lessThan": "136093ba4161e0080088abff48273f6830a47766",
"status": "affected",
"version": "22b5096abc9824fb84f0bfe084f5be9f7ea5f2d9",
"versionType": "git"
},
{
"lessThan": "db103b8bd3a4aca69b1b5fe8831a6ed75ac4b3bd",
"status": "affected",
"version": "05954511b73e748d0370549ad9dd9cd95297d97a",
"versionType": "git"
},
{
"lessThan": "87880af2d24e62a84ed19943dbdd524f097172f2",
"status": "affected",
"version": "05954511b73e748d0370549ad9dd9cd95297d97a",
"versionType": "git"
},
{
"status": "affected",
"version": "0aa7b12eaa87cd6ffa25d432d3c58986516f8b1c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/apei/ghes.c",
"drivers/ras/ras.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.18.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nAPEI/GHES: ARM processor Error: don\u0027t go past allocated memory\n\nIf the BIOS generates a very small ARM Processor Error, or\nan incomplete one, the current logic will fail to deferrence\n\n\terr-\u003esection_length\nand\n\tctx_info-\u003esize\n\nAdd checks to avoid that. With such changes, such GHESv2\nrecords won\u0027t cause OOPSes like this:\n\n[ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP\n[ 1.495449] Modules linked in:\n[ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT\n[ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022\n[ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred\n[ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1.497199] pc : log_arm_hw_error+0x5c/0x200\n[ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220\n\n0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75).\n70\t\terr_info = (struct cper_arm_err_info *)(err + 1);\n71\t\tctx_info = (struct cper_arm_ctx_info *)(err_info + err-\u003eerr_info_num);\n72\t\tctx_err = (u8 *)ctx_info;\n73\n74\t\tfor (n = 0; n \u003c err-\u003econtext_info_num; n++) {\n75\t\t\tsz = sizeof(struct cper_arm_ctx_info) + ctx_info-\u003esize;\n76\t\t\tctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz);\n77\t\t\tctx_len += sz;\n78\t\t}\n79\n\nand similar ones while trying to access section_length on an\nerror dump with too small size.\n\n[ rjw: Subject tweaks ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:56.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/242c652849d979d0133c315a42d9acea0ff88390"
},
{
"url": "https://git.kernel.org/stable/c/136093ba4161e0080088abff48273f6830a47766"
},
{
"url": "https://git.kernel.org/stable/c/db103b8bd3a4aca69b1b5fe8831a6ed75ac4b3bd"
},
{
"url": "https://git.kernel.org/stable/c/87880af2d24e62a84ed19943dbdd524f097172f2"
}
],
"title": "APEI/GHES: ARM processor Error: don\u0027t go past allocated memory",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43201",
"datePublished": "2026-05-06T11:28:07.565Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:56.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43243 (GCVE-0-2026-43243)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:20
VLAI?
EPSS
Title
drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
Trying to access link enc on a dpia link will cause a crash otherwise
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
70839da6360500a82e4d5f78499284474cbed7c1 , < 23e7150afc70da615857f9f07b494ec58540f096
(git)
Affected: 70839da6360500a82e4d5f78499284474cbed7c1 , < 486b2909ac284185900c06f05ffc6eca895f38b8 (git) Affected: 70839da6360500a82e4d5f78499284474cbed7c1 , < e332112255afbce02db67760f5743a1b13aa8541 (git) Affected: 70839da6360500a82e4d5f78499284474cbed7c1 , < c979d8db7b0f293111f2e83795ea353c8ed75de9 (git) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23e7150afc70da615857f9f07b494ec58540f096",
"status": "affected",
"version": "70839da6360500a82e4d5f78499284474cbed7c1",
"versionType": "git"
},
{
"lessThan": "486b2909ac284185900c06f05ffc6eca895f38b8",
"status": "affected",
"version": "70839da6360500a82e4d5f78499284474cbed7c1",
"versionType": "git"
},
{
"lessThan": "e332112255afbce02db67760f5743a1b13aa8541",
"status": "affected",
"version": "70839da6360500a82e4d5f78499284474cbed7c1",
"versionType": "git"
},
{
"lessThan": "c979d8db7b0f293111f2e83795ea353c8ed75de9",
"status": "affected",
"version": "70839da6360500a82e4d5f78499284474cbed7c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add signal type check for dcn401 get_phyd32clk_src\n\nTrying to access link enc on a dpia link will cause a crash otherwise"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:20:46.641Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23e7150afc70da615857f9f07b494ec58540f096"
},
{
"url": "https://git.kernel.org/stable/c/486b2909ac284185900c06f05ffc6eca895f38b8"
},
{
"url": "https://git.kernel.org/stable/c/e332112255afbce02db67760f5743a1b13aa8541"
},
{
"url": "https://git.kernel.org/stable/c/c979d8db7b0f293111f2e83795ea353c8ed75de9"
}
],
"title": "drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43243",
"datePublished": "2026-05-06T11:28:36.287Z",
"dateReserved": "2026-05-01T14:12:55.995Z",
"dateUpdated": "2026-05-11T22:20:46.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43274 (GCVE-0-2026-43274)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
The cluster_cfg array is dynamically allocated to hold per-CPU
configuration structures, with its size based on the number of online
CPUs. Previously, this array was indexed using hartid, which may be
non-contiguous or exceed the bounds of the array, leading to
out-of-bounds access.
