Search criteria
24780 vulnerabilities found for Linux by Linux
CVE-2026-46273 (GCVE-0-2026-46273)
Vulnerability from nvd – Published: 2026-06-03 16:19 – Updated: 2026-06-03 16:19
VLAI
Title
ibmveth: Disable GSO for packets with small MSS
Summary
In the Linux kernel, the following vulnerability has been resolved:
ibmveth: Disable GSO for packets with small MSS
Some physical adapters on Power systems do not support segmentation
offload when the MSS is less than 224 bytes. Attempting to send such
packets causes the adapter to freeze, stopping all traffic until
manually reset.
Implement ndo_features_check to disable GSO for packets with small MSS
values. The network stack will perform software segmentation instead.
The 224-byte minimum matches ibmvnic
commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks
on GSO packets")
which uses the same physical adapters in SEA configurations.
The issue occurs specifically when the hardware attempts to perform
segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets
(gso_segs == 1) do not trigger the problematic LSO code path and are
transmitted normally without segmentation.
Add an ndo_features_check callback to disable GSO when MSS < 224 bytes.
Also call vlan_features_check() to ensure proper handling of VLAN packets,
particularly QinQ (802.1ad) configurations where the hardware parser may
not support certain offload features.
Validated using iptables to force small MSS values. Without the fix,
the adapter freezes. With the fix, packets are segmented in software
and transmission succeeds. Comprehensive regression testing completedd
(MSS tests, performance, stability).
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 86fc64584811d43c9ccd74447de58620189d8b77
(git)
Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 9a5e984d7af910e46dcbed3ce77873e000a4f77d (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 1cdf5dbcec988d06f5f720bdf89e91073f77fa10 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 82bc89fbb82d9396fb4eaee8720ea85e2e787957 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < db8012c631cb845e9ae2b4b531e17d86c9519755 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < c1f261863e65b508f37416dfbc5c5d911c9b9233 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < 3af24f0c4c31f18a4a2d927990759194832bb6e9 (git) Affected: 8641dd85799f85bef5f0d1f87356aaa12cb2195e , < cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmveth.c",
"drivers/net/ethernet/ibm/ibmveth.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "86fc64584811d43c9ccd74447de58620189d8b77",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "9a5e984d7af910e46dcbed3ce77873e000a4f77d",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "1cdf5dbcec988d06f5f720bdf89e91073f77fa10",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "82bc89fbb82d9396fb4eaee8720ea85e2e787957",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "db8012c631cb845e9ae2b4b531e17d86c9519755",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "c1f261863e65b508f37416dfbc5c5d911c9b9233",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "3af24f0c4c31f18a4a2d927990759194832bb6e9",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
},
{
"lessThan": "cc427d24ac6442ffdeafd157a63c7c5b73ed4de4",
"status": "affected",
"version": "8641dd85799f85bef5f0d1f87356aaa12cb2195e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/ibm/ibmveth.c",
"drivers/net/ethernet/ibm/ibmveth.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmveth: Disable GSO for packets with small MSS\n\nSome physical adapters on Power systems do not support segmentation\noffload when the MSS is less than 224 bytes. Attempting to send such\npackets causes the adapter to freeze, stopping all traffic until\nmanually reset.\n\nImplement ndo_features_check to disable GSO for packets with small MSS\nvalues. The network stack will perform software segmentation instead.\n\nThe 224-byte minimum matches ibmvnic\ncommit \u003cf10b09ef687f\u003e (\"ibmvnic: Enforce stronger sanity checks\non GSO packets\")\nwhich uses the same physical adapters in SEA configurations.\n\nThe issue occurs specifically when the hardware attempts to perform\nsegmentation (gso_segs \u003e 1) with a small MSS. Single-segment GSO packets\n(gso_segs == 1) do not trigger the problematic LSO code path and are\ntransmitted normally without segmentation.\n\nAdd an ndo_features_check callback to disable GSO when MSS \u003c 224 bytes.\nAlso call vlan_features_check() to ensure proper handling of VLAN packets,\nparticularly QinQ (802.1ad) configurations where the hardware parser may\nnot support certain offload features.\n\nValidated using iptables to force small MSS values. Without the fix,\nthe adapter freezes. With the fix, packets are segmented in software\nand transmission succeeds. Comprehensive regression testing completedd\n(MSS tests, performance, stability)."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T16:19:18.056Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/86fc64584811d43c9ccd74447de58620189d8b77"
},
{
"url": "https://git.kernel.org/stable/c/9a5e984d7af910e46dcbed3ce77873e000a4f77d"
},
{
"url": "https://git.kernel.org/stable/c/1cdf5dbcec988d06f5f720bdf89e91073f77fa10"
},
{
"url": "https://git.kernel.org/stable/c/82bc89fbb82d9396fb4eaee8720ea85e2e787957"
},
{
"url": "https://git.kernel.org/stable/c/db8012c631cb845e9ae2b4b531e17d86c9519755"
},
{
"url": "https://git.kernel.org/stable/c/c1f261863e65b508f37416dfbc5c5d911c9b9233"
},
{
"url": "https://git.kernel.org/stable/c/3af24f0c4c31f18a4a2d927990759194832bb6e9"
},
{
"url": "https://git.kernel.org/stable/c/cc427d24ac6442ffdeafd157a63c7c5b73ed4de4"
}
],
"title": "ibmveth: Disable GSO for packets with small MSS",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46273",
"datePublished": "2026-06-03T16:19:18.056Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T16:19:18.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46272 (GCVE-0-2026-46272)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
coresight: tmc-etr: Fix race condition between sysfs and perf mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
coresight: tmc-etr: Fix race condition between sysfs and perf mode
When trying to run perf and sysfs mode simultaneously, the WARN_ON()
in tmc_etr_enable_hw() is triggered sometimes:
WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]
[..snip..]
Call trace:
tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)
tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)
tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]
coresight_enable_path+0x1c8/0x218 [coresight]
coresight_enable_sysfs+0xa4/0x228 [coresight]
enable_source_store+0x58/0xa8 [coresight]
dev_attr_store+0x20/0x40
sysfs_kf_write+0x4c/0x68
kernfs_fop_write_iter+0x120/0x1b8
vfs_write+0x2c8/0x388
ksys_write+0x74/0x108
__arm64_sys_write+0x24/0x38
el0_svc_common.constprop.0+0x64/0x148
do_el0_svc+0x24/0x38
el0_svc+0x3c/0x130
el0t_64_sync_handler+0xc8/0xd0
el0t_64_sync+0x1ac/0x1b0
---[ end trace 0000000000000000 ]---
Since the enablement of sysfs mode is separeted into two critical regions,
one for sysfs buffer allocation and another for hardware enablement, it's
possible to race with the perf mode. Fix this by double check whether
the perf mode's been used before enabling the hardware in sysfs mode.
mode:
[sysfs mode] [perf mode]
tmc_etr_get_sysfs_buffer()
spin_lock(&drvdata->spinlock)
[sysfs buffer allocation]
spin_unlock(&drvdata->spinlock)
spin_lock(&drvdata->spinlock)
tmc_etr_enable_hw()
drvdata->etr_buf = etr_perf->etr_buf
spin_unlock(&drvdata->spinlock)
spin_lock(&drvdata->spinlock)
tmc_etr_enable_hw()
WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at
the perf side
spin_unlock(&drvdata->spinlock)
With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.
This ensures we verify whether the perf mode's already running before we
actually allocate the buffer. Then we can save the time of
allocating/freeing the sysfs buffer if race with the perf mode.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
296b01fd106e787d4463974a7f42d286a5df08cd , < 38a07194bbcddb18d77dad40ba9978d994c0b74c
(git)
Affected: 296b01fd106e787d4463974a7f42d286a5df08cd , < 6906aa70d4fc5900b954136e20e27c2be6d1acab (git) Affected: 296b01fd106e787d4463974a7f42d286a5df08cd , < e6e43e82c79c97917cbe356c07e8a6f3f982ab53 (git) |
|
| Linux | Linux |
Affected:
6.5
Unaffected: 0 , < 6.5 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38a07194bbcddb18d77dad40ba9978d994c0b74c",
"status": "affected",
"version": "296b01fd106e787d4463974a7f42d286a5df08cd",
"versionType": "git"
},
{
"lessThan": "6906aa70d4fc5900b954136e20e27c2be6d1acab",
"status": "affected",
"version": "296b01fd106e787d4463974a7f42d286a5df08cd",
"versionType": "git"
},
{
"lessThan": "e6e43e82c79c97917cbe356c07e8a6f3f982ab53",
"status": "affected",
"version": "296b01fd106e787d4463974a7f42d286a5df08cd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hwtracing/coresight/coresight-tmc-etr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncoresight: tmc-etr: Fix race condition between sysfs and perf mode\n\nWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()\nin tmc_etr_enable_hw() is triggered sometimes:\n\n WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc]\n [..snip..]\n Call trace:\n tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P)\n tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L)\n tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc]\n coresight_enable_path+0x1c8/0x218 [coresight]\n coresight_enable_sysfs+0xa4/0x228 [coresight]\n enable_source_store+0x58/0xa8 [coresight]\n dev_attr_store+0x20/0x40\n sysfs_kf_write+0x4c/0x68\n kernfs_fop_write_iter+0x120/0x1b8\n vfs_write+0x2c8/0x388\n ksys_write+0x74/0x108\n __arm64_sys_write+0x24/0x38\n el0_svc_common.constprop.0+0x64/0x148\n do_el0_svc+0x24/0x38\n el0_svc+0x3c/0x130\n el0t_64_sync_handler+0xc8/0xd0\n el0t_64_sync+0x1ac/0x1b0\n ---[ end trace 0000000000000000 ]---\n\nSince the enablement of sysfs mode is separeted into two critical regions,\none for sysfs buffer allocation and another for hardware enablement, it\u0027s\npossible to race with the perf mode. Fix this by double check whether\nthe perf mode\u0027s been used before enabling the hardware in sysfs mode.\n\n mode:\n [sysfs mode] [perf mode]\n tmc_etr_get_sysfs_buffer()\n spin_lock(\u0026drvdata-\u003espinlock)\n [sysfs buffer allocation]\n spin_unlock(\u0026drvdata-\u003espinlock)\n spin_lock(\u0026drvdata-\u003espinlock)\n tmc_etr_enable_hw()\n drvdata-\u003eetr_buf = etr_perf-\u003eetr_buf\n spin_unlock(\u0026drvdata-\u003espinlock)\n spin_lock(\u0026drvdata-\u003espinlock)\n tmc_etr_enable_hw()\n WARN_ON(drvdata-\u003eetr_buf) // WARN sicne etr_buf initialized at\n the perf side\n spin_unlock(\u0026drvdata-\u003espinlock)\n\nWith this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.\nThis ensures we verify whether the perf mode\u0027s already running before we\nactually allocate the buffer. Then we can save the time of\nallocating/freeing the sysfs buffer if race with the perf mode."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:14.618Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c"
},
{
"url": "https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab"
},
{
"url": "https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53"
}
],
"title": "coresight: tmc-etr: Fix race condition between sysfs and perf mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46272",
"datePublished": "2026-06-03T15:50:14.618Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T15:50:14.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46271 (GCVE-0-2026-46271)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
wifi: ath12k: do WoW offloads only on primary link
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: do WoW offloads only on primary link
In case of multi-link connection, WCN7850 firmware crashes due to WoW
offloads enabled on both primary and secondary links.
Change to do it only on primary link to fix it.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
32f7b19668bd2894f1a236580c2132fc4b9f4449 , < 7379837c3f9efa576dc2d716ebfaa3a113b3112f
(git)
Affected: 32f7b19668bd2894f1a236580c2132fc4b9f4449 , < e042da1085d9f1686c58a4378d5840f52a36598e (git) Affected: 32f7b19668bd2894f1a236580c2132fc4b9f4449 , < e62102ac9b773bdb08475aa9ca24dea61ae98708 (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/wow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7379837c3f9efa576dc2d716ebfaa3a113b3112f",
"status": "affected",
"version": "32f7b19668bd2894f1a236580c2132fc4b9f4449",
"versionType": "git"
},
{
"lessThan": "e042da1085d9f1686c58a4378d5840f52a36598e",
"status": "affected",
"version": "32f7b19668bd2894f1a236580c2132fc4b9f4449",
"versionType": "git"
},
{
"lessThan": "e62102ac9b773bdb08475aa9ca24dea61ae98708",
"status": "affected",
"version": "32f7b19668bd2894f1a236580c2132fc4b9f4449",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/wow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: do WoW offloads only on primary link\n\nIn case of multi-link connection, WCN7850 firmware crashes due to WoW\noffloads enabled on both primary and secondary links.\n\nChange to do it only on primary link to fix it.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:13.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7379837c3f9efa576dc2d716ebfaa3a113b3112f"
},
{
"url": "https://git.kernel.org/stable/c/e042da1085d9f1686c58a4378d5840f52a36598e"
},
{
"url": "https://git.kernel.org/stable/c/e62102ac9b773bdb08475aa9ca24dea61ae98708"
}
],
"title": "wifi: ath12k: do WoW offloads only on primary link",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46271",
"datePublished": "2026-06-03T15:50:13.645Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T15:50:13.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46270 (GCVE-0-2026-46270)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
power: supply: rt9455: Fix use-after-free in power_supply_changed()
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: rt9455: Fix use-after-free in power_supply_changed()
Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `power_supply` handle, means that
the `power_supply` handle will be deallocated/unregistered _before_ the
interrupt handler (since `devm_` naturally deallocates in reverse
allocation order). This means that during removal, there is a race
condition where an interrupt can fire just _after_ the `power_supply`
handle has been freed, *but* just _before_ the corresponding
unregistration of the IRQ handler has run.
This will lead to the IRQ handler calling `power_supply_changed()` with
a freed `power_supply` handle. Which usually crashes the system or
otherwise silently corrupts the memory...
Note that there is a similar situation which can also happen during
`probe()`; the possibility of an interrupt firing _before_ registering
the `power_supply` handle. This would then lead to the nasty situation
of using the `power_supply` handle *uninitialized* in
`power_supply_changed()`.
Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `power_supply` handle.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc
(git)
Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < 62d753b916bd500bb269b7078cdab73198ab4718 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < a39f8f06216f73ef40e71e2fe4ad071964c1fd36 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < af261f218a7606f93d2c786353d60bb4feb56ef0 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < 2178dc65d45e2f7bcaa8af8d80d100419bdab251 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < 64e15155095f39f4dec9b4659da1238ef8fc54d4 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < 721449a15170fc5f028a7576d7f65b9f60d53482 (git) Affected: e86d69dd786e94046b8f5be7df1b9a8226a40b2a , < e2febe375e5ea5afed92f4cd9711bde8f24ee6d2 (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/rt9455_charger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "62d753b916bd500bb269b7078cdab73198ab4718",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "a39f8f06216f73ef40e71e2fe4ad071964c1fd36",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "af261f218a7606f93d2c786353d60bb4feb56ef0",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "2178dc65d45e2f7bcaa8af8d80d100419bdab251",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "64e15155095f39f4dec9b4659da1238ef8fc54d4",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "721449a15170fc5f028a7576d7f65b9f60d53482",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
},
{
"lessThan": "e2febe375e5ea5afed92f4cd9711bde8f24ee6d2",
"status": "affected",
"version": "e86d69dd786e94046b8f5be7df1b9a8226a40b2a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/rt9455_charger.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: rt9455: Fix use-after-free in power_supply_changed()\n\nUsing the `devm_` variant for requesting IRQ _before_ the `devm_`\nvariant for allocating/registering the `power_supply` handle, means that\nthe `power_supply` handle will be deallocated/unregistered _before_ the\ninterrupt handler (since `devm_` naturally deallocates in reverse\nallocation order). This means that during removal, there is a race\ncondition where an interrupt can fire just _after_ the `power_supply`\nhandle has been freed, *but* just _before_ the corresponding\nunregistration of the IRQ handler has run.\n\nThis will lead to the IRQ handler calling `power_supply_changed()` with\na freed `power_supply` handle. Which usually crashes the system or\notherwise silently corrupts the memory...\n\nNote that there is a similar situation which can also happen during\n`probe()`; the possibility of an interrupt firing _before_ registering\nthe `power_supply` handle. This would then lead to the nasty situation\nof using the `power_supply` handle *uninitialized* in\n`power_supply_changed()`.\n\nFix this racy use-after-free by making sure the IRQ is requested _after_\nthe registration of the `power_supply` handle."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:12.537Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d4e2e3c3caa26b93aa9f36d0a6824b584e2a8dfc"
},
{
"url": "https://git.kernel.org/stable/c/62d753b916bd500bb269b7078cdab73198ab4718"
},
{
"url": "https://git.kernel.org/stable/c/a39f8f06216f73ef40e71e2fe4ad071964c1fd36"
},
{
"url": "https://git.kernel.org/stable/c/af261f218a7606f93d2c786353d60bb4feb56ef0"
},
{
"url": "https://git.kernel.org/stable/c/2178dc65d45e2f7bcaa8af8d80d100419bdab251"
},
{
"url": "https://git.kernel.org/stable/c/64e15155095f39f4dec9b4659da1238ef8fc54d4"
},
{
"url": "https://git.kernel.org/stable/c/721449a15170fc5f028a7576d7f65b9f60d53482"
},
{
"url": "https://git.kernel.org/stable/c/e2febe375e5ea5afed92f4cd9711bde8f24ee6d2"
}
],
"title": "power: supply: rt9455: Fix use-after-free in power_supply_changed()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46270",
"datePublished": "2026-06-03T15:50:12.537Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T15:50:12.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46269 (GCVE-0-2026-46269)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree
Summary
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree
When probing the k230 pinctrl driver, the kernel triggers a NULL pointer
dereference. The crash trace showed:
[ 0.732084] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068
[ 0.740737] ...
[ 0.776296] epc : k230_pinctrl_probe+0x1be/0x4fc
In k230_pinctrl_parse_functions(), we attempt to retrieve the device
pointer via info->pctl_dev->dev, but info->pctl_dev is only initialized
after k230_pinctrl_parse_dt() completes.
At the time of DT parsing, info->pctl_dev is still NULL, leading to
the invalid dereference of info->pctl_dev->dev.
Use the already available device pointer from platform_device
instead of accessing through uninitialized pctl_dev.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d94a32ac688f953dc9a9f12b5b4139ecad841bbb , < 3c7d637bfc3dfbd6471c68bd767f7eb8b5b09eba
(git)
Affected: d94a32ac688f953dc9a9f12b5b4139ecad841bbb , < 1d0d361f4dbc2bb2003594f84e4b101fc6b508c0 (git) Affected: d94a32ac688f953dc9a9f12b5b4139ecad841bbb , < d8c128fb6c2277d95f3f6a4ce28b82c8370031f6 (git) Affected: 02c1deb1bff2b6d242e29a51e56107495979a2b8 (git) Affected: 0ec03251d01494ef207089b5bd626becfd05fd86 (git) Affected: 6.15.10 , < 6.16 (semver) Affected: 6.16.1 , < 6.17 (semver) |
|
| Linux | Linux |
Affected:
6.17
Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-k230.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c7d637bfc3dfbd6471c68bd767f7eb8b5b09eba",
"status": "affected",
"version": "d94a32ac688f953dc9a9f12b5b4139ecad841bbb",
"versionType": "git"
},
{
"lessThan": "1d0d361f4dbc2bb2003594f84e4b101fc6b508c0",
"status": "affected",
"version": "d94a32ac688f953dc9a9f12b5b4139ecad841bbb",
"versionType": "git"
},
{
"lessThan": "d8c128fb6c2277d95f3f6a4ce28b82c8370031f6",
"status": "affected",
"version": "d94a32ac688f953dc9a9f12b5b4139ecad841bbb",
"versionType": "git"
},
{
"status": "affected",
"version": "02c1deb1bff2b6d242e29a51e56107495979a2b8",
"versionType": "git"
},
{
"status": "affected",
"version": "0ec03251d01494ef207089b5bd626becfd05fd86",
"versionType": "git"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThan": "6.17",
"status": "affected",
"version": "6.16.1",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pinctrl/pinctrl-k230.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree\n\nWhen probing the k230 pinctrl driver, the kernel triggers a NULL pointer\ndereference. The crash trace showed:\n[ 0.732084] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068\n[ 0.740737] ...\n[ 0.776296] epc : k230_pinctrl_probe+0x1be/0x4fc\n\nIn k230_pinctrl_parse_functions(), we attempt to retrieve the device\npointer via info-\u003epctl_dev-\u003edev, but info-\u003epctl_dev is only initialized\nafter k230_pinctrl_parse_dt() completes.\n\nAt the time of DT parsing, info-\u003epctl_dev is still NULL, leading to\nthe invalid dereference of info-\u003epctl_dev-\u003edev.\n\nUse the already available device pointer from platform_device\ninstead of accessing through uninitialized pctl_dev."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:11.254Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c7d637bfc3dfbd6471c68bd767f7eb8b5b09eba"
},
{
"url": "https://git.kernel.org/stable/c/1d0d361f4dbc2bb2003594f84e4b101fc6b508c0"
},
{
"url": "https://git.kernel.org/stable/c/d8c128fb6c2277d95f3f6a4ce28b82c8370031f6"
}
],
"title": "pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46269",
"datePublished": "2026-06-03T15:50:11.254Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T15:50:11.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46268 (GCVE-0-2026-46268)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
Summary
In the Linux kernel, the following vulnerability has been resolved:
PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
Commit b7e282378773 has already changed the initial page refcount of
p2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses
"VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert the initial page
refcount should not be zero and the following will be reported when
CONFIG_DEBUG_VM is enabled:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000
flags: 0x20000000002000(reserved|node=0|zone=4)
raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))
------------[ cut here ]------------
WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60
Fix by using "page_ref_count(page)" as the assertion condition.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b7e2823787735ca009e63f35f164b46df0ef096c , < eb9aa9f8010465d927864f5a35bdc5604b0ff51a
(git)
Affected: b7e2823787735ca009e63f35f164b46df0ef096c , < 9b69243983fb2f4d4d1f4ef0989bc1296547dc2c (git) Affected: b7e2823787735ca009e63f35f164b46df0ef096c , < cb500023a75246f60b79af9f7321d6e75330c5b5 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pci/p2pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb9aa9f8010465d927864f5a35bdc5604b0ff51a",
"status": "affected",
"version": "b7e2823787735ca009e63f35f164b46df0ef096c",
"versionType": "git"
},
{
"lessThan": "9b69243983fb2f4d4d1f4ef0989bc1296547dc2c",
"status": "affected",
"version": "b7e2823787735ca009e63f35f164b46df0ef096c",
"versionType": "git"
},
{
"lessThan": "cb500023a75246f60b79af9f7321d6e75330c5b5",
"status": "affected",
"version": "b7e2823787735ca009e63f35f164b46df0ef096c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pci/p2pdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition\n\nCommit b7e282378773 has already changed the initial page refcount of\np2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses\n\"VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))\" to assert the initial page\nrefcount should not be zero and the following will be reported when\nCONFIG_DEBUG_VM is enabled:\n\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000\n flags: 0x20000000002000(reserved|node=0|zone=4)\n raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\n page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))\n ------------[ cut here ]------------\n WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60\n\nFix by using \"page_ref_count(page)\" as the assertion condition."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:10.101Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb9aa9f8010465d927864f5a35bdc5604b0ff51a"
},
{
"url": "https://git.kernel.org/stable/c/9b69243983fb2f4d4d1f4ef0989bc1296547dc2c"
},
{
"url": "https://git.kernel.org/stable/c/cb500023a75246f60b79af9f7321d6e75330c5b5"
}
],
"title": "PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46268",
"datePublished": "2026-06-03T15:50:10.101Z",
"dateReserved": "2026-05-13T15:03:33.109Z",
"dateUpdated": "2026-06-03T15:50:10.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46267 (GCVE-0-2026-46267)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
nfc: hci: shdlc: Stop timers and work before freeing context
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfc: hci: shdlc: Stop timers and work before freeing context
llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc
structure while its timers and state machine work may still be active.
Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state
and the skb queues. If teardown happens in parallel with a queued/running
work item, it can lead to UAF and other shutdown races.
Stop all SHDLC timers and cancel sm_work synchronously before purging the
queues and freeing the context.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4a61cd6687fc6348d08724676d34e38160d6cf9b , < c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e
(git)
Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < a24a676329d40481b2331bfa1418a679577dfd3a (git) Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < 77eef9f2eef045c3c37a3df82d3e661afb866b98 (git) Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < cf70cedce327833296ebe6043364d1e44b76a2ab (git) Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < 276820278e9717cc7d4bb32381892dd3ddf418d4 (git) Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < 1cb97b1225450af3f7b728777929ba50c6a58ced (git) Affected: 4a61cd6687fc6348d08724676d34e38160d6cf9b , < c9efde1e537baed7648a94022b43836a348a074f (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/hci/llc_shdlc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "a24a676329d40481b2331bfa1418a679577dfd3a",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "77eef9f2eef045c3c37a3df82d3e661afb866b98",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "cf70cedce327833296ebe6043364d1e44b76a2ab",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "276820278e9717cc7d4bb32381892dd3ddf418d4",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "1cb97b1225450af3f7b728777929ba50c6a58ced",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
},
{
"lessThan": "c9efde1e537baed7648a94022b43836a348a074f",
"status": "affected",
"version": "4a61cd6687fc6348d08724676d34e38160d6cf9b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/hci/llc_shdlc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: hci: shdlc: Stop timers and work before freeing context\n\nllc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc\nstructure while its timers and state machine work may still be active.\n\nTimer callbacks can schedule sm_work, and sm_work accesses SHDLC state\nand the skb queues. If teardown happens in parallel with a queued/running\nwork item, it can lead to UAF and other shutdown races.\n\nStop all SHDLC timers and cancel sm_work synchronously before purging the\nqueues and freeing the context.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:09.035Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e"
},
{
"url": "https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a"
},
{
"url": "https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98"
},
{
"url": "https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab"
},
{
"url": "https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4"
},
{
"url": "https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced"
},
{
"url": "https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f"
}
],
"title": "nfc: hci: shdlc: Stop timers and work before freeing context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46267",
"datePublished": "2026-06-03T15:50:09.035Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:09.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46266 (GCVE-0-2026-46266)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
Summary
In the Linux kernel, the following vulnerability has been resolved:
inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
Yizhou Zhao reported that simply having one RAW socket on protocol
IPPROTO_RAW (255) was dangerous.
socket(AF_INET, SOCK_RAW, 255);
A malicious incoming ICMP packet can set the protocol field to 255
and match this socket, leading to FNHE cache changes.
inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST")
pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner
"man 7 raw" states:
A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able
to send any IP protocol that is specified in the passed header.
Receiving of all IP protocols via IPPROTO_RAW is not possible
using raw sockets.
Make sure we drop these malicious packets.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < db76b75ede3810e7cf9cfea5067d4f3e0993768b
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 19e42490c89bac9a388f28179e66bebbef350f99 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 531c1aec81bfe19d00af13da5531fbb8209e4bd2 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 719d3932b8f6e3348ce2f0ac58e278301fc17575 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c89477ad79446867394360b29bb801010fc3ff22 (git) |
|
| Linux | Linux |
Affected:
2.6.12
Unaffected: 0 , < 2.6.12 (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db76b75ede3810e7cf9cfea5067d4f3e0993768b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "19e42490c89bac9a388f28179e66bebbef350f99",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "531c1aec81bfe19d00af13da5531fbb8209e4bd2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "719d3932b8f6e3348ce2f0ac58e278301fc17575",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c89477ad79446867394360b29bb801010fc3ff22",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c",
"net/ipv6/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP\n\nYizhou Zhao reported that simply having one RAW socket on protocol\nIPPROTO_RAW (255) was dangerous.\n\n socket(AF_INET, SOCK_RAW, 255);\n\nA malicious incoming ICMP packet can set the protocol field to 255\nand match this socket, leading to FNHE cache changes.\n\ninner = IP(src=\"192.168.2.1\", dst=\"8.8.8.8\", proto=255)/Raw(\"TEST\")\npkt = IP(src=\"192.168.1.1\", dst=\"192.168.2.1\")/ICMP(type=3, code=4, nexthopmtu=576)/inner\n\n\"man 7 raw\" states:\n\n A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able\n to send any IP protocol that is specified in the passed header.\n Receiving of all IP protocols via IPPROTO_RAW is not possible\n using raw sockets.\n\nMake sure we drop these malicious packets."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:07.907Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db76b75ede3810e7cf9cfea5067d4f3e0993768b"
},
{
"url": "https://git.kernel.org/stable/c/19e42490c89bac9a388f28179e66bebbef350f99"
},
{
"url": "https://git.kernel.org/stable/c/531c1aec81bfe19d00af13da5531fbb8209e4bd2"
},
{
"url": "https://git.kernel.org/stable/c/719d3932b8f6e3348ce2f0ac58e278301fc17575"
},
{
"url": "https://git.kernel.org/stable/c/c89477ad79446867394360b29bb801010fc3ff22"
}
],
"title": "inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46266",
"datePublished": "2026-06-03T15:50:07.907Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:07.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46265 (GCVE-0-2026-46265)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
RDMA/hns: Fix WQ_MEM_RECLAIM warning
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/hns: Fix WQ_MEM_RECLAIM warning
When sunrpc is used, if a reset triggered, our wq may lead the
following trace:
workqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma]
is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle
[hns_roce_hw_v2]
WARNING: CPU: 0 PID: 8250 at kernel/workqueue.c:2644 check_flush_dependency+0xe0/0x144
Call trace:
check_flush_dependency+0xe0/0x144
start_flush_work.constprop.0+0x1d0/0x2f0
__flush_work.isra.0+0x40/0xb0
flush_work+0x14/0x30
hns_roce_v2_destroy_qp+0xac/0x1e0 [hns_roce_hw_v2]
ib_destroy_qp_user+0x9c/0x2b4
rdma_destroy_qp+0x34/0xb0
rpcrdma_ep_destroy+0x28/0xcc [rpcrdma]
rpcrdma_ep_put+0x74/0xb4 [rpcrdma]
rpcrdma_xprt_disconnect+0x1d8/0x260 [rpcrdma]
xprt_rdma_connect_worker+0xc0/0x120 [rpcrdma]
process_one_work+0x1cc/0x4d0
worker_thread+0x154/0x414
kthread+0x104/0x144
ret_from_fork+0x10/0x18
Since QP destruction frees memory, this wq should have the WQ_MEM_RECLAIM.
