Vulnerability-Lookup

WID-SEC-W-2026-0809

Vulnerability from csaf_certbund - Published: 2026-03-19 23:00 - Updated: 2026-05-20 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff: Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, die möglicherweise zu einem Denial-of-Service-Zustand, zur Manipulation und Offenlegung von Daten oder zu einer Speicherbeschädigung führen können.

Betroffene Betriebssysteme: - Linux

CVE-2026-23271

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23272

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23273

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23274

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23275

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23276

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23277

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

CVE-2026-23278

Affected products

Known affected 9 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Google Cloud Platform Google	`cpe:/a:google:cloud_platform:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Google Container-Optimized OS Google	`cpe:/o:google:container-optimized_os:-`	—
Open Source Linux Kernel Open Source	`cpe:/o:linux:linux_kernel:-`	—

References

58 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lore.kernel.org/linux-cve-announce/	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://lore.kernel.org/linux-cve-announce/202603…	external
https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-…	external
https://docs.cloud.google.com/support/bulletins#g…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-…	external
https://docs.cloud.google.com/support/bulletins#g…	external
https://lists.debian.org/debian-security-announce…	external
https://docs.cloud.google.com/container-optimized…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://lists.debian.org/debian-security-announce…	external
https://ubuntu.com/security/notices/USN-8244-1	external
https://ubuntu.com/security/notices/USN-8260-1	external
https://ubuntu.com/security/notices/USN-8257-1	external
https://ubuntu.com/security/notices/USN-8255-1	external
https://ubuntu.com/security/notices/USN-8254-1	external
https://ubuntu.com/security/notices/USN-8254-2	external
https://ubuntu.com/security/notices/USN-8255-2	external
https://linux.oracle.com/errata/ELSA-2026-50260.html	external
https://linux.oracle.com/errata/ELSA-2026-50262.html	external
https://oss.oracle.com/pipermail/el-errata/2026-M…	external
https://oss.oracle.com/pipermail/el-errata/2026-M…	external
https://ubuntu.com/security/notices/USN-8275-1	external
https://ubuntu.com/security/notices/USN-8255-3	external
https://ubuntu.com/security/notices/USN-8254-3	external
https://ubuntu.com/security/notices/USN-8279-1	external
https://ubuntu.com/security/notices/USN-8278-1	external
https://ubuntu.com/security/notices/USN-8277-1	external
https://ubuntu.com/security/notices/USN-8289-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren, die m\u00f6glicherweise zu einem Denial-of-Service-Zustand, zur Manipulation und Offenlegung von Daten oder zu einer Speicherbesch\u00e4digung f\u00fchren k\u00f6nnen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0809 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0809.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0809 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0809"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23271",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032031-CVE-2026-23271-657a@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23272",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23272-8ad1@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23273",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23273-3669@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23274",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032034-CVE-2026-23274-ba1d@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23275",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23275-33fe@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23276",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032035-CVE-2026-23276-7fd3@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23277",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032036-CVE-2026-23277-e478@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2026-23278",
        "url": "https://lore.kernel.org/linux-cve-announce/2026032036-CVE-2026-23278-4dcc@gregkh/"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.10-2026-115 vom 2026-04-01",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-115.html"
      },
      {
        "category": "external",
        "summary": "Google Cloud Platform Security Bulletin GCP-2026-017 vom 2026-04-03",
        "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-017"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1342-1 vom 2026-04-15",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025348.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21114-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025429.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21129-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025416.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21131-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025414.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21123-1 vom 2026-04-17",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025421.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20572-1 vom 2026-04-21",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/STWYWECAV6YINBQYRNTOUWNIHBOUY3YT/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21230-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025560.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21237-1 vom 2026-04-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025557.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1557-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025570.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1573-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025596.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1563-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025575.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21255-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025583.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1574-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025600.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1575-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025599.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21241-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025595.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1606-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025614.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21361-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025743.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21352-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025751.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1643-1 vom 2026-04-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025762.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2KERNEL-5.15-2026-100 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.15-2026-100.html"
      },
      {
        "category": "external",
        "summary": "Google Cloud Platform Security Bulletin GCP-2026-025 vom 2026-04-30",
        "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-025"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6238 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00148.html"
      },
      {
        "category": "external",
        "summary": "Container-Optimized OS release notes vom 2026-05-02",
        "url": "https://docs.cloud.google.com/container-optimized-os/docs/release-notes#May_01_2026"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1668-1 vom 2026-05-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025791.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1661-1 vom 2026-04-30",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025787.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4561 vom 2026-05-02",
        "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00005.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6243 vom 2026-05-04",
        "url": "https://lists.debian.org/debian-security-announce/2026/msg00154.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8244-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8244-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8260-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8260-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8257-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8257-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8255-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8255-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-1 vom 2026-05-07",
        "url": "https://ubuntu.com/security/notices/USN-8254-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-2 vom 2026-05-11",
        "url": "https://ubuntu.com/security/notices/USN-8254-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8255-2 vom 2026-05-11",
        "url": "https://ubuntu.com/security/notices/USN-8255-2"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50260 vom 2026-05-12",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50260.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50262 vom 2026-05-12",
        "url": "https://linux.oracle.com/errata/ELSA-2026-50262.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50270 vom 2026-05-15",
        "url": "https://oss.oracle.com/pipermail/el-errata/2026-May/020483.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-50270 vom 2026-05-15",
        "url": "https://oss.oracle.com/pipermail/el-errata/2026-May/020485.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8275-1 vom 2026-05-19",
        "url": "https://ubuntu.com/security/notices/USN-8275-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8255-3 vom 2026-05-19",
        "url": "https://ubuntu.com/security/notices/USN-8255-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8254-3 vom 2026-05-19",
        "url": "https://ubuntu.com/security/notices/USN-8254-3"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8279-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8279-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8278-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8278-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8277-1 vom 2026-05-20",
        "url": "https://ubuntu.com/security/notices/USN-8277-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-8289-1 vom 2026-05-21",
        "url": "https://ubuntu.com/security/notices/USN-8289-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-20T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-21T07:56:37.537+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-0809",
      "initial_release_date": "2026-03-19T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-19T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-22T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-13607"
        },
        {
          "date": "2026-04-01T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-04-06T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Google aufgenommen"
        },
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-19T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-21T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-22T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-29T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Google, Debian und SUSE aufgenommen"
        },
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-07T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-11T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-18T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "21"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Google Cloud Platform",
            "product": {
              "name": "Google Cloud Platform",
              "product_id": "393401",
              "product_identification_helper": {
                "cpe": "cpe:/a:google:cloud_platform:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Google Container-Optimized OS",
            "product": {
              "name": "Google Container-Optimized OS",
              "product_id": "1607324",
              "product_identification_helper": {
                "cpe": "cpe:/o:google:container-optimized_os:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Google"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T051982",
              "product_identification_helper": {
                "cpe": "cpe:/o:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23271",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23271"
    },
    {
      "cve": "CVE-2026-23272",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23272"
    },
    {
      "cve": "CVE-2026-23273",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23273"
    },
    {
      "cve": "CVE-2026-23274",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23274"
    },
    {
      "cve": "CVE-2026-23275",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23275"
    },
    {
      "cve": "CVE-2026-23276",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23276"
    },
    {
      "cve": "CVE-2026-23277",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23277"
    },
    {
      "cve": "CVE-2026-23278",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T000126",
          "T027843",
          "398363",
          "393401",
          "T004914",
          "1607324",
          "T051982"
        ]
      },
      "release_date": "2026-03-19T23:00:00.000+00:00",
      "title": "CVE-2026-23278"
    }
  ]
}

