Search criteria
39097 vulnerabilities found for linux_kernel by linux
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from nvd – Published: 2026-05-11 06:26 – Updated: 2026-05-17 15:21
VLAI?
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b
(git)
Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.29 , ≤ 6.18.* (semver) Unaffected: 7.0.6 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:39.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-05-17T15:21:39.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43377 (GCVE-0-2026-43377)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Don't log keys in SMB3 signing and encryption key generation
When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and
generate_smb3encryptionkey() log the session, signing, encryption, and
decryption key bytes. Remove the logs to avoid exposing credentials.
Severity ?
8.1 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 4084ed720d7d5f4e975c9e4a6267a552dad3b24a
(git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < fec5c70b82af3f59f15bb984df94e5ad1fccfb1e (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 407cc37c21d51f9b9d4d20204b04890880cfa6ae (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c6b01b997a2094969e315f1ebfc1d64b8ae2163d (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 441336115df26b966575de56daf7107ed474faed (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4084ed720d7d5f4e975c9e4a6267a552dad3b24a",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "fec5c70b82af3f59f15bb984df94e5ad1fccfb1e",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "407cc37c21d51f9b9d4d20204b04890880cfa6ae",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "c6b01b997a2094969e315f1ebfc1d64b8ae2163d",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "441336115df26b966575de56daf7107ed474faed",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Don\u0027t log keys in SMB3 signing and encryption key generation\n\nWhen KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and\ngenerate_smb3encryptionkey() log the session, signing, encryption, and\ndecryption key bytes. Remove the logs to avoid exposing credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:24.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4084ed720d7d5f4e975c9e4a6267a552dad3b24a"
},
{
"url": "https://git.kernel.org/stable/c/fec5c70b82af3f59f15bb984df94e5ad1fccfb1e"
},
{
"url": "https://git.kernel.org/stable/c/3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f"
},
{
"url": "https://git.kernel.org/stable/c/407cc37c21d51f9b9d4d20204b04890880cfa6ae"
},
{
"url": "https://git.kernel.org/stable/c/c6b01b997a2094969e315f1ebfc1d64b8ae2163d"
},
{
"url": "https://git.kernel.org/stable/c/441336115df26b966575de56daf7107ed474faed"
}
],
"title": "ksmbd: Don\u0027t log keys in SMB3 signing and encryption key generation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43377",
"datePublished": "2026-05-08T14:21:26.618Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:24.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43376 (GCVE-0-2026-43376)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
ksmbd: fix use-after-free by using call_rcu() for oplock_info
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix use-after-free by using call_rcu() for oplock_info
ksmbd currently frees oplock_info immediately using kfree(), even
though it is accessed under RCU read-side critical sections in places
like opinfo_get() and proc_show_files().
Since there is no RCU grace period delay between nullifying the pointer
and freeing the memory, a reader can still access oplock_info
structure after it has been freed. This can leads to a use-after-free
especially in opinfo_get() where atomic_inc_not_zero() is called on
already freed memory.
Fix this by switching to deferred freeing using call_rcu().
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
296cb5457cc6f4a754c4ae29855f8a253d52bcc6 , < 302fef75512b2c8329a3f5efab1ae7ba2562387a
(git)
Affected: d54ab1520d43e95f9b2e22d7a05fc9614192e5a5 , < 08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c (git) Affected: 18b4fac5ef17f77fed9417d22210ceafd6525fc7 , < 1d6abf145615dbfe267ce3b0a271f95e3780e18e (git) Affected: 18b4fac5ef17f77fed9417d22210ceafd6525fc7 , < ce8507ee82c888126d8e7565e27c016308d24cde (git) Affected: 18b4fac5ef17f77fed9417d22210ceafd6525fc7 , < 1dfd062caa165ec9d7ee0823087930f3ab8a6294 (git) Affected: d73686367ad68534257cd88a36ca3c52cb8b81d8 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "302fef75512b2c8329a3f5efab1ae7ba2562387a",
"status": "affected",
"version": "296cb5457cc6f4a754c4ae29855f8a253d52bcc6",
"versionType": "git"
},
{
"lessThan": "08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c",
"status": "affected",
"version": "d54ab1520d43e95f9b2e22d7a05fc9614192e5a5",
"versionType": "git"
},
{
"lessThan": "1d6abf145615dbfe267ce3b0a271f95e3780e18e",
"status": "affected",
"version": "18b4fac5ef17f77fed9417d22210ceafd6525fc7",
"versionType": "git"
},
{
"lessThan": "ce8507ee82c888126d8e7565e27c016308d24cde",
"status": "affected",