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ffd541d45726341c1830ff595fd7352b6d1cfbcd , < 12761bd0ae16a80f237c2a65ab1b1064076cc74a
(git)
Affected: ffd541d45726341c1830ff595fd7352b6d1cfbcd , < 70a5eb757ace5bd627a36f04d871eaf85def424d (git) Affected: ffd541d45726341c1830ff595fd7352b6d1cfbcd , < 562c96b1393da2df3ea62173c84117b39da353b9 (git) Affected: ffd541d45726341c1830ff595fd7352b6d1cfbcd , < 0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27 (git) Affected: ffd541d45726341c1830ff595fd7352b6d1cfbcd , < c5ef9a1bcf5b597695d9c2e6ac452e9f89521862 (git) Affected: ffd541d45726341c1830ff595fd7352b6d1cfbcd , < c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_hw_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "12761bd0ae16a80f237c2a65ab1b1064076cc74a",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
},
{
"lessThan": "70a5eb757ace5bd627a36f04d871eaf85def424d",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
},
{
"lessThan": "562c96b1393da2df3ea62173c84117b39da353b9",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
},
{
"lessThan": "0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
},
{
"lessThan": "c5ef9a1bcf5b597695d9c2e6ac452e9f89521862",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
},
{
"lessThan": "c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6",
"status": "affected",
"version": "ffd541d45726341c1830ff595fd7352b6d1cfbcd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/hns/hns_roce_hw_v2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/hns: Fix WQ_MEM_RECLAIM warning\n\nWhen sunrpc is used, if a reset triggered, our wq may lead the\nfollowing trace:\n\nworkqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma]\nis flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle\n[hns_roce_hw_v2]\nWARNING: CPU: 0 PID: 8250 at kernel/workqueue.c:2644 check_flush_dependency+0xe0/0x144\nCall trace:\n check_flush_dependency+0xe0/0x144\n start_flush_work.constprop.0+0x1d0/0x2f0\n __flush_work.isra.0+0x40/0xb0\n flush_work+0x14/0x30\n hns_roce_v2_destroy_qp+0xac/0x1e0 [hns_roce_hw_v2]\n ib_destroy_qp_user+0x9c/0x2b4\n rdma_destroy_qp+0x34/0xb0\n rpcrdma_ep_destroy+0x28/0xcc [rpcrdma]\n rpcrdma_ep_put+0x74/0xb4 [rpcrdma]\n rpcrdma_xprt_disconnect+0x1d8/0x260 [rpcrdma]\n xprt_rdma_connect_worker+0xc0/0x120 [rpcrdma]\n process_one_work+0x1cc/0x4d0\n worker_thread+0x154/0x414\n kthread+0x104/0x144\n ret_from_fork+0x10/0x18\n\nSince QP destruction frees memory, this wq should have the WQ_MEM_RECLAIM."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:05.933Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/12761bd0ae16a80f237c2a65ab1b1064076cc74a"
},
{
"url": "https://git.kernel.org/stable/c/70a5eb757ace5bd627a36f04d871eaf85def424d"
},
{
"url": "https://git.kernel.org/stable/c/562c96b1393da2df3ea62173c84117b39da353b9"
},
{
"url": "https://git.kernel.org/stable/c/0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27"
},
{
"url": "https://git.kernel.org/stable/c/c5ef9a1bcf5b597695d9c2e6ac452e9f89521862"
},
{
"url": "https://git.kernel.org/stable/c/c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6"
}
],
"title": "RDMA/hns: Fix WQ_MEM_RECLAIM warning",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46265",
"datePublished": "2026-06-03T15:50:05.933Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:05.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46264 (GCVE-0-2026-46264)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
drm/xe/pf: Fix sysfs initialization
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/pf: Fix sysfs initialization
In case of devm_add_action_or_reset() failure the provided cleanup
action will be run immediately on the not yet initialized kobject.
This may lead to errors like:
[ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called.
[ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9
[ ] RIP: 0010:kobject_put+0xdf/0x250
[ ] Call Trace:
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0
[ ] refcount_t: underflow; use-after-free.
[ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9
[ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0
[ ] Call Trace:
[ ] kobject_put+0x174/0x250
[ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]
[ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]
[ ] xe_sriov_init_late+0x5f/0x2c0 [xe]
[ ] xe_device_probe+0x5f2/0xc20 [xe]
[ ] xe_pci_probe+0x396/0x610 [xe]
[ ] local_pci_probe+0x47/0xb0
Fix that by calling kobject_init() and kobject_add() separately
and register cleanup action after the kobject is initialized.
Also make this cleanup registration a part of the create helper to
fix another mistake, as in the loop we were wrongly passing parent
kobject while registering cleanup action, and this resulted in some
undetected leaks.
(cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
5c170a4d9c530e872f2f788d95258fbaa39b4415 , < 6ae479b1919ee9bd0560fc7af649932dd420d010
(git)
Affected: 5c170a4d9c530e872f2f788d95258fbaa39b4415 , < bf7172cd25ed182f30af2cbb9f80c730dc717d8e (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_sriov_pf_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ae479b1919ee9bd0560fc7af649932dd420d010",
"status": "affected",
"version": "5c170a4d9c530e872f2f788d95258fbaa39b4415",
"versionType": "git"
},
{
"lessThan": "bf7172cd25ed182f30af2cbb9f80c730dc717d8e",
"status": "affected",
"version": "5c170a4d9c530e872f2f788d95258fbaa39b4415",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_sriov_pf_sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/pf: Fix sysfs initialization\n\nIn case of devm_add_action_or_reset() failure the provided cleanup\naction will be run immediately on the not yet initialized kobject.\nThis may lead to errors like:\n\n [ ] kobject: \u0027(null)\u0027 (ff110001393608e0): is not initialized, yet kobject_put() is being called.\n [ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9\n [ ] RIP: 0010:kobject_put+0xdf/0x250\n [ ] Call Trace:\n [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]\n [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]\n [ ] xe_sriov_init_late+0x5f/0x2c0 [xe]\n [ ] xe_device_probe+0x5f2/0xc20 [xe]\n [ ] xe_pci_probe+0x396/0x610 [xe]\n [ ] local_pci_probe+0x47/0xb0\n\n [ ] refcount_t: underflow; use-after-free.\n [ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9\n [ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0\n [ ] Call Trace:\n [ ] kobject_put+0x174/0x250\n [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe]\n [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe]\n [ ] xe_sriov_init_late+0x5f/0x2c0 [xe]\n [ ] xe_device_probe+0x5f2/0xc20 [xe]\n [ ] xe_pci_probe+0x396/0x610 [xe]\n [ ] local_pci_probe+0x47/0xb0\n\nFix that by calling kobject_init() and kobject_add() separately\nand register cleanup action after the kobject is initialized.\n\nAlso make this cleanup registration a part of the create helper to\nfix another mistake, as in the loop we were wrongly passing parent\nkobject while registering cleanup action, and this resulted in some\nundetected leaks.\n\n(cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:04.620Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ae479b1919ee9bd0560fc7af649932dd420d010"
},
{
"url": "https://git.kernel.org/stable/c/bf7172cd25ed182f30af2cbb9f80c730dc717d8e"
}
],
"title": "drm/xe/pf: Fix sysfs initialization",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46264",
"datePublished": "2026-06-03T15:50:04.620Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:04.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46263 (GCVE-0-2026-46263)
Vulnerability from nvd – Published: 2026-06-03 15:50 – Updated: 2026-06-03 15:50
VLAI
Title
drm/amd/display: Fix out-of-bounds stream encoder index v3
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix out-of-bounds stream encoder index v3
eng_id can be negative and that stream_enc_regs[]
can be indexed out of bounds.
eng_id is used directly as an index into stream_enc_regs[], which has
only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can
access memory past the end of the array.
Add a bounds check using ARRAY_SIZE() before using eng_id as an index.
The unsigned cast also rejects negative values.
This avoids out-of-bounds access.
Fixes the below smatch error:
dcn*_resource.c: stream_encoder_create() may index
stream_enc_regs[eng_id] out of bounds (size 5).
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c
1246 static struct stream_encoder *dcn35_stream_encoder_create(
1247 enum engine_id eng_id,
1248 struct dc_context *ctx)
1249 {
...
1255
1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */
1257 if (eng_id <= ENGINE_ID_DIGF) {
ENGINE_ID_DIGF is 5. should <= be <?
Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative?
end_id is type signed long, but there are checks in the caller which prevent it from being negative.
1258 vpg_inst = eng_id;
1259 afmt_inst = eng_id;
1260 } else
1261 return NULL;
1262
...
1281
1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios,
1283 eng_id, vpg, afmt,
--> 1284 &stream_enc_regs[eng_id],
^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.
...
1287 return &enc1->base;
1288 }
v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast
v3: The compiler already knows how to compare the two values, so the
cast (int) is not needed. (Roman)
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < 29f3824b08a98d41ecbbfd33580630d7607f962e
(git)
Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < 263e28add4f4472cfa95150d218955d1945aa413 (git) Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < ca3808d560ad946ab6d089fd1f5bee04b952ead4 (git) Affected: 2728e9c7c84235d2d7bc1403174d071ffc82d6d2 , < abde491143e4e12eecc41337910aace4e8d59603 (git) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29f3824b08a98d41ecbbfd33580630d7607f962e",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "263e28add4f4472cfa95150d218955d1945aa413",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "ca3808d560ad946ab6d089fd1f5bee04b952ead4",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
},
{
"lessThan": "abde491143e4e12eecc41337910aace4e8d59603",
"status": "affected",
"version": "2728e9c7c84235d2d7bc1403174d071ffc82d6d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c",
"drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bounds stream encoder index v3\n\neng_id can be negative and that stream_enc_regs[]\ncan be indexed out of bounds.\n\neng_id is used directly as an index into stream_enc_regs[], which has\nonly 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can\naccess memory past the end of the array.\n\nAdd a bounds check using ARRAY_SIZE() before using eng_id as an index.\nThe unsigned cast also rejects negative values.\n\nThis avoids out-of-bounds access.\n\nFixes the below smatch error:\ndcn*_resource.c: stream_encoder_create() may index\nstream_enc_regs[eng_id] out of bounds (size 5).\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c\n 1246 static struct stream_encoder *dcn35_stream_encoder_create(\n 1247 enum engine_id eng_id,\n 1248 struct dc_context *ctx)\n 1249 {\n\n ...\n\n 1255\n 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */\n 1257 if (eng_id \u003c= ENGINE_ID_DIGF) {\n\nENGINE_ID_DIGF is 5. should \u003c= be \u003c?\n\nUnrelated but, ugh, why is Smatch saying that \"eng_id\" can be negative?\nend_id is type signed long, but there are checks in the caller which prevent it from being negative.\n\n 1258 vpg_inst = eng_id;\n 1259 afmt_inst = eng_id;\n 1260 } else\n 1261 return NULL;\n 1262\n\n ...\n\n 1281\n 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx-\u003edc_bios,\n 1283 eng_id, vpg, afmt,\n--\u003e 1284 \u0026stream_enc_regs[eng_id],\n ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array.\n\n ...\n\n 1287 return \u0026enc1-\u003ebase;\n 1288 }\n\nv2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast\n\nv3: The compiler already knows how to compare the two values, so the\n cast (int) is not needed. (Roman)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:50:02.572Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29f3824b08a98d41ecbbfd33580630d7607f962e"
},
{
"url": "https://git.kernel.org/stable/c/263e28add4f4472cfa95150d218955d1945aa413"
},
{
"url": "https://git.kernel.org/stable/c/ca3808d560ad946ab6d089fd1f5bee04b952ead4"
},
{
"url": "https://git.kernel.org/stable/c/abde491143e4e12eecc41337910aace4e8d59603"
}
],
"title": "drm/amd/display: Fix out-of-bounds stream encoder index v3",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46263",
"datePublished": "2026-06-03T15:50:02.572Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:50:02.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46262 (GCVE-0-2026-46262)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()
This reverts commit f51424872760 ("ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()").
The original patch attempted to acquire the card->controls_rwsem lock in
fsl_xcvr_mode_put(). However, this function is called from the upper ALSA
core function snd_ctl_elem_write(), which already holds the write lock on
controls_rwsem for the whole put operation. So there is no need to simply
hold the lock for fsl_xcvr_activate_ctl() again.
Acquiring the read lock while holding the write lock in the same thread
results in a deadlock and a hung task, as reported by Alexander Stein.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
612ffe1f4f0499b3011f16d06e354a76dae2e2d1 , < ae5a70e3e87c28edbaf9939cfef1bcbd9615420f
(git)
Affected: 38354c82abe7bcbcd1182a06af89d3cc16d3e2c7 , < 30ffcad5edb56947dccc26f6816ab7a55b21a711 (git) Affected: 61e007657bf7740d54ca2aadce0fb5997839818e , < 29b2fbe3498da3681a01b34e4a2259f8a1b89448 (git) Affected: daaf4fe333e0d48b2037cd2270bf1ff8f70d5068 , < b0f74f5d24fe3c73ef1369a811891198b54c1e8e (git) Affected: cab928242853a832ffa7efda270ecfb9efeebb6e , < 9a2a5da002775376498e8814df4a87cd629a3a0c (git) Affected: f514248727606b9087bc38a284ff686e0093abf1 , < 0886dc6326c3cc596799c4340d342898301cf52a (git) Affected: f514248727606b9087bc38a284ff686e0093abf1 , < 9f16d96e1222391a6b996a1b676bec14fb91e3b2 (git) Affected: 5.15.201 , < 5.15.202 (semver) Affected: 6.1.164 , < 6.1.165 (semver) Affected: 6.6.127 , < 6.6.128 (semver) Affected: 6.12.74 , < 6.12.75 (semver) Affected: 6.18.13 , < 6.18.14 (semver) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/fsl_xcvr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae5a70e3e87c28edbaf9939cfef1bcbd9615420f",
"status": "affected",
"version": "612ffe1f4f0499b3011f16d06e354a76dae2e2d1",
"versionType": "git"
},
{
"lessThan": "30ffcad5edb56947dccc26f6816ab7a55b21a711",
"status": "affected",
"version": "38354c82abe7bcbcd1182a06af89d3cc16d3e2c7",
"versionType": "git"
},
{
"lessThan": "29b2fbe3498da3681a01b34e4a2259f8a1b89448",
"status": "affected",
"version": "61e007657bf7740d54ca2aadce0fb5997839818e",
"versionType": "git"
},
{
"lessThan": "b0f74f5d24fe3c73ef1369a811891198b54c1e8e",
"status": "affected",
"version": "daaf4fe333e0d48b2037cd2270bf1ff8f70d5068",
"versionType": "git"
},
{
"lessThan": "9a2a5da002775376498e8814df4a87cd629a3a0c",
"status": "affected",
"version": "cab928242853a832ffa7efda270ecfb9efeebb6e",
"versionType": "git"
},
{
"lessThan": "0886dc6326c3cc596799c4340d342898301cf52a",
"status": "affected",
"version": "f514248727606b9087bc38a284ff686e0093abf1",
"versionType": "git"
},
{
"lessThan": "9f16d96e1222391a6b996a1b676bec14fb91e3b2",
"status": "affected",
"version": "f514248727606b9087bc38a284ff686e0093abf1",
"versionType": "git"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "6.18.13",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/fsl/fsl_xcvr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "5.15.201",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()\n\nThis reverts commit f51424872760 (\"ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()\").\n\nThe original patch attempted to acquire the card-\u003econtrols_rwsem lock in\nfsl_xcvr_mode_put(). However, this function is called from the upper ALSA\ncore function snd_ctl_elem_write(), which already holds the write lock on\ncontrols_rwsem for the whole put operation. So there is no need to simply\nhold the lock for fsl_xcvr_activate_ctl() again.\n\nAcquiring the read lock while holding the write lock in the same thread\nresults in a deadlock and a hung task, as reported by Alexander Stein."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:59.980Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae5a70e3e87c28edbaf9939cfef1bcbd9615420f"
},
{
"url": "https://git.kernel.org/stable/c/30ffcad5edb56947dccc26f6816ab7a55b21a711"
},
{
"url": "https://git.kernel.org/stable/c/29b2fbe3498da3681a01b34e4a2259f8a1b89448"
},
{
"url": "https://git.kernel.org/stable/c/b0f74f5d24fe3c73ef1369a811891198b54c1e8e"
},
{
"url": "https://git.kernel.org/stable/c/9a2a5da002775376498e8814df4a87cd629a3a0c"
},
{
"url": "https://git.kernel.org/stable/c/0886dc6326c3cc596799c4340d342898301cf52a"
},
{
"url": "https://git.kernel.org/stable/c/9f16d96e1222391a6b996a1b676bec14fb91e3b2"
}
],
"title": "ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46262",
"datePublished": "2026-06-03T15:49:59.980Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:59.980Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46261 (GCVE-0-2026-46261)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()
Summary
In the Linux kernel, the following vulnerability has been resolved:
spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()
platform_get_resource_byname() can return NULL, which would cause a crash
when passed the pointer to resource_size().