CVE-2026-23271 (GCVE-0-2026-23271)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-11 22:03

Title

perf: Fix __perf_event_overflow() vs perf_remove_from_context() race

Summary

In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and friends that will go and free various things the overflow path expects to be present, like the BPF program.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

6 references

URL	Tags
https://git.kernel.org/stable/c/4df1a45819e50993c…
https://git.kernel.org/stable/c/4f8d5812337871227…
https://git.kernel.org/stable/c/5c48fdc4b4623533d…
https://git.kernel.org/stable/c/3f89b61dd504c5b67…
https://git.kernel.org/stable/c/bb190628fe5f2a73b…
https://git.kernel.org/stable/c/c9bc1753b3cc41d0e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < 4df1a45819e50993cb351682a6ae8e7ed2d233a0 (git) Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < 4f8d5812337871227bb2c98669a87c306a2f86ef (git) Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < 5c48fdc4b4623533d86e279f51531a7ba212eb87 (git) Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < 3f89b61dd504c5b6711de9759e053b082f9abf12 (git) Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < bb190628fe5f2a73ba762a9972ba16c5e895f73e (git) Affected: 592903cdcbf606a838056bae6d03fc557806c914 , < c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae (git)
Linux	Linux	Affected: 2.6.31 Unaffected: 0 , < 2.6.31 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.77 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4df1a45819e50993cb351682a6ae8e7ed2d233a0",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            },
            {
              "lessThan": "4f8d5812337871227bb2c98669a87c306a2f86ef",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            },
            {
              "lessThan": "5c48fdc4b4623533d86e279f51531a7ba212eb87",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            },
            {
              "lessThan": "3f89b61dd504c5b6711de9759e053b082f9abf12",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            },
            {
              "lessThan": "bb190628fe5f2a73ba762a9972ba16c5e895f73e",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            },
            {
              "lessThan": "c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae",
              "status": "affected",
              "version": "592903cdcbf606a838056bae6d03fc557806c914",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/events/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.77",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix __perf_event_overflow() vs perf_remove_from_context() race\n\nMake sure that __perf_event_overflow() runs with IRQs disabled for all\npossible callchains. Specifically the software events can end up running\nit with only preemption disabled.\n\nThis opens up a race vs perf_event_exit_event() and friends that will go\nand free various things the overflow path expects to be present, like\nthe BPF program."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:38.124Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4df1a45819e50993cb351682a6ae8e7ed2d233a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f8d5812337871227bb2c98669a87c306a2f86ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c48fdc4b4623533d86e279f51531a7ba212eb87"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f89b61dd504c5b6711de9759e053b082f9abf12"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb190628fe5f2a73ba762a9972ba16c5e895f73e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9bc1753b3cc41d0e01fbca7f035258b5f4db0ae"
        }
      ],
      "title": "perf: Fix __perf_event_overflow() vs perf_remove_from_context() race",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23271",
    "datePublished": "2026-03-20T08:08:46.711Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-11T22:03:38.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23272 (GCVE-0-2026-23272)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04

Title

netfilter: nf_tables: unconditionally bump set->nelems before insertion

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be walking over it already. To address this issue, add the element transaction even if set is full, but toggle the set_full flag to report -ENFILE so the abort path safely unwinds the set to its previous state. As for element updates, decrement set->nelems to restore it. A simpler fix is to call synchronize_rcu() in the error path. However, with a large batch adding elements to already maxed-out set, this could cause noticeable slowdown of such batches.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