Switch to using cpuid as the index, as it is guaranteed to be within
the valid range provided by for_each_online_cpu().
Severity ?
8.4 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e4b1d67e71419c4af581890ecea84b04920d4116 , < 95438699c92947155823dcd3918049a07f3cd867
(git)
Affected: e4b1d67e71419c4af581890ecea84b04920d4116 , < 0442b6229e2eedc95a6d3d18ce75dec7f5b5377c (git) Affected: e4b1d67e71419c4af581890ecea84b04920d4116 , < f7c330a8c83c9b0332fd524097eaf3e69148164d (git) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox-mchp-ipc-sbi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95438699c92947155823dcd3918049a07f3cd867",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
},
{
"lessThan": "0442b6229e2eedc95a6d3d18ce75dec7f5b5377c",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
},
{
"lessThan": "f7c330a8c83c9b0332fd524097eaf3e69148164d",
"status": "affected",
"version": "e4b1d67e71419c4af581890ecea84b04920d4116",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/mailbox/mailbox-mchp-ipc-sbi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()\n\nThe cluster_cfg array is dynamically allocated to hold per-CPU\nconfiguration structures, with its size based on the number of online\nCPUs. Previously, this array was indexed using hartid, which may be\nnon-contiguous or exceed the bounds of the array, leading to\nout-of-bounds access.\nSwitch to using cpuid as the index, as it is guaranteed to be within\nthe valid range provided by for_each_online_cpu()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:23.317Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867"
},
{
"url": "https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c"
},
{
"url": "https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d"
}
],
"title": "mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43274",
"datePublished": "2026-05-06T11:28:57.503Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-11T22:21:23.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4948 (GCVE-0-2026-4948)
Vulnerability from cvelistv5 – Published: 2026-03-27 05:30 – Updated: 2026-03-27 11:21
VLAI?
EPSS
Title
Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization
Summary
A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.
Severity ?
5.5 (Medium)
CWE
- CWE-279 - Incorrect Execution-Assigned Permissions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-4948 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2452086 | issue-trackingx_refsource_REDHAT |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public ?
2026-03-27 00:00
Credits
Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T11:21:05.300360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T11:21:20.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unknown",
"packageName": "firewalld",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "firewalld",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unknown",
"packageName": "firewalld",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unknown",
"packageName": "firewalld",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unknown",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue."
}
],
"datePublic": "2026-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-279",
"description": "Incorrect Execution-Assigned Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:35:20.262Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-4948"
},
{
"name": "RHBZ#2452086",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452086"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-27T04:44:51.806Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-27T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, ensure that the firewalld desktop policy is not active on systems where local unprivileged user access is a concern. If firewalld is not required, it can be disabled. Disabling firewalld may impact network services that rely on it.\n\nTo disable firewalld:\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld\n\nA system restart or service reload may be required for changes to take full effect."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-279: Incorrect Execution-Assigned Permissions"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-4948",
"datePublished": "2026-03-27T05:30:23.632Z",
"dateReserved": "2026-03-27T05:23:36.264Z",
"dateUpdated": "2026-03-27T11:21:20.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43284 (GCVE-0-2026-43284)
Vulnerability from cvelistv5 – Published: 2026-05-08 07:21 – Updated: 2026-05-11 22:21
VLAI?
EPSS
Title
xfrm: esp: avoid in-place decrypt on shared skb frags
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Severity ?