Move the fiu->memory_size assignment after the error check for
devm_ioremap_resource() to prevent the potential NULL pointer dereference.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9838c182471ee5532824bae7f2669d3539719f78 , < 9e5cb7e67fbdb8320d68d87db882a92b36f6a1d9
(git)
Affected: 9838c182471ee5532824bae7f2669d3539719f78 , < 2c538a0b3472e99c892c26f4940da38b7d87f632 (git) Affected: 9838c182471ee5532824bae7f2669d3539719f78 , < 0f93a80eb3fd596ddc5730d05e0e8c88e1aa2891 (git) Affected: 9838c182471ee5532824bae7f2669d3539719f78 , < cb9b2dc34a9eef0855edb00ae9c9b7f72394281b (git) Affected: 9838c182471ee5532824bae7f2669d3539719f78 , < 888a0a802c467bbe34a42167bdf9d7331333440a (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-wpcm-fiu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9e5cb7e67fbdb8320d68d87db882a92b36f6a1d9",
"status": "affected",
"version": "9838c182471ee5532824bae7f2669d3539719f78",
"versionType": "git"
},
{
"lessThan": "2c538a0b3472e99c892c26f4940da38b7d87f632",
"status": "affected",
"version": "9838c182471ee5532824bae7f2669d3539719f78",
"versionType": "git"
},
{
"lessThan": "0f93a80eb3fd596ddc5730d05e0e8c88e1aa2891",
"status": "affected",
"version": "9838c182471ee5532824bae7f2669d3539719f78",
"versionType": "git"
},
{
"lessThan": "cb9b2dc34a9eef0855edb00ae9c9b7f72394281b",
"status": "affected",
"version": "9838c182471ee5532824bae7f2669d3539719f78",
"versionType": "git"
},
{
"lessThan": "888a0a802c467bbe34a42167bdf9d7331333440a",
"status": "affected",
"version": "9838c182471ee5532824bae7f2669d3539719f78",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/spi/spi-wpcm-fiu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()\n\nplatform_get_resource_byname() can return NULL, which would cause a crash\nwhen passed the pointer to resource_size().\n\nMove the fiu-\u003ememory_size assignment after the error check for\ndevm_ioremap_resource() to prevent the potential NULL pointer dereference."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:58.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9e5cb7e67fbdb8320d68d87db882a92b36f6a1d9"
},
{
"url": "https://git.kernel.org/stable/c/2c538a0b3472e99c892c26f4940da38b7d87f632"
},
{
"url": "https://git.kernel.org/stable/c/0f93a80eb3fd596ddc5730d05e0e8c88e1aa2891"
},
{
"url": "https://git.kernel.org/stable/c/cb9b2dc34a9eef0855edb00ae9c9b7f72394281b"
},
{
"url": "https://git.kernel.org/stable/c/888a0a802c467bbe34a42167bdf9d7331333440a"
}
],
"title": "spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46261",
"datePublished": "2026-06-03T15:49:58.684Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:58.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46260 (GCVE-0-2026-46260)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
ipv6: Fix out-of-bound access in fib6_add_rt2node().
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: Fix out-of-bound access in fib6_add_rt2node().
syzbot reported out-of-bound read in fib6_add_rt2node(). [0]
When IPv6 route is created with RTA_NH_ID, struct fib6_info
does not have the trailing struct fib6_nh.
The cited commit started to check !iter->fib6_nh->fib_nh_gw_family
to ensure that rt6_qualify_for_ecmp() will return false for iter.
If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.
Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.
[0]:
BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500
CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]
fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531
__ip6_ins_rt net/ipv6/route.c:1351 [inline]
ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957
inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
__sys_sendmsg net/socket.c:2678 [inline]
__do_sys_sendmsg net/socket.c:2683 [inline]
__se_sys_sendmsg net/socket.c:2681 [inline]
__x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9316b9aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9
RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0
</TASK>
Allocated by task 5499:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5657 [inline]
__kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820
ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949
inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
___sys_s
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
50b7c7a255858a85c4636a1e990ca04591153dca , < bcc60ad129ae1837cf809c81bff56ec8bfdb6b11
(git)
Affected: d8143c54ceeba232dc8a13aa0afa14a44b371d93 , < bf5009a06e03ee9a51052bb59f2228a5e4e66260 (git) Affected: b8ad2d53f706aeea833d23d45c0758398fede580 , < 03b5051e02f5a3772eee57493ad697d4b505b0c2 (git) Affected: bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 , < 500e54615c97bc3c427e52305a6fcd38a0e008a3 (git) Affected: bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25 , < 8244f959e2c125c849e569f5b23ed49804cce695 (git) Affected: 6.6.124 , < 6.6.128 (semver) Affected: 6.12.70 , < 6.12.75 (semver) Affected: 6.18.10 , < 6.18.14 (semver) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bcc60ad129ae1837cf809c81bff56ec8bfdb6b11",
"status": "affected",
"version": "50b7c7a255858a85c4636a1e990ca04591153dca",
"versionType": "git"
},
{
"lessThan": "bf5009a06e03ee9a51052bb59f2228a5e4e66260",
"status": "affected",
"version": "d8143c54ceeba232dc8a13aa0afa14a44b371d93",
"versionType": "git"
},
{
"lessThan": "03b5051e02f5a3772eee57493ad697d4b505b0c2",
"status": "affected",
"version": "b8ad2d53f706aeea833d23d45c0758398fede580",
"versionType": "git"
},
{
"lessThan": "500e54615c97bc3c427e52305a6fcd38a0e008a3",
"status": "affected",
"version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
"versionType": "git"
},
{
"lessThan": "8244f959e2c125c849e569f5b23ed49804cce695",
"status": "affected",
"version": "bbf4a17ad9ffc4e3d7ec13d73ecd59dea149ed25",
"versionType": "git"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "6.18.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/ip6_fib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6.124",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.18.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix out-of-bound access in fib6_add_rt2node().\n\nsyzbot reported out-of-bound read in fib6_add_rt2node(). [0]\n\nWhen IPv6 route is created with RTA_NH_ID, struct fib6_info\ndoes not have the trailing struct fib6_nh.\n\nThe cited commit started to check !iter-\u003efib6_nh-\u003efib_nh_gw_family\nto ensure that rt6_qualify_for_ecmp() will return false for iter.\n\nIf iter-\u003enh is not NULL, rt6_qualify_for_ecmp() returns false anyway.\n\nLet\u0027s check iter-\u003enh before reading iter-\u003efib6_nh and avoid OOB read.\n\n[0]:\nBUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\nRead of size 1 at addr ffff8880384ba6de by task syz.0.18/5500\n\nCPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xba/0x230 mm/kasan/report.c:482\n kasan_report+0x117/0x150 mm/kasan/report.c:595\n fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142\n fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]\n fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531\n __ip6_ins_rt net/ipv6/route.c:1351 [inline]\n ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646\n __sys_sendmsg net/socket.c:2678 [inline]\n __do_sys_sendmsg net/socket.c:2683 [inline]\n __se_sys_sendmsg net/socket.c:2681 [inline]\n __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f9316b9aeb9\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9\nRDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003\nRBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0\n \u003c/TASK\u003e\n\nAllocated by task 5499:\n kasan_save_stack mm/kasan/common.c:57 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:78\n poison_kmalloc_redzone mm/kasan/common.c:398 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415\n kasan_kmalloc include/linux/kasan.h:263 [inline]\n __do_kmalloc_node mm/slub.c:5657 [inline]\n __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669\n kmalloc_noprof include/linux/slab.h:961 [inline]\n kzalloc_noprof include/linux/slab.h:1094 [inline]\n fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820\n ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949\n inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660\n rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958\n netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550\n netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\n netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344\n netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg net/socket.c:742 [inline]\n ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592\n ___sys_s\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:57.561Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bcc60ad129ae1837cf809c81bff56ec8bfdb6b11"
},
{
"url": "https://git.kernel.org/stable/c/bf5009a06e03ee9a51052bb59f2228a5e4e66260"
},
{
"url": "https://git.kernel.org/stable/c/03b5051e02f5a3772eee57493ad697d4b505b0c2"
},
{
"url": "https://git.kernel.org/stable/c/500e54615c97bc3c427e52305a6fcd38a0e008a3"
},
{
"url": "https://git.kernel.org/stable/c/8244f959e2c125c849e569f5b23ed49804cce695"
}
],
"title": "ipv6: Fix out-of-bound access in fib6_add_rt2node().",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46260",
"datePublished": "2026-06-03T15:49:57.561Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:57.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46259 (GCVE-0-2026-46259)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
procfs: fix missing RCU protection when reading real_parent in do_task_stat()
Summary
In the Linux kernel, the following vulnerability has been resolved:
procfs: fix missing RCU protection when reading real_parent in do_task_stat()
When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent
without proper RCU protection, which leads to:
cpu 0 cpu 1
----- -----
do_task_stat
var = task->real_parent
release_task
call_rcu(delayed_put_task_struct)
task_tgid_nr_ns(var)
rcu_read_lock <--- Too late to protect task->real_parent!
task_pid_ptr <--- UAF!
rcu_read_unlock
This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add
proper RCU protection for accessing task->real_parent.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
06fffb1267c9d986687b69d74a46ee332a50575e , < fefa0fcd78be465b7ad4c497fa6ec90d64194c04
(git)
Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < c93a33f28f915d446eea6fb3f0e1def0b3af1982 (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < 1c8dc5b5517546c68ffae40b948336122bb61306 (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < 0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < 73ec7c96601d61d52310c659145bb06d933a0fa6 (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < 4f9ae386861e280b7631ca252f798d25575627ee (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < dd8b13cb4ff1a4545a214ed897fdf2bc341155b6 (git) Affected: 06fffb1267c9d986687b69d74a46ee332a50575e , < 76149d53502cf17ef3ae454ff384551236fba867 (git) |
|
| Linux | Linux |
Affected:
2.6.26
Unaffected: 0 , < 2.6.26 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/proc/array.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fefa0fcd78be465b7ad4c497fa6ec90d64194c04",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "c93a33f28f915d446eea6fb3f0e1def0b3af1982",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "1c8dc5b5517546c68ffae40b948336122bb61306",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "73ec7c96601d61d52310c659145bb06d933a0fa6",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "4f9ae386861e280b7631ca252f798d25575627ee",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "dd8b13cb4ff1a4545a214ed897fdf2bc341155b6",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
},
{
"lessThan": "76149d53502cf17ef3ae454ff384551236fba867",
"status": "affected",
"version": "06fffb1267c9d986687b69d74a46ee332a50575e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/proc/array.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprocfs: fix missing RCU protection when reading real_parent in do_task_stat()\n\nWhen reading /proc/[pid]/stat, do_task_stat() accesses task-\u003ereal_parent\nwithout proper RCU protection, which leads to:\n\n cpu 0 cpu 1\n ----- -----\n do_task_stat\n var = task-\u003ereal_parent\n release_task\n call_rcu(delayed_put_task_struct)\n task_tgid_nr_ns(var)\n rcu_read_lock \u003c--- Too late to protect task-\u003ereal_parent!\n task_pid_ptr \u003c--- UAF!\n rcu_read_unlock\n\nThis patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add\nproper RCU protection for accessing task-\u003ereal_parent."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:56.428Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fefa0fcd78be465b7ad4c497fa6ec90d64194c04"
},
{
"url": "https://git.kernel.org/stable/c/c93a33f28f915d446eea6fb3f0e1def0b3af1982"
},
{
"url": "https://git.kernel.org/stable/c/1c8dc5b5517546c68ffae40b948336122bb61306"
},
{
"url": "https://git.kernel.org/stable/c/0e64bd46a04a4fd61279aca9f53a664e9e5f7e7e"
},
{
"url": "https://git.kernel.org/stable/c/73ec7c96601d61d52310c659145bb06d933a0fa6"
},
{
"url": "https://git.kernel.org/stable/c/4f9ae386861e280b7631ca252f798d25575627ee"
},
{
"url": "https://git.kernel.org/stable/c/dd8b13cb4ff1a4545a214ed897fdf2bc341155b6"
},
{
"url": "https://git.kernel.org/stable/c/76149d53502cf17ef3ae454ff384551236fba867"
}
],
"title": "procfs: fix missing RCU protection when reading real_parent in do_task_stat()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46259",
"datePublished": "2026-06-03T15:49:56.428Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:56.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46258 (GCVE-0-2026-46258)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
gpio: cdev: Avoid NULL dereference in linehandle_create()
Summary
In the Linux kernel, the following vulnerability has been resolved:
gpio: cdev: Avoid NULL dereference in linehandle_create()
In linehandle_create(), there is a statement like this:
retain_and_null_ptr(lh);
Soon after, there is a debug printout that dereferences "lh", which
will crash things.
Avoid the crash by using handlereq.lines, which is the same value.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
da7e394bf58f94e9783379fef7c7fb4411b03208 , < 87b9d7a4cfbed5f42af440372026270af997c766
(git)
Affected: da7e394bf58f94e9783379fef7c7fb4411b03208 , < 6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87b9d7a4cfbed5f42af440372026270af997c766",
"status": "affected",
"version": "da7e394bf58f94e9783379fef7c7fb4411b03208",
"versionType": "git"
},
{
"lessThan": "6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e",
"status": "affected",
"version": "da7e394bf58f94e9783379fef7c7fb4411b03208",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpio/gpiolib-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: cdev: Avoid NULL dereference in linehandle_create()\n\nIn linehandle_create(), there is a statement like this:\n retain_and_null_ptr(lh);\n\nSoon after, there is a debug printout that dereferences \"lh\", which\nwill crash things.\n\nAvoid the crash by using handlereq.lines, which is the same value."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:55.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87b9d7a4cfbed5f42af440372026270af997c766"
},
{
"url": "https://git.kernel.org/stable/c/6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e"
}
],
"title": "gpio: cdev: Avoid NULL dereference in linehandle_create()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46258",
"datePublished": "2026-06-03T15:49:55.372Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:55.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46257 (GCVE-0-2026-46257)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.
Summary
In the Linux kernel, the following vulnerability has been resolved:
clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.
On SP804, the delay timer shares the same clkevt instance with
sched_clock. On some platforms, when
sp804_clocksource_and_sched_clock_init is called with use_sched_clock
not set to 1, sched_clkevt is not properly initialized. However,
sp804_register_delay_timer is invoked unconditionally, and
read_current_timer() subsequently calls sp804_read on an uninitialized
sched_clkevt, leading to a kernel Oops when accessing
sched_clkevt->value.