5 references

URL	Tags
https://git.kernel.org/stable/c/e3ccb11fc8249759d…
https://git.kernel.org/stable/c/86bc4b1a0f672d47a…
https://git.kernel.org/stable/c/6826131c767432933…
https://git.kernel.org/stable/c/ccb8c8f3c1127cf34…
https://git.kernel.org/stable/c/def602e498a4f951d…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < e3ccb11fc8249759d23326038c8db987ddaabc77 (git) Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 86bc4b1a0f672d47ac19f9022432cb6a2e01cb33 (git) Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < 6826131c7674329335ca25df2550163eb8a1fd0c (git) Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < ccb8c8f3c1127cf34d18c737309897c68046bf21 (git) Affected: 35d0ac9070ef619e3bf44324375878a1c540387b , < def602e498a4f951da95c95b1b8ce8ae68aa733a (git) Affected: fefdd79403e89b0c673965343b92e2e01e2713a8 (git) Affected: 4.9.33 , < 4.10 (semver)
Linux	Linux	Affected: 4.10 Unaffected: 0 , < 4.10 (semver) Unaffected: 6.6.141 , ≤ 6.6.* (semver) Unaffected: 6.12.91 , ≤ 6.12.* (semver) Unaffected: 6.18.17 , ≤ 6.18.* (semver) Unaffected: 6.19.7 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e3ccb11fc8249759d23326038c8db987ddaabc77",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "86bc4b1a0f672d47ac19f9022432cb6a2e01cb33",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "6826131c7674329335ca25df2550163eb8a1fd0c",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "ccb8c8f3c1127cf34d18c737309897c68046bf21",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "lessThan": "def602e498a4f951da95c95b1b8ce8ae68aa733a",
              "status": "affected",
              "version": "35d0ac9070ef619e3bf44324375878a1c540387b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fefdd79403e89b0c673965343b92e2e01e2713a8",
              "versionType": "git"
            },
            {
              "lessThan": "4.10",
              "status": "affected",
              "version": "4.9.33",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.141",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.91",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.17",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.7",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: unconditionally bump set-\u003enelems before insertion\n\nIn case that the set is full, a new element gets published then removed\nwithout waiting for the RCU grace period, while RCU reader can be\nwalking over it already.\n\nTo address this issue, add the element transaction even if set is full,\nbut toggle the set_full flag to report -ENFILE so the abort path safely\nunwinds the set to its previous state.\n\nAs for element updates, decrement set-\u003enelems to restore it.\n\nA simpler fix is to call synchronize_rcu() in the error path.\nHowever, with a large batch adding elements to already maxed-out set,\nthis could cause noticeable slowdown of such batches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:26.049Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e3ccb11fc8249759d23326038c8db987ddaabc77"
        },
        {
          "url": "https://git.kernel.org/stable/c/86bc4b1a0f672d47ac19f9022432cb6a2e01cb33"
        },
        {
          "url": "https://git.kernel.org/stable/c/6826131c7674329335ca25df2550163eb8a1fd0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccb8c8f3c1127cf34d18c737309897c68046bf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/def602e498a4f951da95c95b1b8ce8ae68aa733a"
        }
      ],
      "title": "netfilter: nf_tables: unconditionally bump set-\u003enelems before insertion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23272",
    "datePublished": "2026-03-20T08:08:52.946Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-23T16:04:26.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23273 (GCVE-0-2026-23273)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04