"version": "18b4fac5ef17f77fed9417d22210ceafd6525fc7",
"versionType": "git"
},
{
"lessThan": "1dfd062caa165ec9d7ee0823087930f3ab8a6294",
"status": "affected",
"version": "18b4fac5ef17f77fed9417d22210ceafd6525fc7",
"versionType": "git"
},
{
"status": "affected",
"version": "d73686367ad68534257cd88a36ca3c52cb8b81d8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/oplock.c",
"fs/smb/server/oplock.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.14.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free by using call_rcu() for oplock_info\n\nksmbd currently frees oplock_info immediately using kfree(), even\nthough it is accessed under RCU read-side critical sections in places\nlike opinfo_get() and proc_show_files().\n\nSince there is no RCU grace period delay between nullifying the pointer\nand freeing the memory, a reader can still access oplock_info\nstructure after it has been freed. This can leads to a use-after-free\nespecially in opinfo_get() where atomic_inc_not_zero() is called on\nalready freed memory.\n\nFix this by switching to deferred freeing using call_rcu()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:23.503Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a"
},
{
"url": "https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c"
},
{
"url": "https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e"
},
{
"url": "https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde"
},
{
"url": "https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294"
}
],
"title": "ksmbd: fix use-after-free by using call_rcu() for oplock_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43376",
"datePublished": "2026-05-08T14:21:25.854Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:23.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43375 (GCVE-0-2026-43375)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
net: mctp: fix device leak on probe failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mctp: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
This driver takes a reference to the USB device during probe but does
not to release it on probe failures.
Drop the redundant device reference to fix the leak, reduce cargo
culting, make it easier to spot drivers where an extra reference is
needed, and reduce the risk of further memory leaks.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0791c0327a6e4e7691d6fc5ad334c215de04dcc9 , < 3224990fb16a831aabc50b67c74f5d0074ce80dd
(git)
Affected: 0791c0327a6e4e7691d6fc5ad334c215de04dcc9 , < ec9538f9b5cd1db5e8c612aa636b6119b6355c5d (git) Affected: 0791c0327a6e4e7691d6fc5ad334c215de04dcc9 , < 224a0d284c3caf1951302d1744a714784febed71 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/mctp/mctp-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3224990fb16a831aabc50b67c74f5d0074ce80dd",
"status": "affected",
"version": "0791c0327a6e4e7691d6fc5ad334c215de04dcc9",
"versionType": "git"
},
{
"lessThan": "ec9538f9b5cd1db5e8c612aa636b6119b6355c5d",
"status": "affected",
"version": "0791c0327a6e4e7691d6fc5ad334c215de04dcc9",
"versionType": "git"
},
{
"lessThan": "224a0d284c3caf1951302d1744a714784febed71",
"status": "affected",
"version": "0791c0327a6e4e7691d6fc5ad334c215de04dcc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/mctp/mctp-usb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: fix device leak on probe failure\n\nDriver core holds a reference to the USB interface and its parent USB\ndevice while the interface is bound to a driver and there is no need to\ntake additional references unless the structures are needed after\ndisconnect.\n\nThis driver takes a reference to the USB device during probe but does\nnot to release it on probe failures.\n\nDrop the redundant device reference to fix the leak, reduce cargo\nculting, make it easier to spot drivers where an extra reference is\nneeded, and reduce the risk of further memory leaks."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:22.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3224990fb16a831aabc50b67c74f5d0074ce80dd"
},
{
"url": "https://git.kernel.org/stable/c/ec9538f9b5cd1db5e8c612aa636b6119b6355c5d"
},
{
"url": "https://git.kernel.org/stable/c/224a0d284c3caf1951302d1744a714784febed71"
}
],
"title": "net: mctp: fix device leak on probe failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43375",
"datePublished": "2026-05-08T14:21:25.193Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:22.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43374 (GCVE-0-2026-43374)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nexthop: fix percpu use-after-free in remove_nh_grp_entry
When removing a nexthop from a group, remove_nh_grp_entry() publishes
the new group via rcu_assign_pointer() then immediately frees the
removed entry's percpu stats with free_percpu(). However, the
synchronize_net() grace period in the caller remove_nexthop_from_groups()
runs after the free. RCU readers that entered before the publish still
see the old group and can dereference the freed stats via
nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a
use-after-free on percpu memory.