Declare a dedicated clkevt instance exclusively for delay timer,
instead of sharing the same clkevt with sched_clock. This ensures
that read_current_timer continues to work correctly regardless of
whether SP804 is selected as the sched_clock.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
640594a04f119338019b0aeed70c7301216595b3 , < 693b0b594b0f278bafa784984129c0c0f988e352
(git)
Affected: 640594a04f119338019b0aeed70c7301216595b3 , < 694921a93f3e3621e067afc545cedf6fe3b234a9 (git) |
|
| Linux | Linux |
Affected:
6.19
Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/timer-sp804.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "693b0b594b0f278bafa784984129c0c0f988e352",
"status": "affected",
"version": "640594a04f119338019b0aeed70c7301216595b3",
"versionType": "git"
},
{
"lessThan": "694921a93f3e3621e067afc545cedf6fe3b234a9",
"status": "affected",
"version": "640594a04f119338019b0aeed70c7301216595b3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clocksource/timer-sp804.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.\n\nOn SP804, the delay timer shares the same clkevt instance with\nsched_clock. On some platforms, when\nsp804_clocksource_and_sched_clock_init is called with use_sched_clock\nnot set to 1, sched_clkevt is not properly initialized. However,\nsp804_register_delay_timer is invoked unconditionally, and\nread_current_timer() subsequently calls sp804_read on an uninitialized\nsched_clkevt, leading to a kernel Oops when accessing\nsched_clkevt-\u003evalue.\n\nDeclare a dedicated clkevt instance exclusively for delay timer,\ninstead of sharing the same clkevt with sched_clock. This ensures\nthat read_current_timer continues to work correctly regardless of\nwhether SP804 is selected as the sched_clock."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:54.286Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/693b0b594b0f278bafa784984129c0c0f988e352"
},
{
"url": "https://git.kernel.org/stable/c/694921a93f3e3621e067afc545cedf6fe3b234a9"
}
],
"title": "clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46257",
"datePublished": "2026-06-03T15:49:54.286Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:54.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46256 (GCVE-0-2026-46256)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages
LOCALIO is an NFS loopback mount optimization that avoids using the
network for READ, WRITE and COMMIT if the NFS client and server are
determined to be on the same system. But because LOCALIO is still
fundamentally "just NFS loopback mount" it is susceptible to recursion
deadlock via direct reclaim, e.g.: NFS LOCALIO down to XFS and then
back into NFS via nfs_writepages.
Fix LOCALIO's potential for direct reclaim deadlock by ensuring that
all its page cache allocations are done from GFP_NOFS context.
Thanks to Ben Coddington for pointing out commit ad22c7a043c2 ("xfs:
prevent stack overflows from page cache allocation").
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
70ba381e1a431245c137ed597ec6a05991c79bd9 , < ae26a4cf2baf0a44c538dc093504d1994b02dade
(git)
Affected: 70ba381e1a431245c137ed597ec6a05991c79bd9 , < 6a5de0c4fc0f217eea945d3d72c34ee30d72cbc9 (git) Affected: 70ba381e1a431245c137ed597ec6a05991c79bd9 , < 67435d2d8a33a75f9647724952cb1b18279d2e95 (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/localio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae26a4cf2baf0a44c538dc093504d1994b02dade",
"status": "affected",
"version": "70ba381e1a431245c137ed597ec6a05991c79bd9",
"versionType": "git"
},
{
"lessThan": "6a5de0c4fc0f217eea945d3d72c34ee30d72cbc9",
"status": "affected",
"version": "70ba381e1a431245c137ed597ec6a05991c79bd9",
"versionType": "git"
},
{
"lessThan": "67435d2d8a33a75f9647724952cb1b18279d2e95",
"status": "affected",
"version": "70ba381e1a431245c137ed597ec6a05991c79bd9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/localio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages\n\nLOCALIO is an NFS loopback mount optimization that avoids using the\nnetwork for READ, WRITE and COMMIT if the NFS client and server are\ndetermined to be on the same system. But because LOCALIO is still\nfundamentally \"just NFS loopback mount\" it is susceptible to recursion\ndeadlock via direct reclaim, e.g.: NFS LOCALIO down to XFS and then\nback into NFS via nfs_writepages.\n\nFix LOCALIO\u0027s potential for direct reclaim deadlock by ensuring that\nall its page cache allocations are done from GFP_NOFS context.\n\nThanks to Ben Coddington for pointing out commit ad22c7a043c2 (\"xfs:\nprevent stack overflows from page cache allocation\")."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:53.168Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae26a4cf2baf0a44c538dc093504d1994b02dade"
},
{
"url": "https://git.kernel.org/stable/c/6a5de0c4fc0f217eea945d3d72c34ee30d72cbc9"
},
{
"url": "https://git.kernel.org/stable/c/67435d2d8a33a75f9647724952cb1b18279d2e95"
}
],
"title": "NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46256",
"datePublished": "2026-06-03T15:49:53.168Z",
"dateReserved": "2026-05-13T15:03:33.108Z",
"dateUpdated": "2026-06-03T15:49:53.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46255 (GCVE-0-2026-46255)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
dmaengine: fsl-edma: don't explicitly disable clocks in .remove()
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: fsl-edma: don't explicitly disable clocks in .remove()
The clocks in fsl_edma_engine::muxclk are allocated and enabled with
devm_clk_get_enabled(), which automatically cleans these resources up,
but these clocks are also manually disabled in fsl_edma_remove(). This
causes warnings on driver removal for each clock:
edma_module already disabled
WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1200 clk_core_disable+0x198/0x1c8
[...]
Call trace:
clk_core_disable+0x198/0x1c8 (P)
clk_disable+0x34/0x58
fsl_edma_remove+0x74/0xe8 [fsl_edma]
[...]
---[ end trace 0000000000000000 ]---
edma_module already unprepared
WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1059 clk_core_unprepare+0x1f8/0x220
[...]
Call trace:
clk_core_unprepare+0x1f8/0x220 (P)
clk_unprepare+0x34/0x58
fsl_edma_remove+0x7c/0xe8 [fsl_edma]
[...]
---[ end trace 0000000000000000 ]---
Fix these warnings by removing the unnecessary fsl_disable_clocks() call
in fsl_edma_remove().
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a9903de3aa16731846bf924342eca44bdabe9be6 , < 533d495f15e4c88ad5246c7f90ae026702e28d75
(git)
Affected: a9903de3aa16731846bf924342eca44bdabe9be6 , < 68feac21bd4de7ae4faba05704c404861d991fcf (git) Affected: a9903de3aa16731846bf924342eca44bdabe9be6 , < bda244871179543dd3be7d093236cb33b2fb1765 (git) Affected: a9903de3aa16731846bf924342eca44bdabe9be6 , < b84dba68c4823da452cec99a5d213571a65d06de (git) Affected: a9903de3aa16731846bf924342eca44bdabe9be6 , < 666c53e94c1d0bf0bdf14c49505ece9ddbe725bc (git) |
|
| Linux | Linux |
Affected:
6.6
Unaffected: 0 , < 6.6 (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/fsl-edma-main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "533d495f15e4c88ad5246c7f90ae026702e28d75",
"status": "affected",
"version": "a9903de3aa16731846bf924342eca44bdabe9be6",
"versionType": "git"
},
{
"lessThan": "68feac21bd4de7ae4faba05704c404861d991fcf",
"status": "affected",
"version": "a9903de3aa16731846bf924342eca44bdabe9be6",
"versionType": "git"
},
{
"lessThan": "bda244871179543dd3be7d093236cb33b2fb1765",
"status": "affected",
"version": "a9903de3aa16731846bf924342eca44bdabe9be6",
"versionType": "git"
},
{
"lessThan": "b84dba68c4823da452cec99a5d213571a65d06de",
"status": "affected",
"version": "a9903de3aa16731846bf924342eca44bdabe9be6",
"versionType": "git"
},
{
"lessThan": "666c53e94c1d0bf0bdf14c49505ece9ddbe725bc",
"status": "affected",
"version": "a9903de3aa16731846bf924342eca44bdabe9be6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/fsl-edma-main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.6"
},
{
"lessThan": "6.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-edma: don\u0027t explicitly disable clocks in .remove()\n\nThe clocks in fsl_edma_engine::muxclk are allocated and enabled with\ndevm_clk_get_enabled(), which automatically cleans these resources up,\nbut these clocks are also manually disabled in fsl_edma_remove(). This\ncauses warnings on driver removal for each clock:\n\n edma_module already disabled\n WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1200 clk_core_disable+0x198/0x1c8\n [...]\n Call trace:\n clk_core_disable+0x198/0x1c8 (P)\n clk_disable+0x34/0x58\n fsl_edma_remove+0x74/0xe8 [fsl_edma]\n [...]\n ---[ end trace 0000000000000000 ]---\n edma_module already unprepared\n WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1059 clk_core_unprepare+0x1f8/0x220\n [...]\n Call trace:\n clk_core_unprepare+0x1f8/0x220 (P)\n clk_unprepare+0x34/0x58\n fsl_edma_remove+0x7c/0xe8 [fsl_edma]\n [...]\n ---[ end trace 0000000000000000 ]---\n\nFix these warnings by removing the unnecessary fsl_disable_clocks() call\nin fsl_edma_remove()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:52.091Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/533d495f15e4c88ad5246c7f90ae026702e28d75"
},
{
"url": "https://git.kernel.org/stable/c/68feac21bd4de7ae4faba05704c404861d991fcf"
},
{
"url": "https://git.kernel.org/stable/c/bda244871179543dd3be7d093236cb33b2fb1765"
},
{
"url": "https://git.kernel.org/stable/c/b84dba68c4823da452cec99a5d213571a65d06de"
},
{
"url": "https://git.kernel.org/stable/c/666c53e94c1d0bf0bdf14c49505ece9ddbe725bc"
}
],
"title": "dmaengine: fsl-edma: don\u0027t explicitly disable clocks in .remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46255",
"datePublished": "2026-06-03T15:49:52.091Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:52.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46254 (GCVE-0-2026-46254)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
AppArmor: Allow apparmor to handle unaligned dfa tables
Summary
In the Linux kernel, the following vulnerability has been resolved:
AppArmor: Allow apparmor to handle unaligned dfa tables
The dfa tables can originate from kernel or userspace and 8-byte alignment
isn't always guaranteed and as such may trigger unaligned memory accesses
on various architectures. Resulting in the following
[ 73.901376] WARNING: CPU: 0 PID: 341 at security/apparmor/match.c:316 aa_dfa_unpack+0x6cc/0x720
[ 74.015867] Modules linked in: binfmt_misc evdev flash sg drm drm_panel_orientation_quirks backlight i2c_core configfs nfnetlink autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid sr_mod hid cdrom
sd_mod ata_generic ohci_pci ehci_pci ehci_hcd ohci_hcd pata_ali libata sym53c8xx scsi_transport_spi tg3 scsi_mod usbcore libphy scsi_common mdio_bus usb_common
[ 74.428977] CPU: 0 UID: 0 PID: 341 Comm: apparmor_parser Not tainted 6.18.0-rc6+ #9 NONE
[ 74.536543] Call Trace:
[ 74.568561] [<0000000000434c24>] dump_stack+0x8/0x18
[ 74.633757] [<0000000000476438>] __warn+0xd8/0x100
[ 74.696664] [<00000000004296d4>] warn_slowpath_fmt+0x34/0x74
[ 74.771006] [<00000000008db28c>] aa_dfa_unpack+0x6cc/0x720
[ 74.843062] [<00000000008e643c>] unpack_pdb+0xbc/0x7e0
[ 74.910545] [<00000000008e7740>] unpack_profile+0xbe0/0x1300
[ 74.984888] [<00000000008e82e0>] aa_unpack+0xe0/0x6a0
[ 75.051226] [<00000000008e3ec4>] aa_replace_profiles+0x64/0x1160
[ 75.130144] [<00000000008d4d90>] policy_update+0xf0/0x280
[ 75.201057] [<00000000008d4fc8>] profile_replace+0xa8/0x100
[ 75.274258] [<0000000000766bd0>] vfs_write+0x90/0x420
[ 75.340594] [<00000000007670cc>] ksys_write+0x4c/0xe0
[ 75.406932] [<0000000000767174>] sys_write+0x14/0x40
[ 75.472126] [<0000000000406174>] linux_sparc_syscall+0x34/0x44
[ 75.548802] ---[ end trace 0000000000000000 ]---
[ 75.609503] dfa blob stream 0xfff0000008926b96 not aligned.
[ 75.682695] Kernel unaligned access at TPC[8db2a8] aa_dfa_unpack+0x6e8/0x720
Work around it by using the get_unaligned_xx() helpers.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e6e8bf418850d7958311a96ccfb594f2bcc8313e , < ec737e7fdf2f0ba7b203d4ec72cc915978b10e7e
(git)
Affected: e6e8bf418850d7958311a96ccfb594f2bcc8313e , < 23f112bd6144e815153462e12d313ac3e7027168 (git) Affected: e6e8bf418850d7958311a96ccfb594f2bcc8313e , < cded636008bde2b397a7cf63b8299d7c303aaf6a (git) Affected: e6e8bf418850d7958311a96ccfb594f2bcc8313e , < 64802f731214a51dfe3c6c27636b3ddafd003eb0 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ec737e7fdf2f0ba7b203d4ec72cc915978b10e7e",
"status": "affected",
"version": "e6e8bf418850d7958311a96ccfb594f2bcc8313e",
"versionType": "git"
},
{
"lessThan": "23f112bd6144e815153462e12d313ac3e7027168",
"status": "affected",
"version": "e6e8bf418850d7958311a96ccfb594f2bcc8313e",
"versionType": "git"
},
{
"lessThan": "cded636008bde2b397a7cf63b8299d7c303aaf6a",
"status": "affected",
"version": "e6e8bf418850d7958311a96ccfb594f2bcc8313e",
"versionType": "git"
},
{
"lessThan": "64802f731214a51dfe3c6c27636b3ddafd003eb0",
"status": "affected",
"version": "e6e8bf418850d7958311a96ccfb594f2bcc8313e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nAppArmor: Allow apparmor to handle unaligned dfa tables\n\nThe dfa tables can originate from kernel or userspace and 8-byte alignment\nisn\u0027t always guaranteed and as such may trigger unaligned memory accesses\non various architectures. Resulting in the following\n\n[\u00a0\u00a0 73.901376] WARNING: CPU: 0 PID: 341 at security/apparmor/match.c:316 aa_dfa_unpack+0x6cc/0x720\n[\u00a0\u00a0 74.015867] Modules linked in: binfmt_misc evdev flash sg drm drm_panel_orientation_quirks backlight i2c_core configfs nfnetlink autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid sr_mod hid cdrom\nsd_mod ata_generic ohci_pci ehci_pci ehci_hcd ohci_hcd pata_ali libata sym53c8xx scsi_transport_spi tg3 scsi_mod usbcore libphy scsi_common mdio_bus usb_common\n[\u00a0\u00a0 74.428977] CPU: 0 UID: 0 PID: 341 Comm: apparmor_parser Not tainted 6.18.0-rc6+ #9 NONE\n[\u00a0\u00a0 74.536543] Call Trace:\n[\u00a0\u00a0 74.568561] [\u003c0000000000434c24\u003e] dump_stack+0x8/0x18\n[\u00a0\u00a0 74.633757] [\u003c0000000000476438\u003e] __warn+0xd8/0x100\n[\u00a0\u00a0 74.696664] [\u003c00000000004296d4\u003e] warn_slowpath_fmt+0x34/0x74\n[\u00a0\u00a0 74.771006] [\u003c00000000008db28c\u003e] aa_dfa_unpack+0x6cc/0x720\n[\u00a0\u00a0 74.843062] [\u003c00000000008e643c\u003e] unpack_pdb+0xbc/0x7e0\n[\u00a0\u00a0 74.910545] [\u003c00000000008e7740\u003e] unpack_profile+0xbe0/0x1300\n[\u00a0\u00a0 74.984888] [\u003c00000000008e82e0\u003e] aa_unpack+0xe0/0x6a0\n[\u00a0\u00a0 75.051226] [\u003c00000000008e3ec4\u003e] aa_replace_profiles+0x64/0x1160\n[\u00a0\u00a0 75.130144] [\u003c00000000008d4d90\u003e] policy_update+0xf0/0x280\n[\u00a0\u00a0 75.201057] [\u003c00000000008d4fc8\u003e] profile_replace+0xa8/0x100\n[\u00a0\u00a0 75.274258] [\u003c0000000000766bd0\u003e] vfs_write+0x90/0x420\n[\u00a0\u00a0 75.340594] [\u003c00000000007670cc\u003e] ksys_write+0x4c/0xe0\n[\u00a0\u00a0 75.406932] [\u003c0000000000767174\u003e] sys_write+0x14/0x40\n[\u00a0\u00a0 75.472126] [\u003c0000000000406174\u003e] linux_sparc_syscall+0x34/0x44\n[\u00a0\u00a0 75.548802] ---[ end trace 0000000000000000 ]---\n[\u00a0\u00a0 75.609503] dfa blob stream 0xfff0000008926b96 not aligned.\n[\u00a0\u00a0 75.682695] Kernel unaligned access at TPC[8db2a8] aa_dfa_unpack+0x6e8/0x720\n\nWork around it by using the get_unaligned_xx() helpers."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:50.994Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ec737e7fdf2f0ba7b203d4ec72cc915978b10e7e"
},
{
"url": "https://git.kernel.org/stable/c/23f112bd6144e815153462e12d313ac3e7027168"
},
{
"url": "https://git.kernel.org/stable/c/cded636008bde2b397a7cf63b8299d7c303aaf6a"
},
{
"url": "https://git.kernel.org/stable/c/64802f731214a51dfe3c6c27636b3ddafd003eb0"
}
],
"title": "AppArmor: Allow apparmor to handle unaligned dfa tables",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46254",
"datePublished": "2026-06-03T15:49:50.994Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:50.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46253 (GCVE-0-2026-46253)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
pstore/ram: fix buffer overflow in persistent_ram_save_old()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: fix buffer overflow in persistent_ram_save_old()
persistent_ram_save_old() can be called multiple times for the same
persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz
for PSTORE_TYPE_DMESG records).