Title

macvlan: observe an RCU grace period in macvlan_common_newlink() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before detecting an error, and its caller will directly call free_netdev(dev). We must respect an RCU period, either in macvlan or the core networking stack. After adding a temporary mdelay(1000) in macvlan_forward_source_one() to open the race window, valis repro was: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2 ip link add mv0 link p2 type macvlan mode source (ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20 &) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4 PING 1.2.3.4 (1.2.3.4): 56 data bytes RTNETLINK answers: Invalid argument BUG: KASAN: slab-use-after-free in macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) Read of size 8 at addr ffff888016bb89c0 by task e/175 CPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) kasan_report (mm/kasan/report.c:597) ? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444) ? tasklet_init (kernel/softirq.c:983) macvlan_handle_frame (drivers/net/macvlan.c:501) Allocated by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) __kasan_kmalloc (mm/kasan/common.c:419) __kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657 mm/slub.c:7140) alloc_netdev_mqs (net/core/dev.c:12012) rtnl_create_link (net/core/rtnetlink.c:3648) rtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Freed by task 169: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/x86/include/asm/current.h:25 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_free_info (mm/kasan/generic.c:587) __kasan_slab_free (mm/kasan/common.c:287) kfree (mm/slub.c:6674 mm/slub.c:6882) rtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957 net/core/rtnetlink.c:4072) rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) netlink_rcv_skb (net/netlink/af_netlink.c:2550) netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/91e4ff8d966978901…
https://git.kernel.org/stable/c/3d94323c80d7fc4da…
https://git.kernel.org/stable/c/721eb342d9ba19bad…
https://git.kernel.org/stable/c/19c7d8ac51988d053…
https://git.kernel.org/stable/c/a1f686d273d129b45…
https://git.kernel.org/stable/c/d34f7a8aa9a25b7e6…
https://git.kernel.org/stable/c/1e58ae87ad1e6e243…
https://git.kernel.org/stable/c/e3f000f0dee1bfab5…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: da5c6b8ae47e414be47e5e04def15b25d5c962dc , < 91e4ff8d966978901630fc29582c1a76d3c6e46c (git) Affected: 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a , < 3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4 (git) Affected: c43d0e787cbba569ec9d11579ed370b50fab6c9c , < 721eb342d9ba19bad5c4815ea3921465158b7362 (git) Affected: 11ba9f0dc865136174cb98834280fb21bbc950c7 , < 19c7d8ac51988d053709c1e85bd8482076af845d (git) Affected: 986967a162142710076782d5b93daab93a892980 , < a1f686d273d129b45712d95f4095843b864466bd (git) Affected: cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 , < d34f7a8aa9a25b7e64e0e46e444697c0f702374d (git) Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < 1e58ae87ad1e6e24368dea9aec9048c758cd0e2b (git) Affected: f8db6475a83649689c087a8f52486fcc53e627e9 , < e3f000f0dee1bfab52e2e61ca6a3835d9e187e35 (git) Affected: 5.10.250 , < 5.10.252 (semver) Affected: 5.15.200 , < 5.15.202 (semver) Affected: 6.1.163 , < 6.1.165 (semver) Affected: 6.6.124 , < 6.6.128 (semver) Affected: 6.12.70 , < 6.12.75 (semver) Affected: 6.18.10 , < 6.18.14 (semver)
Linux	Linux	Affected: 6.19 Unaffected: 0 , < 6.19 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/macvlan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "91e4ff8d966978901630fc29582c1a76d3c6e46c",
              "status": "affected",
              "version": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
              "versionType": "git"
            },
            {
              "lessThan": "3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4",
              "status": "affected",
              "version": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
              "versionType": "git"
            },
            {
              "lessThan": "721eb342d9ba19bad5c4815ea3921465158b7362",
              "status": "affected",
              "version": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
              "versionType": "git"
            },
            {
              "lessThan": "19c7d8ac51988d053709c1e85bd8482076af845d",
              "status": "affected",
              "version": "11ba9f0dc865136174cb98834280fb21bbc950c7",
              "versionType": "git"
            },
            {
              "lessThan": "a1f686d273d129b45712d95f4095843b864466bd",
              "status": "affected",
              "version": "986967a162142710076782d5b93daab93a892980",
              "versionType": "git"
            },
            {
              "lessThan": "d34f7a8aa9a25b7e64e0e46e444697c0f702374d",
              "status": "affected",
              "version": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
              "versionType": "git"
            },
            {
              "lessThan": "1e58ae87ad1e6e24368dea9aec9048c758cd0e2b",
              "status": "affected",
              "version": "f8db6475a83649689c087a8f52486fcc53e627e9",
              "versionType": "git"
            },
            {
              "lessThan": "e3f000f0dee1bfab52e2e61ca6a3835d9e187e35",
              "status": "affected",
              "version": "f8db6475a83649689c087a8f52486fcc53e627e9",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.252",
              "status": "affected",
              "version": "5.10.250",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.202",
              "status": "affected",
              "version": "5.15.200",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.165",
              "status": "affected",
              "version": "6.1.163",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.128",
              "status": "affected",
              "version": "6.6.124",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.75",
              "status": "affected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.14",
              "status": "affected",
              "version": "6.18.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/macvlan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.19"
            },
            {
              "lessThan": "6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "versionStartIncluding": "5.10.250",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "versionStartIncluding": "5.15.200",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "versionStartIncluding": "6.1.163",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "versionStartIncluding": "6.6.124",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "6.12.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.18.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: observe an RCU grace period in macvlan_common_newlink() error path\n\nvalis reported that a race condition still happens after my prior patch.\n\nmacvlan_common_newlink() might have made @dev visible before\ndetecting an error, and its caller will directly call free_netdev(dev).\n\nWe must respect an RCU period, either in macvlan or the core networking\nstack.\n\nAfter adding a temporary mdelay(1000) in macvlan_forward_source_one()\nto open the race window, valis repro was:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\nip link add mv0 link p2 type macvlan mode source\n\n(ip link add invalid% link p2 type macvlan mode source macaddr add\n00:00:00:00:00:20 \u0026) ; sleep 0.5 ; ping -c1 -I p1 1.2.3.4\nPING 1.2.3.4 (1.2.3.4): 56 data bytes\nRTNETLINK answers: Invalid argument\n\nBUG: KASAN: slab-use-after-free in macvlan_forward_source\n(drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nRead of size 8 at addr ffff888016bb89c0 by task e/175\n\nCPU: 1 UID: 1000 PID: 175 Comm: e Not tainted 6.19.0-rc8+ #33 NONE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n\u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:123)\nprint_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nkasan_report (mm/kasan/report.c:597)\n? macvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\nmacvlan_forward_source (drivers/net/macvlan.c:408 drivers/net/macvlan.c:444)\n? tasklet_init (kernel/softirq.c:983)\nmacvlan_handle_frame (drivers/net/macvlan.c:501)\n\nAllocated by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\n__kasan_kmalloc (mm/kasan/common.c:419)\n__kvmalloc_node_noprof (./include/linux/kasan.h:263 mm/slub.c:5657\nmm/slub.c:7140)\nalloc_netdev_mqs (net/core/dev.c:12012)\nrtnl_create_link (net/core/rtnetlink.c:3648)\nrtnl_newlink (net/core/rtnetlink.c:3830 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)\n\nFreed by task 169:\nkasan_save_stack (mm/kasan/common.c:58)\nkasan_save_track (./arch/x86/include/asm/current.h:25\nmm/kasan/common.c:70 mm/kasan/common.c:79)\nkasan_save_free_info (mm/kasan/generic.c:587)\n__kasan_slab_free (mm/kasan/common.c:287)\nkfree (mm/slub.c:6674 mm/slub.c:6882)\nrtnl_newlink (net/core/rtnetlink.c:3845 net/core/rtnetlink.c:3957\nnet/core/rtnetlink.c:4072)\nrtnetlink_rcv_msg (net/core/rtnetlink.c:6958)\nnetlink_rcv_skb (net/netlink/af_netlink.c:2550)\nnetlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)\nnetlink_sendmsg (net/netlink/af_netlink.c:1894)\n__sys_sendto (net/socket.c:727 net/socket.c:742 net/socket.c:2206)\n__x64_sys_sendto (net/socket.c:2209)\ndo_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:27.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/91e4ff8d966978901630fc29582c1a76d3c6e46c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d94323c80d7fc4da5f10f9bb06a45d39d5d3cc4"
        },
        {
          "url": "https://git.kernel.org/stable/c/721eb342d9ba19bad5c4815ea3921465158b7362"
        },
        {
          "url": "https://git.kernel.org/stable/c/19c7d8ac51988d053709c1e85bd8482076af845d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1f686d273d129b45712d95f4095843b864466bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/d34f7a8aa9a25b7e64e0e46e444697c0f702374d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e58ae87ad1e6e24368dea9aec9048c758cd0e2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3f000f0dee1bfab52e2e61ca6a3835d9e187e35"
        }
      ],
      "title": "macvlan: observe an RCU grace period in macvlan_common_newlink() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23273",
    "datePublished": "2026-03-20T08:08:54.111Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-23T16:04:27.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23274 (GCVE-0-2026-23274)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-11 22:03