8.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/a6cb440f274a22456… | |
| https://git.kernel.org/stable/c/ab8b995323e523704… | |
| https://git.kernel.org/stable/c/fe785bb3a8096dffc… | |
| https://git.kernel.org/stable/c/5d55c7336f8032d43… | |
| https://git.kernel.org/stable/c/8253aab4659ca1611… | |
| https://git.kernel.org/stable/c/50ed1e7873100f77a… | |
| https://git.kernel.org/stable/c/b54edf1e9a3fd3491… | |
| https://git.kernel.org/stable/c/71a1d9d985d26716f… | |
| https://git.kernel.org/stable/c/52646cbd00e765a6d… | |
| https://git.kernel.org/stable/c/f4c50a4034e62ab75… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < a6cb440f274a22456ef3e86b457344f1678f38f9
(git)
Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < ab8b995323e5237041472d07e5055f5f7dcdf15b (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < fe785bb3a8096dffcc4048a85cd0c83337eeecad (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 5d55c7336f8032d434adcc5fab987ccc93a44aec (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 8253aab4659ca16116b522203c2a6b18dccacea7 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 50ed1e7873100f77abad20fd31c51029bc49cd03 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < b54edf1e9a3fd3491bdcb82a21f8d21315271e0d (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 71a1d9d985d26716f74d21f18ee8cac821b06e97 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < 52646cbd00e765a6db9c3afe9535f26218276034 (git) Affected: cac2661c53f35cbe651bef9b07026a5a05ab8ce0 , < f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 5.10.255 , ≤ 5.10.* (semver) Unaffected: 5.15.205 , ≤ 5.15.* (semver) Unaffected: 5.15.206 , ≤ 5.15.* (semver) Unaffected: 6.1.171 , ≤ 6.1.* (semver) Unaffected: 6.1.172 , ≤ 6.1.* (semver) Unaffected: 6.6.138 , ≤ 6.6.* (semver) Unaffected: 6.12.87 , ≤ 6.12.* (semver) Unaffected: 6.18.28 , ≤ 6.18.* (semver) Unaffected: 7.0.5 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-08T09:32:40.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43284",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:55:46.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6cb440f274a22456ef3e86b457344f1678f38f9",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "ab8b995323e5237041472d07e5055f5f7dcdf15b",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "fe785bb3a8096dffcc4048a85cd0c83337eeecad",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "5d55c7336f8032d434adcc5fab987ccc93a44aec",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "8253aab4659ca16116b522203c2a6b18dccacea7",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "50ed1e7873100f77abad20fd31c51029bc49cd03",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "b54edf1e9a3fd3491bdcb82a21f8d21315271e0d",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "71a1d9d985d26716f74d21f18ee8cac821b06e97",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "52646cbd00e765a6db9c3afe9535f26218276034",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
},
{
"lessThan": "f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4",
"status": "affected",
"version": "cac2661c53f35cbe651bef9b07026a5a05ab8ce0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/esp4.c",
"net/ipv4/ip_output.c",
"net/ipv6/esp6.c",
"net/ipv6/ip6_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.205",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.206",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.171",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.172",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.255",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.205",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.206",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.171",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.172",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.138",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.87",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.28",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.5",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:21:34.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
},
{
"url": "https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"
}
],
"title": "xfrm: esp: avoid in-place decrypt on shared skb frags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43284",
"datePublished": "2026-05-08T07:21:47.524Z",
"dateReserved": "2026-05-01T14:12:55.998Z",
"dateUpdated": "2026-05-11T22:21:34.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43398 (GCVE-0-2026-43398)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
EPSS
Title
drm/amdgpu: add upper bound check on user inputs in wait ioctl
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: add upper bound check on user inputs in wait ioctl
Huge input values in amdgpu_userq_wait_ioctl can lead to a OOM and
could be exploited.