Currently, the function only allocates prz->old_log when it is NULL,
but it unconditionally updates prz->old_log_size to the current buffer
size and then performs memcpy_fromio() using this new size. If the
buffer size has grown since the first allocation (which can happen
across different kernel boot cycles), this leads to:
1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls
2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer
using the incorrect (larger) old_log_size
The KASAN splat would look similar to:
BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...
Read of size N at addr ... by task ...
The conditions are likely extremely hard to hit:
0. Crash with a ramoops write of less-than-record-max-size bytes.
1. Reboot: ramoops registers, pstore_get_records(0) reads old crash,
allocates old_log with size X
2. Crash handler registered, timer started (if pstore_update_ms >= 0)
3. Oops happens (non-fatal, system continues)
4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X)
5. pstore_new_entry = 1, pstore_timer_kick() called
6. System continues running (not a panic oops)
7. Timer fires after pstore_update_ms milliseconds
8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1)
9. ramoops_get_next_prz() → persistent_ram_save_old()
10. buffer_size() returns Y, but old_log is X bytes
11. Y > X: memcpy_fromio() overflows heap
Requirements:
- a prior crash record exists that did not fill the record size
(almost impossible since the crash handler writes as much as it
can possibly fit into the record, capped by max record size and
the kmsg buffer almost always exceeds the max record size)
- pstore_update_ms >= 0 (disabled by default)
- Non-fatal oops (system survives)
Free and reallocate the buffer when the new size differs from the
previously allocated size. This ensures old_log always has sufficient
space for the data being copied.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 58bda5a1d1ee98254383ef34f76b2c35140513ea
(git)
Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 06d2c8bd108cea503f6f6e13e47495ed1085275f (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 2fa9a047c6a50ec80c3890dd623b85e237f0d1fd (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < cff0ef043e16feb5a02307c8f9d0117a96c5587c (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 9a6fc69a570c0780834246d52c856cc3dbc2605f (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 4f73486ca822305c1cf5b8ebc0b53a6ab3801a81 (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 7cfe964e61c0ab667abd5f5b68e0acbf783efa4f (git) Affected: 201e4aca5aa179e6c69a4dcd36a3562e56b8d670 , < 5669645c052f235726a85f443769b6fc02f66762 (git) |
|
| Linux | Linux |
Affected:
3.5
Unaffected: 0 , < 3.5 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "58bda5a1d1ee98254383ef34f76b2c35140513ea",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "06d2c8bd108cea503f6f6e13e47495ed1085275f",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "2fa9a047c6a50ec80c3890dd623b85e237f0d1fd",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "cff0ef043e16feb5a02307c8f9d0117a96c5587c",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "9a6fc69a570c0780834246d52c856cc3dbc2605f",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "4f73486ca822305c1cf5b8ebc0b53a6ab3801a81",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "7cfe964e61c0ab667abd5f5b68e0acbf783efa4f",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
},
{
"lessThan": "5669645c052f235726a85f443769b6fc02f66762",
"status": "affected",
"version": "201e4aca5aa179e6c69a4dcd36a3562e56b8d670",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/pstore/ram_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: fix buffer overflow in persistent_ram_save_old()\n\npersistent_ram_save_old() can be called multiple times for the same\npersistent_ram_zone (e.g., via ramoops_pstore_read -\u003e ramoops_get_next_prz\nfor PSTORE_TYPE_DMESG records).\n\nCurrently, the function only allocates prz-\u003eold_log when it is NULL,\nbut it unconditionally updates prz-\u003eold_log_size to the current buffer\nsize and then performs memcpy_fromio() using this new size. If the\nbuffer size has grown since the first allocation (which can happen\nacross different kernel boot cycles), this leads to:\n\n1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls\n2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer\n using the incorrect (larger) old_log_size\n\nThe KASAN splat would look similar to:\n BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x...\n Read of size N at addr ... by task ...\n\nThe conditions are likely extremely hard to hit:\n\n 0. Crash with a ramoops write of less-than-record-max-size bytes.\n 1. Reboot: ramoops registers, pstore_get_records(0) reads old crash,\n allocates old_log with size X\n 2. Crash handler registered, timer started (if pstore_update_ms \u003e= 0)\n 3. Oops happens (non-fatal, system continues)\n 4. pstore_dump() writes oops via ramoops_pstore_write() size Y (\u003eX)\n 5. pstore_new_entry = 1, pstore_timer_kick() called\n 6. System continues running (not a panic oops)\n 7. Timer fires after pstore_update_ms milliseconds\n 8. pstore_timefunc() \u2192 schedule_work() \u2192 pstore_dowork() \u2192 pstore_get_records(1)\n 9. ramoops_get_next_prz() \u2192 persistent_ram_save_old()\n 10. buffer_size() returns Y, but old_log is X bytes\n 11. Y \u003e X: memcpy_fromio() overflows heap\n\n Requirements:\n - a prior crash record exists that did not fill the record size\n (almost impossible since the crash handler writes as much as it\n can possibly fit into the record, capped by max record size and\n the kmsg buffer almost always exceeds the max record size)\n - pstore_update_ms \u003e= 0 (disabled by default)\n - Non-fatal oops (system survives)\n\nFree and reallocate the buffer when the new size differs from the\npreviously allocated size. This ensures old_log always has sufficient\nspace for the data being copied."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:49.864Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/58bda5a1d1ee98254383ef34f76b2c35140513ea"
},
{
"url": "https://git.kernel.org/stable/c/06d2c8bd108cea503f6f6e13e47495ed1085275f"
},
{
"url": "https://git.kernel.org/stable/c/2fa9a047c6a50ec80c3890dd623b85e237f0d1fd"
},
{
"url": "https://git.kernel.org/stable/c/cff0ef043e16feb5a02307c8f9d0117a96c5587c"
},
{
"url": "https://git.kernel.org/stable/c/9a6fc69a570c0780834246d52c856cc3dbc2605f"
},
{
"url": "https://git.kernel.org/stable/c/4f73486ca822305c1cf5b8ebc0b53a6ab3801a81"
},
{
"url": "https://git.kernel.org/stable/c/7cfe964e61c0ab667abd5f5b68e0acbf783efa4f"
},
{
"url": "https://git.kernel.org/stable/c/5669645c052f235726a85f443769b6fc02f66762"
}
],
"title": "pstore/ram: fix buffer overflow in persistent_ram_save_old()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46253",
"datePublished": "2026-06-03T15:49:49.864Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:49.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46252 (GCVE-0-2026-46252)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
regulator: core: fix locking in regulator_resolve_supply() error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
regulator: core: fix locking in regulator_resolve_supply() error path
If late enabling of a supply regulator fails in
regulator_resolve_supply(), the code currently triggers a lockdep
warning:
WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596
...
Call trace:
_regulator_put+0x80/0xa0 (P)
regulator_resolve_supply+0x7cc/0xbe0
regulator_register_resolve_supply+0x28/0xb8
as the regulator_list_mutex must be held when calling _regulator_put().
To solve this, simply switch to using regulator_put().
While at it, we should also make sure that no concurrent access happens
to our rdev while we clear out the supply pointer. Add appropriate
locking to ensure that.
While the code in question will be removed altogether in a follow-up
commit, I believe it is still beneficial to have this corrected before
removal for future reference.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
36a1f1b6ddc6d1442424e29548e790633ca39c7b , < c66e0db0f37290b53c57994f998bb55590364fd0
(git)
Affected: 36a1f1b6ddc6d1442424e29548e790633ca39c7b , < 497330b203d2c59c5ff3fa4c34d14494d7203bc3 (git) |
|
| Linux | Linux |
Affected:
4.2
Unaffected: 0 , < 4.2 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c66e0db0f37290b53c57994f998bb55590364fd0",
"status": "affected",
"version": "36a1f1b6ddc6d1442424e29548e790633ca39c7b",
"versionType": "git"
},
{
"lessThan": "497330b203d2c59c5ff3fa4c34d14494d7203bc3",
"status": "affected",
"version": "36a1f1b6ddc6d1442424e29548e790633ca39c7b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/regulator/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.2"
},
{
"lessThan": "4.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: fix locking in regulator_resolve_supply() error path\n\nIf late enabling of a supply regulator fails in\nregulator_resolve_supply(), the code currently triggers a lockdep\nwarning:\n\n WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596\n ...\n Call trace:\n _regulator_put+0x80/0xa0 (P)\n regulator_resolve_supply+0x7cc/0xbe0\n regulator_register_resolve_supply+0x28/0xb8\n\nas the regulator_list_mutex must be held when calling _regulator_put().\n\nTo solve this, simply switch to using regulator_put().\n\nWhile at it, we should also make sure that no concurrent access happens\nto our rdev while we clear out the supply pointer. Add appropriate\nlocking to ensure that.\n\nWhile the code in question will be removed altogether in a follow-up\ncommit, I believe it is still beneficial to have this corrected before\nremoval for future reference."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:48.784Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c66e0db0f37290b53c57994f998bb55590364fd0"
},
{
"url": "https://git.kernel.org/stable/c/497330b203d2c59c5ff3fa4c34d14494d7203bc3"
}
],
"title": "regulator: core: fix locking in regulator_resolve_supply() error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46252",
"datePublished": "2026-06-03T15:49:48.784Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:48.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46251 (GCVE-0-2026-46251)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
btrfs: fix block_group_tree dirty_list corruption
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix block_group_tree dirty_list corruption
When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the
block group tree to the switch_commits list before calling
switch_commit_roots, as we do for the tree root and the chunk root.
However, the block group tree uses normal root dirty tracking and in any
transaction that does an allocation and dirties a block group, the block
group root will already be linked to a list by the dirty_list field and
this use of list_add_tail() is invalid and corrupts the prev/next
members of block_group_root->dirty_list.
This is apparent on a subsequent list_del on the prev if we enable
CONFIG_DEBUG_LIST:
[32.1571] ------------[ cut here ]------------
[32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)
[32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607
[32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none)
[32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014
[32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120
[32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202
[32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538
[32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00
[32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff
[32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538
[32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538
[32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000
[32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0
[32.1609] Call Trace:
[32.1610] <TASK>
[32.1611] switch_commit_roots+0x82/0x1d0 [btrfs]
[32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs]
[32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs]
[32.1621] __iterate_supers+0xe8/0x190
[32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10
[32.1623] ksys_sync+0x63/0xb0
[32.1624] __do_sys_sync+0xe/0x20
[32.1625] do_syscall_64+0x73/0x450
[32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[32.1627] RIP: 0033:0x7f0c28d05d2b
[32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2
[32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b
[32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d
[32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000
[32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80
[32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034
[32.1643] </TASK>
[32.1644] irq event stamp: 0
[32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260
[32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260
[32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0
[32.1652] ---[ end trace 0000000000000000 ]---
Furthermore, this list corruption eventually (when we happen to add a
new block group) results in getting the switch_commits and
dirty_cowonly_roots lists mixed up and attempting to call update_root
on the tree root which can't be found in the tree root, resulting in a
transaction abort:
[87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1
[87.8272] ------------[ cut here ]------------
[87.8274] BTRFS: Transaction aborted (error -117)
[87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703
[87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none)
[87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0
---truncated---
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
14033b08a02916e85ffc5397e4ac15337359f3ae , < 6e10283b5519d987d880d71bec90cdc7f2ec62b3
(git)
Affected: 14033b08a02916e85ffc5397e4ac15337359f3ae , < e3d1fd084319f8f0830b22f014c7af6a96b4497b (git) Affected: 14033b08a02916e85ffc5397e4ac15337359f3ae , < 4eb830847d84276f1c8ea46541cfeeedaba1fb63 (git) Affected: 14033b08a02916e85ffc5397e4ac15337359f3ae , < 80e1fda9c084dcf54819a12bc7682ec0afd2d8f4 (git) Affected: 14033b08a02916e85ffc5397e4ac15337359f3ae , < 201091da34c4f113af6b4a7407091c39bf29d4ca (git) Affected: 14033b08a02916e85ffc5397e4ac15337359f3ae , < 3a1f4264daed4b419c325a7fe35e756cada3cf82 (git) Affected: dabf41db56f378a360ff0219c467f8dfecda7dd6 (git) Affected: 6.0.19 , < 6.1 (semver) |
|
| Linux | Linux |
Affected:
6.1
Unaffected: 0 , < 6.1 (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e10283b5519d987d880d71bec90cdc7f2ec62b3",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"lessThan": "e3d1fd084319f8f0830b22f014c7af6a96b4497b",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"lessThan": "4eb830847d84276f1c8ea46541cfeeedaba1fb63",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"lessThan": "80e1fda9c084dcf54819a12bc7682ec0afd2d8f4",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"lessThan": "201091da34c4f113af6b4a7407091c39bf29d4ca",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"lessThan": "3a1f4264daed4b419c325a7fe35e756cada3cf82",
"status": "affected",
"version": "14033b08a02916e85ffc5397e4ac15337359f3ae",
"versionType": "git"
},
{
"status": "affected",
"version": "dabf41db56f378a360ff0219c467f8dfecda7dd6",
"versionType": "git"
},
{
"lessThan": "6.1",
"status": "affected",
"version": "6.0.19",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block_group_tree dirty_list corruption\n\nWhen the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the\nblock group tree to the switch_commits list before calling\nswitch_commit_roots, as we do for the tree root and the chunk root.\nHowever, the block group tree uses normal root dirty tracking and in any\ntransaction that does an allocation and dirties a block group, the block\ngroup root will already be linked to a list by the dirty_list field and\nthis use of list_add_tail() is invalid and corrupts the prev/next\nmembers of block_group_root-\u003edirty_list.\n\nThis is apparent on a subsequent list_del on the prev if we enable\nCONFIG_DEBUG_LIST:\n\n [32.1571] ------------[ cut here ]------------\n [32.1572] list_del corruption. next-\u003eprev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)\n [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607\n [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none)\n [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014\n [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120\n [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202\n [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538\n [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00\n [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff\n [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538\n [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538\n [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000\n [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0\n [32.1609] Call Trace:\n [32.1610] \u003cTASK\u003e\n [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs]\n [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs]\n [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs]\n [32.1621] __iterate_supers+0xe8/0x190\n [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10\n [32.1623] ksys_sync+0x63/0xb0\n [32.1624] __do_sys_sync+0xe/0x20\n [32.1625] do_syscall_64+0x73/0x450\n [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [32.1627] RIP: 0033:0x7f0c28d05d2b\n [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2\n [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b\n [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d\n [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000\n [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80\n [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034\n [32.1643] \u003c/TASK\u003e\n [32.1644] irq event stamp: 0\n [32.1644] hardirqs last enabled at (0): [\u003c0000000000000000\u003e] 0x0\n [32.1646] hardirqs last disabled at (0): [\u003cffffffff81298817\u003e]copy_process+0xb37/0x2260\n [32.1648] softirqs last enabled at (0): [\u003cffffffff81298817\u003e]copy_process+0xb37/0x2260\n [32.1650] softirqs last disabled at (0): [\u003c0000000000000000\u003e] 0x0\n [32.1652] ---[ end trace 0000000000000000 ]---\n\nFurthermore, this list corruption eventually (when we happen to add a\nnew block group) results in getting the switch_commits and\ndirty_cowonly_roots lists mixed up and attempting to call update_root\non the tree root which can\u0027t be found in the tree root, resulting in a\ntransaction abort:\n\n [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1\n [87.8272] ------------[ cut here ]------------\n [87.8274] BTRFS: Transaction aborted (error -117)\n [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703\n [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none)\n [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:47.684Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3"
},
{
"url": "https://git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497b"
},
{
"url": "https://git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63"
},
{
"url": "https://git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4"
},
{
"url": "https://git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4ca"
},
{
"url": "https://git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82"
}
],
"title": "btrfs: fix block_group_tree dirty_list corruption",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46251",
"datePublished": "2026-06-03T15:49:47.684Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:47.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46250 (GCVE-0-2026-46250)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
MIPS: Work around LLVM bug when gp is used as global register variable
Summary
In the Linux kernel, the following vulnerability has been resolved:
MIPS: Work around LLVM bug when gp is used as global register variable
On MIPS, __current_thread_info is defined as global register variable
locating in $gp, and is simply assigned with new address during kernel
relocation.