Title

netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM, the object uses alarm timer semantics and timer->timer is never initialized. Reusing that object from revision 0 causes mod_timer() on an uninitialized timer_list, triggering debugobjects warnings and possible panic when panic_on_warn=1. Fix this by rejecting revision 0 rule insertion when an existing timer with the same label is of ALARM type.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/32e937dc6e97f5ed3…
https://git.kernel.org/stable/c/144f88054ba018046…
https://git.kernel.org/stable/c/28c7cfaf0c0ab17cb…
https://git.kernel.org/stable/c/54080355999381fed…
https://git.kernel.org/stable/c/5e7ece24c5cb75a60…
https://git.kernel.org/stable/c/f5ef97c1316554248…
https://git.kernel.org/stable/c/f228b9ae2a7e84d11…
https://git.kernel.org/stable/c/329f0b9b48ee6ab59…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 144f88054ba0180467356f40895bd660b5dceeec (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 28c7cfaf0c0ab17cbd7754092116fd1af45271f9 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 54080355999381fed4a26129579a5765bab87491 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 5e7ece24c5cb75a60402aad4d803c7898ea40aa9 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < f228b9ae2a7e84d1153616d8e71c4236cb1f1309 (git) Affected: 68983a354a655c35d3fb204489d383a2a051fda7 , < 329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf (git)
Linux	Linux	Affected: 5.7 Unaffected: 0 , < 5.7 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "144f88054ba0180467356f40895bd660b5dceeec",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "28c7cfaf0c0ab17cbd7754092116fd1af45271f9",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "54080355999381fed4a26129579a5765bab87491",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "5e7ece24c5cb75a60402aad4d803c7898ea40aa9",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "f228b9ae2a7e84d1153616d8e71c4236cb1f1309",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            },
            {
              "lessThan": "329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf",
              "status": "affected",
              "version": "68983a354a655c35d3fb204489d383a2a051fda7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/xt_IDLETIMER.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels\n\nIDLETIMER revision 0 rules reuse existing timers by label and always call\nmod_timer() on timer-\u003etimer.\n\nIf the label was created first by revision 1 with XT_IDLETIMER_ALARM,\nthe object uses alarm timer semantics and timer-\u003etimer is never initialized.\nReusing that object from revision 0 causes mod_timer() on an uninitialized\ntimer_list, triggering debugobjects warnings and possible panic when\npanic_on_warn=1.\n\nFix this by rejecting revision 0 rule insertion when an existing timer with\nthe same label is of ALARM type."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:41.745Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32e937dc6e97f5ed3cdfe3fc0b2b19a05e23fa44"
        },
        {
          "url": "https://git.kernel.org/stable/c/144f88054ba0180467356f40895bd660b5dceeec"
        },
        {
          "url": "https://git.kernel.org/stable/c/28c7cfaf0c0ab17cbd7754092116fd1af45271f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/54080355999381fed4a26129579a5765bab87491"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e7ece24c5cb75a60402aad4d803c7898ea40aa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5ef97c13165542480a6ffdbe6f09f40bbb7cbf1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f228b9ae2a7e84d1153616d8e71c4236cb1f1309"
        },
        {
          "url": "https://git.kernel.org/stable/c/329f0b9b48ee6ab59d1ab72fef55fe8c6463a6cf"
        }
      ],
      "title": "netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23274",
    "datePublished": "2026-03-20T08:08:54.918Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-11T22:03:41.745Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23275 (GCVE-0-2026-23275)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-11 22:03

Title

io_uring: ensure ctx->rings is stable for task work flags manipulation

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being freed. Prevent this by adding a 2nd ->rings pointer, ->rings_rcu, which is protected by RCU. The task work flags manipulation is inside RCU already, and if the resize ring freeing is done post an RCU synchronize, then there's no need to add locking to the fast path of task work additions. Note: this is only done for DEFER_TASKRUN, as that's the only setup mode that supports ring resizing. If this ever changes, then they too need to use the io_ctx_mark_taskrun() helper.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/7cc4530b3e952d4a5…
https://git.kernel.org/stable/c/46dc07d5f31411cc0…
https://git.kernel.org/stable/c/96189080265e6bb5d…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 7cc4530b3e952d4a5947e1e55d06620d8845d4f5 (git) Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1 (git) Affected: 79cfe9e59c2a12c3b3faeeefe38d23f3d8030972 , < 96189080265e6bb5dde3a4afbaf947af493e3f82 (git)
Linux	Linux	Affected: 6.13 Unaffected: 0 , < 6.13 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/io_uring_types.h",
            "io_uring/io_uring.c",
            "io_uring/register.c",
            "io_uring/tw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cc4530b3e952d4a5947e1e55d06620d8845d4f5",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            },
            {
              "lessThan": "46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            },
            {
              "lessThan": "96189080265e6bb5dde3a4afbaf947af493e3f82",
              "status": "affected",
              "version": "79cfe9e59c2a12c3b3faeeefe38d23f3d8030972",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/io_uring_types.h",
            "io_uring/io_uring.c",
            "io_uring/register.c",
            "io_uring/tw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: ensure ctx-\u003erings is stable for task work flags manipulation\n\nIf DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while\nthe ring is being resized, it\u0027s possible for the OR\u0027ing of\nIORING_SQ_TASKRUN to happen in the small window of swapping into the\nnew rings and the old rings being freed.\n\nPrevent this by adding a 2nd -\u003erings pointer, -\u003erings_rcu, which is\nprotected by RCU. The task work flags manipulation is inside RCU\nalready, and if the resize ring freeing is done post an RCU synchronize,\nthen there\u0027s no need to add locking to the fast path of task work\nadditions.\n\nNote: this is only done for DEFER_TASKRUN, as that\u0027s the only setup mode\nthat supports ring resizing. If this ever changes, then they too need to\nuse the io_ctx_mark_taskrun() helper."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:42.916Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cc4530b3e952d4a5947e1e55d06620d8845d4f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/46dc07d5f31411cc023f3bf1f4a23a07bf6e0ed1"
        },
        {
          "url": "https://git.kernel.org/stable/c/96189080265e6bb5dde3a4afbaf947af493e3f82"
        }
      ],
      "title": "io_uring: ensure ctx-\u003erings is stable for task work flags manipulation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23275",
    "datePublished": "2026-03-20T08:08:55.857Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-11T22:03:42.916Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23276 (GCVE-0-2026-23276)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04