So check these input value against AMDGPU_USERQ_MAX_HANDLES
which is big enough value for genuine use cases and could
potentially avoid OOM.
v2: squash in Srini's fix
(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a292fdecd72834b3bec380baa5db1e69e7f70679 , < b1d10508da559da2e0ca9cca6505094a7df948e1
(git)
Affected: a292fdecd72834b3bec380baa5db1e69e7f70679 , < 3cd93bc695b3456f26f5ed52753d9071da26202a (git) Affected: a292fdecd72834b3bec380baa5db1e69e7f70679 , < 64ac7c09fc44985ec9bb6a9db740899fa40ca613 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1d10508da559da2e0ca9cca6505094a7df948e1",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
},
{
"lessThan": "3cd93bc695b3456f26f5ed52753d9071da26202a",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
},
{
"lessThan": "64ac7c09fc44985ec9bb6a9db740899fa40ca613",
"status": "affected",
"version": "a292fdecd72834b3bec380baa5db1e69e7f70679",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: add upper bound check on user inputs in wait ioctl\n\nHuge input values in amdgpu_userq_wait_ioctl can lead to a OOM and\ncould be exploited.\n\nSo check these input value against AMDGPU_USERQ_MAX_HANDLES\nwhich is big enough value for genuine use cases and could\npotentially avoid OOM.\n\nv2: squash in Srini\u0027s fix\n\n(cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:48.775Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1d10508da559da2e0ca9cca6505094a7df948e1"
},
{
"url": "https://git.kernel.org/stable/c/3cd93bc695b3456f26f5ed52753d9071da26202a"
},
{
"url": "https://git.kernel.org/stable/c/64ac7c09fc44985ec9bb6a9db740899fa40ca613"
}
],
"title": "drm/amdgpu: add upper bound check on user inputs in wait ioctl",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43398",
"datePublished": "2026-05-08T14:21:40.895Z",
"dateReserved": "2026-05-01T14:12:56.007Z",
"dateUpdated": "2026-05-11T22:23:48.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6842 (GCVE-0-2026-6842)
Vulnerability from cvelistv5 – Published: 2026-04-22 07:34 – Updated: 2026-04-22 13:07
VLAI?
EPSS
Title
Nano: nano: local attacker can inject malicious .desktop launcher due to insecure directory permissions
Summary
A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-6842 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2460018 | issue-trackingx_refsource_REDHAT |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public ?
2026-04-13 00:00
Credits
Red Hat would like to thank Michał Majchrowicz, Marcin Wyczechowski (AFINE Team) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:07:50.621296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:07:57.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Micha\u0142 Majchrowicz, Marcin Wyczechowski (AFINE Team) for reporting this issue."
}
],
"datePublic": "2026-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in nano. In environments with permissive umask settings, a local attacker can exploit incorrect directory permissions (0777 instead of 0700) for the `~/.local` directory. This allows the attacker to inject a malicious `.desktop` launcher, which could lead to unintended actions or information disclosure if the launcher is subsequently processed."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T07:36:47.825Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-6842"
},
{
"name": "RHBZ#2460018",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460018"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Nano: nano: local attacker can inject malicious .desktop launcher due to insecure directory permissions",
"workarounds": [
{
"lang": "en",
"value": "Ensure that the system\u0027s umask is configured to a secure value, such as `0022` or `0077`, to prevent the creation of world-writable directories. This can be set system-wide in `/etc/profile` or `/etc/bashrc`, or for individual users in their `~/.bashrc` or `~/.profile`. A secure umask will ensure that newly created directories, including `~/.local` by `nano`, have appropriate permissions."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-732: Incorrect Permission Assignment for Critical Resource"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-6842",
"datePublished": "2026-04-22T07:34:26.360Z",
"dateReserved": "2026-04-22T07:20:17.989Z",
"dateUpdated": "2026-04-22T13:07:57.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3219 (GCVE-0-2026-3219)
Vulnerability from cvelistv5 – Published: 2026-04-20 14:55 – Updated: 2026-04-20 20:15
VLAI?
EPSS
Title
pip doesn't reject concatenated ZIP and tar archives
Summary
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/pypa/pip/pull/13870 | patch |
| https://mail.python.org/archives/list/security-an… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Python Packaging Authority | pip |
Affected:
0 , < 26.1
(python)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:03:20.592162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:15:12.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-20T20:15:23.710Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/20/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/pip",
"defaultStatus": "unaffected",
"packageName": "pip",
"product": "pip",
"repo": "https://github.com/pypa/pip",
"vendor": "Python Packaging Authority",
"versions": [
{
"lessThan": "26.1",
"status": "affected",
"version": "0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both."