This however is broken with LLVM, which always restores $gp if it finds
$gp is clobbered in any form, including when intentionally through a
global register variable. This is against GCC's documentation[1], which
requires a callee-saved register used as global register variable not to
be restored if it's clobbered.
As a result, $gp will continue to point to the unrelocated kernel after
the epilog of relocate_kernel(), leading to an early crash in init_idle,
[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90
[ 0.000000] Oops[#1]:
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY
[ 0.000000] Tainted: [W]=WARN
[ 0.000000] Hardware name: loongson,loongson64v-4core-virtio
[ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000
[ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240
[ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001
[ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002
[ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80
[ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80
[ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90
[ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90
[ 0.000000] Hi : 0000000000000000
[ 0.000000] Lo : 0000000000000000
[ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270
[ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270
[ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL
[ 0.000000] Cause : 00000008 (ExcCode 02)
[ 0.000000] BadVA : 0000000000000000
[ 0.000000] PrId : 00006305 (ICT Loongson-3)
[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
[ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528
[ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000
[ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258
[ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98
[ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002
[ 0.000000] ...
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270
[ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0
[ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8
This bug has been reported to LLVM[2] and affects version from (at
least) 18 to 21. Let's work around this by using inline assembly to
assign $gp before a fix is widely available.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05bff9b0ae095b2420cfebb4a96759a09334bec6
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1fe3b402b1e97a1718df3be0a1d3eee20133e735 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4dc65b40fb80c2020efbf139b9a38d30f9a37b92 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c0155dee51b9f5f48aaf5c71cae005eb0e36521f (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e3a6498a63394218561065a9a7a597a204f52f6a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 561834f6d6f52b8a1791331e94b2aac753491d2a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9bc3b0ae5203aba650297fdf3e1e774125e423f2 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 30bfc2d6a1132a89a5f1c3b96c59cf3e4d076ea3 (git) Affected: 0 , < 5.10.252 (semver) Affected: 0 , < 5.15.202 (semver) Affected: 0 , < 6.1.165 (semver) Affected: 0 , < 6.6.128 (semver) Affected: 0 , < 6.12.75 (semver) Affected: 0 , < 6.18.14 (semver) Affected: 0 , < 6.19.4 (semver) |
|
| Linux | Linux |
Unaffected:
5.10.252 , ≤ 5.10.*
(semver)
Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/relocate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05bff9b0ae095b2420cfebb4a96759a09334bec6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1fe3b402b1e97a1718df3be0a1d3eee20133e735",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4dc65b40fb80c2020efbf139b9a38d30f9a37b92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c0155dee51b9f5f48aaf5c71cae005eb0e36521f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e3a6498a63394218561065a9a7a597a204f52f6a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "561834f6d6f52b8a1791331e94b2aac753491d2a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9bc3b0ae5203aba650297fdf3e1e774125e423f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30bfc2d6a1132a89a5f1c3b96c59cf3e4d076ea3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5.10.252",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "5.15.202",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.1.165",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.6.128",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.18.14",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "6.19.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/mips/kernel/relocate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nMIPS: Work around LLVM bug when gp is used as global register variable\n\nOn MIPS, __current_thread_info is defined as global register variable\nlocating in $gp, and is simply assigned with new address during kernel\nrelocation.\n\nThis however is broken with LLVM, which always restores $gp if it finds\n$gp is clobbered in any form, including when intentionally through a\nglobal register variable. This is against GCC\u0027s documentation[1], which\nrequires a callee-saved register used as global register variable not to\nbe restored if it\u0027s clobbered.\n\nAs a result, $gp will continue to point to the unrelocated kernel after\nthe epilog of relocate_kernel(), leading to an early crash in init_idle,\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY\n[ 0.000000] Tainted: [W]=WARN\n[ 0.000000] Hardware name: loongson,loongson64v-4core-virtio\n[ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000\n[ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240\n[ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001\n[ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002\n[ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80\n[ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80\n[ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90\n[ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90\n[ 0.000000] Hi : 0000000000000000\n[ 0.000000] Lo : 0000000000000000\n[ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270\n[ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270\n[ 0.000000] Status: 540000e2\tKX SX UX KERNEL EXL\n[ 0.000000] Cause : 00000008 (ExcCode 02)\n[ 0.000000] BadVA : 0000000000000000\n[ 0.000000] PrId : 00006305 (ICT Loongson-3)\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)\n[ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528\n[ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000\n[ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258\n[ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98\n[ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [\u003cffffffff81afada8\u003e] init_idle+0x130/0x270\n[ 0.000000] [\u003cffffffff81afb6c0\u003e] sched_init+0x5c8/0x6c0\n[ 0.000000] [\u003cffffffff81ae86dc\u003e] start_kernel+0x27c/0x7a8\n\nThis bug has been reported to LLVM[2] and affects version from (at\nleast) 18 to 21. Let\u0027s work around this by using inline assembly to\nassign $gp before a fix is widely available."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:46.390Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05bff9b0ae095b2420cfebb4a96759a09334bec6"
},
{
"url": "https://git.kernel.org/stable/c/1fe3b402b1e97a1718df3be0a1d3eee20133e735"
},
{
"url": "https://git.kernel.org/stable/c/4dc65b40fb80c2020efbf139b9a38d30f9a37b92"
},
{
"url": "https://git.kernel.org/stable/c/c0155dee51b9f5f48aaf5c71cae005eb0e36521f"
},
{
"url": "https://git.kernel.org/stable/c/e3a6498a63394218561065a9a7a597a204f52f6a"
},
{
"url": "https://git.kernel.org/stable/c/561834f6d6f52b8a1791331e94b2aac753491d2a"
},
{
"url": "https://git.kernel.org/stable/c/9bc3b0ae5203aba650297fdf3e1e774125e423f2"
},
{
"url": "https://git.kernel.org/stable/c/30bfc2d6a1132a89a5f1c3b96c59cf3e4d076ea3"
}
],
"title": "MIPS: Work around LLVM bug when gp is used as global register variable",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46250",
"datePublished": "2026-06-03T15:49:46.390Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:46.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46249 (GCVE-0-2026-46249)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
octeontx2-af: Fix PF driver crash with kexec kernel booting
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: Fix PF driver crash with kexec kernel booting
During a kexec reboot the hardware is not power-cycled, so AF state from
the old kernel can persist into the new kernel. When AF and PF drivers
are built as modules, the PF driver may probe before AF reinitializes
the hardware.
The PF driver treats the RVUM block revision as an indication that AF
initialization is complete. If this value is left uncleared at shutdown,
PF may incorrectly assume AF is ready and access stale hardware state,
leading to a crash.
Clear the RVUM block revision during AF shutdown to avoid PF
mis-detecting AF readiness after kexec.
Severity
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
54494aa5d1e68945dc79feb7c8461cd382e11d8a , < b7605b9301abc18fbbf2b0e23fdd281fc768955d
(git)
Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 9769a09afda20a006b528b9e723effcae45965b2 (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 57821d1436ba1c6a6973aa32d54166fdec35558c (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 8b5ed7c5417b7013d35b6f2507dab739013ba1a9 (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 7d56ba306e93d04696718963fb4cda2883ee7585 (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 9c3398e5b3a914b74276d44ab54c49123b89c61a (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 1370736836a18b5e0cd74bcc9cffe11d21f1fe79 (git) Affected: 54494aa5d1e68945dc79feb7c8461cd382e11d8a , < 2d2d574309e3ae84ee794869a5da8b4c38753a94 (git) |
|
| Linux | Linux |
Affected:
4.20
Unaffected: 0 , < 4.20 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/rvu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7605b9301abc18fbbf2b0e23fdd281fc768955d",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "9769a09afda20a006b528b9e723effcae45965b2",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "57821d1436ba1c6a6973aa32d54166fdec35558c",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "8b5ed7c5417b7013d35b6f2507dab739013ba1a9",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "7d56ba306e93d04696718963fb4cda2883ee7585",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "9c3398e5b3a914b74276d44ab54c49123b89c61a",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "1370736836a18b5e0cd74bcc9cffe11d21f1fe79",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
},
{
"lessThan": "2d2d574309e3ae84ee794869a5da8b4c38753a94",
"status": "affected",
"version": "54494aa5d1e68945dc79feb7c8461cd382e11d8a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/af/rvu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Fix PF driver crash with kexec kernel booting\n\nDuring a kexec reboot the hardware is not power-cycled, so AF state from\nthe old kernel can persist into the new kernel. When AF and PF drivers\nare built as modules, the PF driver may probe before AF reinitializes\nthe hardware.\n\nThe PF driver treats the RVUM block revision as an indication that AF\ninitialization is complete. If this value is left uncleared at shutdown,\nPF may incorrectly assume AF is ready and access stale hardware state,\nleading to a crash.\n\nClear the RVUM block revision during AF shutdown to avoid PF\nmis-detecting AF readiness after kexec."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:45.252Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7605b9301abc18fbbf2b0e23fdd281fc768955d"
},
{
"url": "https://git.kernel.org/stable/c/9769a09afda20a006b528b9e723effcae45965b2"
},
{
"url": "https://git.kernel.org/stable/c/57821d1436ba1c6a6973aa32d54166fdec35558c"
},
{
"url": "https://git.kernel.org/stable/c/8b5ed7c5417b7013d35b6f2507dab739013ba1a9"
},
{
"url": "https://git.kernel.org/stable/c/7d56ba306e93d04696718963fb4cda2883ee7585"
},
{
"url": "https://git.kernel.org/stable/c/9c3398e5b3a914b74276d44ab54c49123b89c61a"
},
{
"url": "https://git.kernel.org/stable/c/1370736836a18b5e0cd74bcc9cffe11d21f1fe79"
},
{
"url": "https://git.kernel.org/stable/c/2d2d574309e3ae84ee794869a5da8b4c38753a94"
}
],
"title": "octeontx2-af: Fix PF driver crash with kexec kernel booting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46249",
"datePublished": "2026-06-03T15:49:45.252Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:45.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46248 (GCVE-0-2026-46248)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
wifi: ath12k: clear stale link mapping of ahvif->links_map
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: clear stale link mapping of ahvif->links_map
When an arvif is initialized in non-AP STA mode but MLO connection
preparation fails before the arvif is created
(arvif->is_created remains false), the error path attempts to delete all
links. However, link deletion only executes when arvif->is_created is true.
As a result, ahvif retains a stale entry of arvif that is initialized but
not created.
When a new arvif is initialized with the same link id, this stale mapping
triggers the following WARN_ON.
WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275
Call trace:
ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P)
drv_change_vif_links+0xbc/0x1a4 [mac80211]
ieee80211_vif_update_links+0x54c/0x6a0 [mac80211]
ieee80211_vif_set_links+0x40/0x70 [mac80211]
ieee80211_prep_connection+0x84/0x450 [mac80211]
ieee80211_mgd_auth+0x200/0x480 [mac80211]
ieee80211_auth+0x14/0x20 [mac80211]
cfg80211_mlme_auth+0x90/0xf0 [cfg80211]
nl80211_authenticate+0x32c/0x380 [cfg80211]
genl_family_rcv_msg_doit+0xc8/0x134
Fix this issue by unassigning the link vif and clearing ahvif->links_map
if arvif is only initialized but not created.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
81e4be30544ee7e8da80e9aae7acd69d3be6d05a , < da289440f04c93048d82d293b180f1cacdfee2d9
(git)
Affected: 81e4be30544ee7e8da80e9aae7acd69d3be6d05a , < acd8319e834be6790e449701cb6df0f636801977 (git) Affected: 81e4be30544ee7e8da80e9aae7acd69d3be6d05a , < 2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da289440f04c93048d82d293b180f1cacdfee2d9",
"status": "affected",
"version": "81e4be30544ee7e8da80e9aae7acd69d3be6d05a",
"versionType": "git"
},
{
"lessThan": "acd8319e834be6790e449701cb6df0f636801977",
"status": "affected",
"version": "81e4be30544ee7e8da80e9aae7acd69d3be6d05a",
"versionType": "git"
},
{
"lessThan": "2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9",
"status": "affected",
"version": "81e4be30544ee7e8da80e9aae7acd69d3be6d05a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/mac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: clear stale link mapping of ahvif-\u003elinks_map\n\nWhen an arvif is initialized in non-AP STA mode but MLO connection\npreparation fails before the arvif is created\n(arvif-\u003eis_created remains false), the error path attempts to delete all\nlinks. However, link deletion only executes when arvif-\u003eis_created is true.\nAs a result, ahvif retains a stale entry of arvif that is initialized but\nnot created.\n\nWhen a new arvif is initialized with the same link id, this stale mapping\ntriggers the following WARN_ON.\n\nWARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275\n\nCall trace:\n ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P)\n drv_change_vif_links+0xbc/0x1a4 [mac80211]\n ieee80211_vif_update_links+0x54c/0x6a0 [mac80211]\n ieee80211_vif_set_links+0x40/0x70 [mac80211]\n ieee80211_prep_connection+0x84/0x450 [mac80211]\n ieee80211_mgd_auth+0x200/0x480 [mac80211]\n ieee80211_auth+0x14/0x20 [mac80211]\n cfg80211_mlme_auth+0x90/0xf0 [cfg80211]\n nl80211_authenticate+0x32c/0x380 [cfg80211]\n genl_family_rcv_msg_doit+0xc8/0x134\n\nFix this issue by unassigning the link vif and clearing ahvif-\u003elinks_map\nif arvif is only initialized but not created.\n\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:43.934Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da289440f04c93048d82d293b180f1cacdfee2d9"
},
{
"url": "https://git.kernel.org/stable/c/acd8319e834be6790e449701cb6df0f636801977"
},
{
"url": "https://git.kernel.org/stable/c/2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9"
}
],
"title": "wifi: ath12k: clear stale link mapping of ahvif-\u003elinks_map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46248",
"datePublished": "2026-06-03T15:49:43.934Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:43.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46247 (GCVE-0-2026-46247)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
clk: qcom: gfx3d: add parent to parent request map
Summary
In the Linux kernel, the following vulnerability has been resolved:
clk: qcom: gfx3d: add parent to parent request map
After commit d228ece36345 ("clk: divider: remove round_rate() in favor
of determine_rate()") determining GFX3D clock rate crashes, because the
passed parent map doesn't provide the expected best_parent_hw clock
(with the roundd_rate path before the offending commit the
best_parent_hw was ignored).