Title

net: add xmit recursion limit to tunnel xmit functions

Summary

In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves, and those GRE tunnels route back through the bond, multicast/broadcast traffic triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing kernel stack overflow. The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not sufficient because tunnel recursion involves route lookups and full IP output, consuming much more stack per level. Use a lower limit of 4 (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow. Add recursion detection using dev_xmit_recursion helpers directly in iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.). Move dev_xmit_recursion helpers from net/core/dev.h to public header include/linux/netdevice.h so they can be used by tunnel code. BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160 Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11 Workqueue: mld mld_ifc_work Call Trace: <TASK> __build_flow_key.constprop.0 (net/ipv4/route.c:515) ip_rt_update_pmtu (net/ipv4/route.c:1073) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) ip_finish_output2 (net/ipv4/ip_output.c:237) ip_output (net/ipv4/ip_output.c:438) iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86) ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) gre_tap_xmit (net/ipv4/ip_gre.c:779) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312) bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279) bond_start_xmit (drivers/net/bonding/bond_main.c:5530) dev_hard_start_xmit (net/core/dev.c:3887) __dev_queue_xmit (net/core/dev.c:4841) mld_sendpack mld_ifc_work process_one_work worker_thread </TASK>

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/834c4f645726a25fd…
https://git.kernel.org/stable/c/8a57deeb256069f26…
https://git.kernel.org/stable/c/b56b8d19bd05e2a83…
https://git.kernel.org/stable/c/6f1a9140ecda3baba…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 745e20f1b626b1be4b100af5d4bf7b3439392f8f , < 834c4f645726a25fd71ea50cdfb5c135f8f95d85 (git) Affected: 745e20f1b626b1be4b100af5d4bf7b3439392f8f , < 8a57deeb256069f262957d8012418559ff66c385 (git) Affected: 745e20f1b626b1be4b100af5d4bf7b3439392f8f , < b56b8d19bd05e2a8338385c770bc2b60590bc81e (git) Affected: 745e20f1b626b1be4b100af5d4bf7b3439392f8f , < 6f1a9140ecda3baba3d945b9a6155af4268aafc4 (git) Affected: 3f266b04185de51d8e6446eb1fccec3b5e7ce575 (git) Affected: 2.6.35.9 , < 2.6.36 (semver)
Linux	Linux	Affected: 2.6.37 Unaffected: 0 , < 2.6.37 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/netdevice.h",
            "include/net/ip6_tunnel.h",
            "include/net/ip_tunnels.h",
            "net/core/dev.h",
            "net/ipv4/ip_tunnel_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "834c4f645726a25fd71ea50cdfb5c135f8f95d85",
              "status": "affected",
              "version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
              "versionType": "git"
            },
            {
              "lessThan": "8a57deeb256069f262957d8012418559ff66c385",
              "status": "affected",
              "version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
              "versionType": "git"
            },
            {
              "lessThan": "b56b8d19bd05e2a8338385c770bc2b60590bc81e",
              "status": "affected",
              "version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
              "versionType": "git"
            },
            {
              "lessThan": "6f1a9140ecda3baba3d945b9a6155af4268aafc4",
              "status": "affected",
              "version": "745e20f1b626b1be4b100af5d4bf7b3439392f8f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3f266b04185de51d8e6446eb1fccec3b5e7ce575",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.36",
              "status": "affected",
              "version": "2.6.35.9",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/netdevice.h",
            "include/net/ip6_tunnel.h",
            "include/net/ip_tunnels.h",
            "net/core/dev.h",
            "net/ipv4/ip_tunnel_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.37"
            },
            {
              "lessThan": "2.6.37",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.35.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n  \u003cTASK\u003e\n  __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n  ip_rt_update_pmtu (net/ipv4/route.c:1073)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  mld_sendpack\n  mld_ifc_work\n  process_one_work\n  worker_thread\n  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:28.110Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"
        },
        {
          "url": "https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"
        }
      ],
      "title": "net: add xmit recursion limit to tunnel xmit functions",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23276",
    "datePublished": "2026-03-20T08:08:56.575Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-23T16:04:28.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23277 (GCVE-0-2026-23277)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-11 22:03