Fix by deferring the free_percpu() until after synchronize_net() in the
caller. Removed entries are chained via nh_list onto a local deferred
free list. After the grace period completes and all RCU readers have
finished, the percpu stats are safely freed.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f4676ea74b8549cd88dbfe2a592ce4530039e61f , < abf4feaee6405f1441929c6ebe7a250f2cd170a7
(git)
Affected: f4676ea74b8549cd88dbfe2a592ce4530039e61f , < ab5ebab9664214ba41a7633cb4e72f128204f924 (git) Affected: f4676ea74b8549cd88dbfe2a592ce4530039e61f , < 9e08ad731862b22a87cc55f752e16d66cdc9e231 (git) Affected: f4676ea74b8549cd88dbfe2a592ce4530039e61f , < b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 (git) |
|
| Linux | Linux |
Affected:
6.9
Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "abf4feaee6405f1441929c6ebe7a250f2cd170a7",
"status": "affected",
"version": "f4676ea74b8549cd88dbfe2a592ce4530039e61f",
"versionType": "git"
},
{
"lessThan": "ab5ebab9664214ba41a7633cb4e72f128204f924",
"status": "affected",
"version": "f4676ea74b8549cd88dbfe2a592ce4530039e61f",
"versionType": "git"
},
{
"lessThan": "9e08ad731862b22a87cc55f752e16d66cdc9e231",
"status": "affected",
"version": "f4676ea74b8549cd88dbfe2a592ce4530039e61f",
"versionType": "git"
},
{
"lessThan": "b2662e7593e94ae09b1cf7ee5f09160a3612bcb2",
"status": "affected",
"version": "f4676ea74b8549cd88dbfe2a592ce4530039e61f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/nexthop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nexthop: fix percpu use-after-free in remove_nh_grp_entry\n\nWhen removing a nexthop from a group, remove_nh_grp_entry() publishes\nthe new group via rcu_assign_pointer() then immediately frees the\nremoved entry\u0027s percpu stats with free_percpu(). However, the\nsynchronize_net() grace period in the caller remove_nexthop_from_groups()\nruns after the free. RCU readers that entered before the publish still\nsee the old group and can dereference the freed stats via\nnh_grp_entry_stats_inc() -\u003e get_cpu_ptr(nhge-\u003estats), causing a\nuse-after-free on percpu memory.\n\nFix by deferring the free_percpu() until after synchronize_net() in the\ncaller. Removed entries are chained via nh_list onto a local deferred\nfree list. After the grace period completes and all RCU readers have\nfinished, the percpu stats are safely freed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:21.250Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7"
},
{
"url": "https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924"
},
{
"url": "https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231"
},
{
"url": "https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2"
}
],
"title": "net: nexthop: fix percpu use-after-free in remove_nh_grp_entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43374",
"datePublished": "2026-05-08T14:21:24.537Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:21.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43373 (GCVE-0-2026-43373)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
net: ncsi: fix skb leak in error paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: ncsi: fix skb leak in error paths
Early return paths in NCSI RX and AEN handlers fail to release
the received skb, resulting in a memory leak.
Specifically, ncsi_aen_handler() returns on invalid AEN packets
without consuming the skb. Similarly, ncsi_rcv_rsp() exits early
when failing to resolve the NCSI device, response handler, or
request, leaving the skb unfreed.
Severity ?
7.5 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
138635cc27c9737f940c3aa80912ff7a61c825af , < 9891d7f4f1ede473c54b49776ae07755083eef06
(git)
Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < fef5aa6e3bcf3c8053307642663a63b7362d7552 (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < 81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < 59962588197863d0d746879f193905c0c6b3df49 (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < 553366c271479c0d571dd1bb5d1bcde4747fb82e (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < b70c4e5e711931cdd56e6e905737b72f1e649189 (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < 87138dde2d6937b12b967f28fe598a7d59000ae4 (git) Affected: 138635cc27c9737f940c3aa80912ff7a61c825af , < 5c3398a54266541610c8d0a7082e654e9ff3e259 (git) |
|
| Linux | Linux |
Affected:
4.8
Unaffected: 0 , < 4.8 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ncsi/ncsi-aen.c",
"net/ncsi/ncsi-rsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9891d7f4f1ede473c54b49776ae07755083eef06",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "fef5aa6e3bcf3c8053307642663a63b7362d7552",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "59962588197863d0d746879f193905c0c6b3df49",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "553366c271479c0d571dd1bb5d1bcde4747fb82e",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "b70c4e5e711931cdd56e6e905737b72f1e649189",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "87138dde2d6937b12b967f28fe598a7d59000ae4",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
},
{
"lessThan": "5c3398a54266541610c8d0a7082e654e9ff3e259",
"status": "affected",
"version": "138635cc27c9737f940c3aa80912ff7a61c825af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ncsi/ncsi-aen.c",
"net/ncsi/ncsi-rsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ncsi: fix skb leak in error paths\n\nEarly return paths in NCSI RX and AEN handlers fail to release\nthe received skb, resulting in a memory leak.\n\nSpecifically, ncsi_aen_handler() returns on invalid AEN packets\nwithout consuming the skb. Similarly, ncsi_rcv_rsp() exits early\nwhen failing to resolve the NCSI device, response handler, or\nrequest, leaving the skb unfreed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:20.054Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06"
},
{
"url": "https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552"
},
{
"url": "https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a"
},
{
"url": "https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49"
},
{
"url": "https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e"
},
{
"url": "https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189"
},
{
"url": "https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4"
},
{
"url": "https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259"
}
],
"title": "net: ncsi: fix skb leak in error paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43373",
"datePublished": "2026-05-08T14:21:23.875Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:20.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43372 (GCVE-0-2026-43372)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
net: dsa: microchip: Fix error path in PTP IRQ setup
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: dsa: microchip: Fix error path in PTP IRQ setup
If request_threaded_irq() fails during the PTP message IRQ setup, the
newly created IRQ mapping is never disposed. Indeed, the
ksz_ptp_irq_setup()'s error path only frees the mappings that were
successfully set up.