Set the field in parent_req in addition to setting it in the req,
fixing the crash.
clk_hw_round_rate (drivers/clk/clk.c:1764) (P)
clk_divider_bestdiv (drivers/clk/clk-divider.c:336)
divider_determine_rate (drivers/clk/clk-divider.c:358)
clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275)
clk_core_determine_round_nolock (drivers/clk/clk.c:1606)
clk_core_round_rate_nolock (drivers/clk/clk.c:1701)
__clk_determine_rate (drivers/clk/clk.c:1741)
clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268)
clk_core_determine_round_nolock (drivers/clk/clk.c:1606)
clk_core_round_rate_nolock (drivers/clk/clk.c:1701)
clk_core_round_rate_nolock (drivers/clk/clk.c:1710)
clk_round_rate (drivers/clk/clk.c:1804)
dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1))
msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51)
devfreq_set_target (drivers/devfreq/devfreq.c:360)
devfreq_update_target (drivers/devfreq/devfreq.c:426)
devfreq_monitor (drivers/devfreq/devfreq.c:458)
process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284)
worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2))
kthread (kernel/kthread.c:467)
ret_from_fork (arch/arm64/kernel/entry.S:861)
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
55213e1acec9218580c90d36034aa0370a51daab , < 82cfe5292b11deb1dc33822f67f73cfbe8eafe25
(git)
Affected: 55213e1acec9218580c90d36034aa0370a51daab , < 547ae2f17349c7586953af5ef50de43ef3f65e9e (git) Affected: 55213e1acec9218580c90d36034aa0370a51daab , < 56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8 (git) Affected: 55213e1acec9218580c90d36034aa0370a51daab , < aed53da569fb96eec09b4817b1953bcc2e467eea (git) Affected: 55213e1acec9218580c90d36034aa0370a51daab , < 8aa972eba1f29068d13bec716d33abca30fb3f2a (git) Affected: 55213e1acec9218580c90d36034aa0370a51daab , < 2583cb925ca1ce450aa5d74a05a67448db970193 (git) |
|
| Linux | Linux |
Affected:
4.5
Unaffected: 0 , < 4.5 (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/clk-rcg2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "82cfe5292b11deb1dc33822f67f73cfbe8eafe25",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
},
{
"lessThan": "547ae2f17349c7586953af5ef50de43ef3f65e9e",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
},
{
"lessThan": "56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
},
{
"lessThan": "aed53da569fb96eec09b4817b1953bcc2e467eea",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
},
{
"lessThan": "8aa972eba1f29068d13bec716d33abca30fb3f2a",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
},
{
"lessThan": "2583cb925ca1ce450aa5d74a05a67448db970193",
"status": "affected",
"version": "55213e1acec9218580c90d36034aa0370a51daab",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/clk/qcom/clk-rcg2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gfx3d: add parent to parent request map\n\nAfter commit d228ece36345 (\"clk: divider: remove round_rate() in favor\nof determine_rate()\") determining GFX3D clock rate crashes, because the\npassed parent map doesn\u0027t provide the expected best_parent_hw clock\n(with the roundd_rate path before the offending commit the\nbest_parent_hw was ignored).\n\nSet the field in parent_req in addition to setting it in the req,\nfixing the crash.\n\n clk_hw_round_rate (drivers/clk/clk.c:1764) (P)\n clk_divider_bestdiv (drivers/clk/clk-divider.c:336)\n divider_determine_rate (drivers/clk/clk-divider.c:358)\n clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275)\n clk_core_determine_round_nolock (drivers/clk/clk.c:1606)\n clk_core_round_rate_nolock (drivers/clk/clk.c:1701)\n __clk_determine_rate (drivers/clk/clk.c:1741)\n clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268)\n clk_core_determine_round_nolock (drivers/clk/clk.c:1606)\n clk_core_round_rate_nolock (drivers/clk/clk.c:1701)\n clk_core_round_rate_nolock (drivers/clk/clk.c:1710)\n clk_round_rate (drivers/clk/clk.c:1804)\n dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1))\n msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51)\n devfreq_set_target (drivers/devfreq/devfreq.c:360)\n devfreq_update_target (drivers/devfreq/devfreq.c:426)\n devfreq_monitor (drivers/devfreq/devfreq.c:458)\n process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284)\n worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2))\n kthread (kernel/kthread.c:467)\n ret_from_fork (arch/arm64/kernel/entry.S:861)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:42.833Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/82cfe5292b11deb1dc33822f67f73cfbe8eafe25"
},
{
"url": "https://git.kernel.org/stable/c/547ae2f17349c7586953af5ef50de43ef3f65e9e"
},
{
"url": "https://git.kernel.org/stable/c/56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8"
},
{
"url": "https://git.kernel.org/stable/c/aed53da569fb96eec09b4817b1953bcc2e467eea"
},
{
"url": "https://git.kernel.org/stable/c/8aa972eba1f29068d13bec716d33abca30fb3f2a"
},
{
"url": "https://git.kernel.org/stable/c/2583cb925ca1ce450aa5d74a05a67448db970193"
}
],
"title": "clk: qcom: gfx3d: add parent to parent request map",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46247",
"datePublished": "2026-06-03T15:49:42.833Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:42.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46246 (GCVE-0-2026-46246)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler
Summary
In the Linux kernel, the following vulnerability has been resolved:
power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler
Using the `devm_` variant for requesting IRQ _before_ the `devm_`
variant for allocating/registering the `extcon` handle, means that the
`extcon` handle will be deallocated/unregistered _before_ the interrupt
handler (since `devm_` naturally deallocates in reverse allocation
order). This means that during removal, there is a race condition where
an interrupt can fire just _after_ the `extcon` handle has been
freed, *but* just _before_ the corresponding unregistration of the IRQ
handler has run.
This will lead to the IRQ handler calling `extcon_set_state_sync()` with
a freed `extcon` handle. Which usually crashes the system or otherwise
silently corrupts the memory...
Fix this racy use-after-free by making sure the IRQ is requested _after_
the registration of the `extcon` handle.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f8d7a3d21160a0cab4d15b81231f2a76b0fcee13 , < 9fab0120907e6965168e55b1e17cb9dfaf262b86
(git)
Affected: f8d7a3d21160a0cab4d15b81231f2a76b0fcee13 , < 47abfc207ab02cf1297257e282e8048da63f0d08 (git) Affected: f8d7a3d21160a0cab4d15b81231f2a76b0fcee13 , < 48e0f68b50c344bb2d78d65dd98f93e41276ee00 (git) Affected: f8d7a3d21160a0cab4d15b81231f2a76b0fcee13 , < 23067259919663580c6f81801847cfc7bd54fd1f (git) |
|
| Linux | Linux |
Affected:
6.7
Unaffected: 0 , < 6.7 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/pm8916_lbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9fab0120907e6965168e55b1e17cb9dfaf262b86",
"status": "affected",
"version": "f8d7a3d21160a0cab4d15b81231f2a76b0fcee13",
"versionType": "git"
},
{
"lessThan": "47abfc207ab02cf1297257e282e8048da63f0d08",
"status": "affected",
"version": "f8d7a3d21160a0cab4d15b81231f2a76b0fcee13",
"versionType": "git"
},
{
"lessThan": "48e0f68b50c344bb2d78d65dd98f93e41276ee00",
"status": "affected",
"version": "f8d7a3d21160a0cab4d15b81231f2a76b0fcee13",
"versionType": "git"
},
{
"lessThan": "23067259919663580c6f81801847cfc7bd54fd1f",
"status": "affected",
"version": "f8d7a3d21160a0cab4d15b81231f2a76b0fcee13",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/power/supply/pm8916_lbc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler\n\nUsing the `devm_` variant for requesting IRQ _before_ the `devm_`\nvariant for allocating/registering the `extcon` handle, means that the\n`extcon` handle will be deallocated/unregistered _before_ the interrupt\nhandler (since `devm_` naturally deallocates in reverse allocation\norder). This means that during removal, there is a race condition where\nan interrupt can fire just _after_ the `extcon` handle has been\nfreed, *but* just _before_ the corresponding unregistration of the IRQ\nhandler has run.\n\nThis will lead to the IRQ handler calling `extcon_set_state_sync()` with\na freed `extcon` handle. Which usually crashes the system or otherwise\nsilently corrupts the memory...\n\nFix this racy use-after-free by making sure the IRQ is requested _after_\nthe registration of the `extcon` handle."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:41.607Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9fab0120907e6965168e55b1e17cb9dfaf262b86"
},
{
"url": "https://git.kernel.org/stable/c/47abfc207ab02cf1297257e282e8048da63f0d08"
},
{
"url": "https://git.kernel.org/stable/c/48e0f68b50c344bb2d78d65dd98f93e41276ee00"
},
{
"url": "https://git.kernel.org/stable/c/23067259919663580c6f81801847cfc7bd54fd1f"
}
],
"title": "power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46246",
"datePublished": "2026-06-03T15:49:41.607Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:41.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46245 (GCVE-0-2026-46245)
Vulnerability from nvd – Published: 2026-06-03 15:49 – Updated: 2026-06-03 15:49
VLAI
Title
drm/amd/display: Fix dc_link NULL handling in HPD init
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix dc_link NULL handling in HPD init
amdgpu_dm_hpd_init() may see connectors without a valid dc_link.
The code already checks dc_link for the polling decision, but later
unconditionally dereferences it when setting up HPD interrupts.
Assign dc_link early and skip connectors where it is NULL.
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init()
error: we previously assumed 'dc_link' could be null (see line 931)
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c
923 /*
924 * Analog connectors may be hot-plugged unlike other connector
925 * types that don't support HPD. Only poll analog connectors.
926 */
927 use_polling |=
928 amdgpu_dm_connector->dc_link &&
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed
929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id);
930
931 dc_link = amdgpu_dm_connector->dc_link;
dc_link assigned here.
932
933 /*
934 * Get a base driver irq reference for hpd ints for the lifetime
935 * of dm. Note that only hpd interrupt types are registered with
936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on
937 * hpd_rx isn't available. DM currently controls hpd_rx
938 * explicitly with dc_interrupt_set()
939 */
--> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) {
^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here.
941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1;
942 /*
943 * TODO: There's a mismatch between mode_info.num_hpd
944 * and what bios reports as the # of connectors with hpd
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a490e4d3c9fed1e690c8de348416eea3a9f054ff
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 226a40c06a183abaeb7529a4f54d6c203bd14407 (git) |
|
| Linux | Linux |
Affected:
4.15
Unaffected: 0 , < 4.15 (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a490e4d3c9fed1e690c8de348416eea3a9f054ff",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "226a40c06a183abaeb7529a4f54d6c203bd14407",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dc_link NULL handling in HPD init\n\namdgpu_dm_hpd_init() may see connectors without a valid dc_link.\n\nThe code already checks dc_link for the polling decision, but later\nunconditionally dereferences it when setting up HPD interrupts.\n\nAssign dc_link early and skip connectors where it is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init()\nerror: we previously assumed \u0027dc_link\u0027 could be null (see line 931)\n\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c\n 923 /*\n 924 * Analog connectors may be hot-plugged unlike other connector\n 925 * types that don\u0027t support HPD. Only poll analog connectors.\n 926 */\n 927 use_polling |=\n 928 amdgpu_dm_connector-\u003edc_link \u0026\u0026\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed\n\n 929 dc_connector_supports_analog(amdgpu_dm_connector-\u003edc_link-\u003elink_id.id);\n 930\n 931 dc_link = amdgpu_dm_connector-\u003edc_link;\n\ndc_link assigned here.\n\n 932\n 933 /*\n 934 * Get a base driver irq reference for hpd ints for the lifetime\n 935 * of dm. Note that only hpd interrupt types are registered with\n 936 * base driver; hpd_rx types aren\u0027t. IOW, amdgpu_irq_get/put on\n 937 * hpd_rx isn\u0027t available. DM currently controls hpd_rx\n 938 * explicitly with dc_interrupt_set()\n 939 */\n--\u003e 940 if (dc_link-\u003eirq_source_hpd != DC_IRQ_SOURCE_INVALID) {\n ^^^^^^^^^^^^^^^^^^^^^^^ If it\u0027s NULL then we are trouble because we dereference it here.\n\n 941 irq_type = dc_link-\u003eirq_source_hpd - DC_IRQ_SOURCE_HPD1;\n 942 /*\n 943 * TODO: There\u0027s a mismatch between mode_info.num_hpd\n 944 * and what bios reports as the # of connectors with hpd"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:49:40.645Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a490e4d3c9fed1e690c8de348416eea3a9f054ff"
},
{
"url": "https://git.kernel.org/stable/c/226a40c06a183abaeb7529a4f54d6c203bd14407"
}
],
"title": "drm/amd/display: Fix dc_link NULL handling in HPD init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46245",
"datePublished": "2026-06-03T15:49:40.645Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:49:40.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46244 (GCVE-0-2026-46244)
Vulnerability from nvd – Published: 2026-06-03 15:48 – Updated: 2026-06-03 15:48
VLAI
Title
netfilter: nft_inner: Fix IPv6 inner_thoff desync
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_inner: Fix IPv6 inner_thoff desync
In nft_inner_parse_l2l3(), when processing inner IPv6 packets,
ipv6_find_hdr() correctly computes the transport header offset
traversing all extension headers, but the result is immediately
overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only
accounts for the IPv6 base header. This creates a desync between
inner_thoff (wrong — points to extension header start) and l4proto
(correct — e.g., IPPROTO_TCP), enabling transport header forgery
and potential firewall bypass. This issue affects stable versions
from Linux 6.2.
For comparison, the normal (non-inner) IPv6 path correctly
preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite
ensures that ipv6_find_hdr()'s calculated transport header offset is
preserved, thereby fixing the desynchronization.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3a07327d10a09379315c844c63f27941f5081e0a , < c161ad9157f5a0429b5ff94d9770faf3bf48d273
(git)
Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 870d59e2cf218e7418491e26bad768cb16654582 (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < 689bbf48c1f45130086ae1c46ab83ea4c753c601 (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce (git) Affected: 3a07327d10a09379315c844c63f27941f5081e0a , < b6a91f68ebfed9c38e0e9150f58a9b85da07181c (git) |
|
| Linux | Linux |
Affected:
6.2
Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.142 , ≤ 6.6.* (semver) Unaffected: 6.12.92 , ≤ 6.12.* (semver) Unaffected: 6.18.34 , ≤ 6.18.* (semver) Unaffected: 7.0.11 , ≤ 7.0.* (semver) Unaffected: 7.1-rc5 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c161ad9157f5a0429b5ff94d9770faf3bf48d273",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "870d59e2cf218e7418491e26bad768cb16654582",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "689bbf48c1f45130086ae1c46ab83ea4c753c601",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
},
{
"lessThan": "b6a91f68ebfed9c38e0e9150f58a9b85da07181c",
"status": "affected",
"version": "3a07327d10a09379315c844c63f27941f5081e0a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_inner.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc5",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong \u2014 points to extension header start) and l4proto\n(correct \u2014 e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()\u0027s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()\u0027s calculated transport header offset is\npreserved, thereby fixing the desynchronization."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T15:48:59.049Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273"
},
{
"url": "https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582"
},
{
"url": "https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601"
},
{
"url": "https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce"
},
{
"url": "https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c"
}
],
"title": "netfilter: nft_inner: Fix IPv6 inner_thoff desync",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46244",
"datePublished": "2026-06-03T15:48:59.049Z",
"dateReserved": "2026-05-13T15:03:33.107Z",
"dateUpdated": "2026-06-03T15:48:59.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}