Title

net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit

Summary

In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the slave device beforehand. When a gretap tunnel is a TEQL slave, the transmit path reaches iptunnel_xmit() which saves dev = skb->dev (still pointing to teql0 master) and later calls iptunnel_xmit_stats(dev, pkt_len). This function does: get_cpu_ptr(dev->tstats) Since teql_master_setup() does not set dev->pcpu_stat_type to NETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats for teql0, so dev->tstats is NULL. get_cpu_ptr(NULL) computes NULL + __per_cpu_offset[cpu], resulting in a page fault. BUG: unable to handle page fault for address: ffff8880e6659018 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 68bc067 P4D 68bc067 PUD 0 Oops: Oops: 0002 [#1] SMP KASAN PTI RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89) Call Trace: <TASK> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847) __gre_xmit (net/ipv4/ip_gre.c:478) gre_tap_xmit (net/ipv4/ip_gre.c:779) teql_master_xmit (net/sched/sch_teql.c:319) dev_hard_start_xmit (net/core/dev.c:3887) sch_direct_xmit (net/sched/sch_generic.c:347) __dev_queue_xmit (net/core/dev.c:4802) neigh_direct_output (net/core/neighbour.c:1660) ip_finish_output2 (net/ipv4/ip_output.c:237) __ip_finish_output.part.0 (net/ipv4/ip_output.c:315) ip_mc_output (net/ipv4/ip_output.c:369) ip_send_skb (net/ipv4/ip_output.c:1508) udp_send_skb (net/ipv4/udp.c:1195) udp_sendmsg (net/ipv4/udp.c:1485) inet_sendmsg (net/ipv4/af_inet.c:859) __sys_sendto (net/socket.c:2206) Fix this by setting skb->dev = slave before calling netdev_start_xmit(), so that tunnel xmit functions see the correct slave device with properly allocated tstats.

Severity

No CVSS data available.

Assigner

Linux

References

8 references

URL	Tags
https://git.kernel.org/stable/c/383493b9940e3d1b5…
https://git.kernel.org/stable/c/6b1f563d670162e18…
https://git.kernel.org/stable/c/57c153249143333bb…
https://git.kernel.org/stable/c/59b06d8b9bdb6b64b…
https://git.kernel.org/stable/c/81a43e8005366f16e…
https://git.kernel.org/stable/c/0bad9c86edd22dec4…
https://git.kernel.org/stable/c/21ea283c2750c8307…
https://git.kernel.org/stable/c/0cc0c2e661af418bb…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 383493b9940e3d1b5517424081b3e072e20ec43c (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 6b1f563d670162e188a0f2aec39c24b67b106e17 (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 57c153249143333bbf4ecf927bdf8aa2696ee397 (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 59b06d8b9bdb6b64b3c534c18da68bce5ccd31be (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 81a43e8005366f16e629d8c95dfe05beaa8d36a7 (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 0bad9c86edd22dec4df83c2b29872d66fd8a2ff4 (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 21ea283c2750c8307aa35ee832b0951cc993c27d (git) Affected: 039f50629b7f860f36644ed1f34b27da9aa62f43 , < 0cc0c2e661af418bbf7074179ea5cfffc0a5c466 (git)
Linux	Linux	Affected: 4.5 Unaffected: 0 , < 4.5 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_teql.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "383493b9940e3d1b5517424081b3e072e20ec43c",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "6b1f563d670162e188a0f2aec39c24b67b106e17",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "57c153249143333bbf4ecf927bdf8aa2696ee397",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "59b06d8b9bdb6b64b3c534c18da68bce5ccd31be",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "81a43e8005366f16e629d8c95dfe05beaa8d36a7",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "0bad9c86edd22dec4df83c2b29872d66fd8a2ff4",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "21ea283c2750c8307aa35ee832b0951cc993c27d",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            },
            {
              "lessThan": "0cc0c2e661af418bbf7074179ea5cfffc0a5c466",
              "status": "affected",
              "version": "039f50629b7f860f36644ed1f34b27da9aa62f43",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_teql.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit\n\nteql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit\nthrough slave devices, but does not update skb-\u003edev to the slave device\nbeforehand.\n\nWhen a gretap tunnel is a TEQL slave, the transmit path reaches\niptunnel_xmit() which saves dev = skb-\u003edev (still pointing to teql0\nmaster) and later calls iptunnel_xmit_stats(dev, pkt_len). This\nfunction does:\n\n    get_cpu_ptr(dev-\u003etstats)\n\nSince teql_master_setup() does not set dev-\u003epcpu_stat_type to\nNETDEV_PCPU_STAT_TSTATS, the core network stack never allocates tstats\nfor teql0, so dev-\u003etstats is NULL. get_cpu_ptr(NULL) computes\nNULL + __per_cpu_offset[cpu], resulting in a page fault.\n\n BUG: unable to handle page fault for address: ffff8880e6659018\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 68bc067 P4D 68bc067 PUD 0\n Oops: Oops: 0002 [#1] SMP KASAN PTI\n RIP: 0010:iptunnel_xmit (./include/net/ip_tunnels.h:664 net/ipv4/ip_tunnel_core.c:89)\n Call Trace:\n  \u003cTASK\u003e\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  __gre_xmit (net/ipv4/ip_gre.c:478)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  teql_master_xmit (net/sched/sch_teql.c:319)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  neigh_direct_output (net/core/neighbour.c:1660)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  __ip_finish_output.part.0 (net/ipv4/ip_output.c:315)\n  ip_mc_output (net/ipv4/ip_output.c:369)\n  ip_send_skb (net/ipv4/ip_output.c:1508)\n  udp_send_skb (net/ipv4/udp.c:1195)\n  udp_sendmsg (net/ipv4/udp.c:1485)\n  inet_sendmsg (net/ipv4/af_inet.c:859)\n  __sys_sendto (net/socket.c:2206)\n\nFix this by setting skb-\u003edev = slave before calling\nnetdev_start_xmit(), so that tunnel xmit functions see the correct\nslave device with properly allocated tstats."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:03:45.245Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/383493b9940e3d1b5517424081b3e072e20ec43c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b1f563d670162e188a0f2aec39c24b67b106e17"
        },
        {
          "url": "https://git.kernel.org/stable/c/57c153249143333bbf4ecf927bdf8aa2696ee397"
        },
        {
          "url": "https://git.kernel.org/stable/c/59b06d8b9bdb6b64b3c534c18da68bce5ccd31be"
        },
        {
          "url": "https://git.kernel.org/stable/c/81a43e8005366f16e629d8c95dfe05beaa8d36a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bad9c86edd22dec4df83c2b29872d66fd8a2ff4"
        },
        {
          "url": "https://git.kernel.org/stable/c/21ea283c2750c8307aa35ee832b0951cc993c27d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cc0c2e661af418bbf7074179ea5cfffc0a5c466"
        }
      ],
      "title": "net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23277",
    "datePublished": "2026-03-20T08:08:57.394Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-11T22:03:45.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23278 (GCVE-0-2026-23278)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:08 – Updated: 2026-05-23 16:04