}
],
"value": "pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing \"incorrect\" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T15:02:54.673Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/pypa/pip/pull/13870"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "pip doesn\u0027t reject concatenated ZIP and tar archives",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-3219",
"datePublished": "2026-04-20T14:55:38.282Z",
"dateReserved": "2026-02-25T17:50:26.456Z",
"dateUpdated": "2026-04-20T20:15:23.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6843 (GCVE-0-2026-6843)
Vulnerability from cvelistv5 – Published: 2026-04-22 08:30 – Updated: 2026-04-22 12:04
VLAI?
EPSS
Title
Nano: nano: format string vulnerability leads to denial of service
Summary
A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.
Severity ?
5.5 (Medium)
CWE
- CWE-134 - Use of Externally-Controlled Format String
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-6843 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2460017 | issue-trackingx_refsource_REDHAT |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public ?
2026-04-13 00:00
Credits
Red Hat would like to thank Michał Majchrowicz, Marcin Wyczechowski (AFINE Team) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T12:04:45.914675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T12:04:58.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "nano",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Micha\u0142 Majchrowicz, Marcin Wyczechowski (AFINE Team) for reporting this issue."
}
],
"datePublic": "2026-04-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T08:30:04.572Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-6843"
},
{
"name": "RHBZ#2460017",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460017"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Nano: nano: format string vulnerability leads to denial of service",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-134: Use of Externally-Controlled Format String"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-6843",
"datePublished": "2026-04-22T08:30:04.572Z",
"dateReserved": "2026-04-22T07:23:19.148Z",
"dateUpdated": "2026-04-22T12:04:58.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43195 (GCVE-0-2026-43195)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-11 22:19
VLAI?
EPSS
Title
drm/amdgpu: validate user queue size constraints
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: validate user queue size constraints
Add validation to ensure user queue sizes meet hardware requirements:
- Size must be a power of two for efficient ring buffer wrapping
- Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations
This prevents invalid configurations that could lead to GPU faults or
unexpected behavior.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fbf136b932358da1c65eb6fedd064a33a7a96aaa , < cf2a37be899dc1b01f53bf1d0157330eaf3e3f55
(git)
Affected: fbf136b932358da1c65eb6fedd064a33a7a96aaa , < 9f6cc309cd15922fe58cab2dfa1b5993ad31dec7 (git) Affected: fbf136b932358da1c65eb6fedd064a33a7a96aaa , < 8079b87c02e531cc91601f72ea8336dd2262fdf1 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.16 , ≤ 6.18.* (semver) Unaffected: 6.19.6 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf2a37be899dc1b01f53bf1d0157330eaf3e3f55",
"status": "affected",
"version": "fbf136b932358da1c65eb6fedd064a33a7a96aaa",
"versionType": "git"
},
{
"lessThan": "9f6cc309cd15922fe58cab2dfa1b5993ad31dec7",
"status": "affected",
"version": "fbf136b932358da1c65eb6fedd064a33a7a96aaa",
"versionType": "git"
},
{
"lessThan": "8079b87c02e531cc91601f72ea8336dd2262fdf1",
"status": "affected",
"version": "fbf136b932358da1c65eb6fedd064a33a7a96aaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.16",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.6",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate user queue size constraints\n\nAdd validation to ensure user queue sizes meet hardware requirements:\n- Size must be a power of two for efficient ring buffer wrapping\n- Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations\n\nThis prevents invalid configurations that could lead to GPU faults or\nunexpected behavior."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:19:41.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf2a37be899dc1b01f53bf1d0157330eaf3e3f55"
},
{
"url": "https://git.kernel.org/stable/c/9f6cc309cd15922fe58cab2dfa1b5993ad31dec7"
},
{
"url": "https://git.kernel.org/stable/c/8079b87c02e531cc91601f72ea8336dd2262fdf1"
}
],
"title": "drm/amdgpu: validate user queue size constraints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43195",
"datePublished": "2026-05-06T11:28:03.437Z",
"dateReserved": "2026-05-01T14:12:55.992Z",
"dateUpdated": "2026-05-11T22:19:41.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-37457 (GCVE-0-2026-37457)
Vulnerability from cvelistv5 – Published: 2026-05-01 00:00 – Updated: 2026-05-01 18:16
VLAI?
EPSS
Summary
An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-37457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T18:15:57.207525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T18:16:41.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T17:42:07.864Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-37457",
"datePublished": "2026-05-01T00:00:00.000Z",
"dateReserved": "2026-04-06T00:00:00.000Z",
"dateUpdated": "2026-05-01T18:16:41.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…