Title

netfilter: nf_tables: always walk all pending catchall elements

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, its required to toggle all catchall elements and not just the first viable candidate. Otherwise, we get: WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404 RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables] [..] __nft_set_elem_destroy+0x106/0x380 [nf_tables] nf_tables_abort_release+0x348/0x8d0 [nf_tables] nf_tables_abort+0xcf2/0x3ac0 [nf_tables] nfnetlink_rcv_batch+0x9c9/0x20e0 [..]

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/eb0948fa13298212c…
https://git.kernel.org/stable/c/de47a88c6b807910f…
https://git.kernel.org/stable/c/77c26b5056d693ffe…
https://git.kernel.org/stable/c/7cb9a23d7ae40a702…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < eb0948fa13298212c5f8b30ee48efdae4389ab09 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < de47a88c6b807910f05703fb6605f7efdaa11417 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 77c26b5056d693ffe5e9f040e946251cdb55ae55 (git) Affected: 628bd3e49cba1c066228e23d71a852c23e26da73 , < 7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9 (git) Affected: bc9f791d2593f17e39f87c6e2b3a36549a3705b1 (git) Affected: 3c7ec098e3b588434a8b07ea9b5b36f04cef1f50 (git) Affected: a136b7942ad2a50de708f76ea299ccb45ac7a7f9 (git) Affected: 25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8 (git) Affected: d60be2da67d172aecf866302c91ea11533eca4d9 (git) Affected: dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41 (git) Affected: 4.19.316 , < 4.20 (semver) Affected: 5.4.262 , < 5.5 (semver) Affected: 5.10.188 , < 5.11 (semver) Affected: 5.15.121 , < 5.16 (semver) Affected: 6.1.36 , < 6.2 (semver) Affected: 6.3.10 , < 6.4 (semver)
Linux	Linux	Affected: 6.4 Unaffected: 0 , < 6.4 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eb0948fa13298212c5f8b30ee48efdae4389ab09",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "de47a88c6b807910f05703fb6605f7efdaa11417",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "77c26b5056d693ffe5e9f040e946251cdb55ae55",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "lessThan": "7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9",
              "status": "affected",
              "version": "628bd3e49cba1c066228e23d71a852c23e26da73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bc9f791d2593f17e39f87c6e2b3a36549a3705b1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3c7ec098e3b588434a8b07ea9b5b36f04cef1f50",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a136b7942ad2a50de708f76ea299ccb45ac7a7f9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "25aa2ad37c2162be1c0bc4fe6397f7e4c13f00f8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d60be2da67d172aecf866302c91ea11533eca4d9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dc7cdf8cbcbf8b13de1df93f356ec04cdeef5c41",
              "versionType": "git"
            },
            {
              "lessThan": "4.20",
              "status": "affected",
              "version": "4.19.316",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.262",
              "versionType": "semver"
            },
            {
              "lessThan": "5.11",
              "status": "affected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThan": "5.16",
              "status": "affected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.36",
              "versionType": "semver"
            },
            {
              "lessThan": "6.4",
              "status": "affected",
              "version": "6.3.10",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_tables_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.316",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: always walk all pending catchall elements\n\nDuring transaction processing we might have more than one catchall element:\n1 live catchall element and 1 pending element that is coming as part of the\nnew batch.\n\nIf the map holding the catchall elements is also going away, its\nrequired to toggle all catchall elements and not just the first viable\ncandidate.\n\nOtherwise, we get:\n WARNING: ./include/net/netfilter/nf_tables.h:1281 at nft_data_release+0xb7/0xe0 [nf_tables], CPU#2: nft/1404\n RIP: 0010:nft_data_release+0xb7/0xe0 [nf_tables]\n [..]\n __nft_set_elem_destroy+0x106/0x380 [nf_tables]\n nf_tables_abort_release+0x348/0x8d0 [nf_tables]\n nf_tables_abort+0xcf2/0x3ac0 [nf_tables]\n nfnetlink_rcv_batch+0x9c9/0x20e0 [..]"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T16:04:29.137Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eb0948fa13298212c5f8b30ee48efdae4389ab09"
        },
        {
          "url": "https://git.kernel.org/stable/c/de47a88c6b807910f05703fb6605f7efdaa11417"
        },
        {
          "url": "https://git.kernel.org/stable/c/77c26b5056d693ffe5e9f040e946251cdb55ae55"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cb9a23d7ae40a702577d3d8bacb7026f04ac2a9"
        }
      ],
      "title": "netfilter: nf_tables: always walk all pending catchall elements",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23278",
    "datePublished": "2026-03-20T08:08:58.566Z",
    "dateReserved": "2026-01-13T15:37:45.991Z",
    "dateUpdated": "2026-05-23T16:04:29.137Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0809

CVE-2026-23271 (GCVE-0-2026-23271)

CVE-2026-23272 (GCVE-0-2026-23272)

CVE-2026-23273 (GCVE-0-2026-23273)

CVE-2026-23274 (GCVE-0-2026-23274)

CVE-2026-23275 (GCVE-0-2026-23275)

CVE-2026-23276 (GCVE-0-2026-23276)

CVE-2026-23277 (GCVE-0-2026-23277)

CVE-2026-23278 (GCVE-0-2026-23278)

Tags

Sightings

Nomenclature