Dispose the newly created mapping if the associated
request_threaded_irq() fails at setup.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3b5a6115d6ea45df1ea65dc9b832b23db5d593ba , < 3704ac6a0d9a78f66a187515a8ca3faedaf01cc5
(git)
Affected: 1ba6da6ca3db76f6a39004fd33a9c990e428515e , < e80fef36c676c947072dabeb5803ae59d92ba493 (git) Affected: d0b8fec8ae50525b57139393d0bb1f446e82ff7e , < 6c58a9fdb0d0e1011aa02455d26d6ebea251979b (git) Affected: d0b8fec8ae50525b57139393d0bb1f446e82ff7e , < c2d1d41e0e8ec447d40a5752844fc5fb0b23db27 (git) Affected: d0b8fec8ae50525b57139393d0bb1f446e82ff7e , < 99c8c16a4aad0b37293cae213e15957c573cf79b (git) Affected: ae12e4e0ca231475bcef841c6a6722fa185fd520 (git) |
|
| Linux | Linux |
Affected:
6.18
Unaffected: 0 , < 6.18 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3704ac6a0d9a78f66a187515a8ca3faedaf01cc5",
"status": "affected",
"version": "3b5a6115d6ea45df1ea65dc9b832b23db5d593ba",
"versionType": "git"
},
{
"lessThan": "e80fef36c676c947072dabeb5803ae59d92ba493",
"status": "affected",
"version": "1ba6da6ca3db76f6a39004fd33a9c990e428515e",
"versionType": "git"
},
{
"lessThan": "6c58a9fdb0d0e1011aa02455d26d6ebea251979b",
"status": "affected",
"version": "d0b8fec8ae50525b57139393d0bb1f446e82ff7e",
"versionType": "git"
},
{
"lessThan": "c2d1d41e0e8ec447d40a5752844fc5fb0b23db27",
"status": "affected",
"version": "d0b8fec8ae50525b57139393d0bb1f446e82ff7e",
"versionType": "git"
},
{
"lessThan": "99c8c16a4aad0b37293cae213e15957c573cf79b",
"status": "affected",
"version": "d0b8fec8ae50525b57139393d0bb1f446e82ff7e",
"versionType": "git"
},
{
"status": "affected",
"version": "ae12e4e0ca231475bcef841c6a6722fa185fd520",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/dsa/microchip/ksz_ptp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.119",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: microchip: Fix error path in PTP IRQ setup\n\nIf request_threaded_irq() fails during the PTP message IRQ setup, the\nnewly created IRQ mapping is never disposed. Indeed, the\nksz_ptp_irq_setup()\u0027s error path only frees the mappings that were\nsuccessfully set up.\n\nDispose the newly created mapping if the associated\nrequest_threaded_irq() fails at setup."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:18.896Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3704ac6a0d9a78f66a187515a8ca3faedaf01cc5"
},
{
"url": "https://git.kernel.org/stable/c/e80fef36c676c947072dabeb5803ae59d92ba493"
},
{
"url": "https://git.kernel.org/stable/c/6c58a9fdb0d0e1011aa02455d26d6ebea251979b"
},
{
"url": "https://git.kernel.org/stable/c/c2d1d41e0e8ec447d40a5752844fc5fb0b23db27"
},
{
"url": "https://git.kernel.org/stable/c/99c8c16a4aad0b37293cae213e15957c573cf79b"
}
],
"title": "net: dsa: microchip: Fix error path in PTP IRQ setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43372",
"datePublished": "2026-05-08T14:21:23.221Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:18.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43371 (GCVE-0-2026-43371)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
net: macb: Shuffle the tx ring before enabling tx
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: macb: Shuffle the tx ring before enabling tx
Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board,
the rootfs may take an extended time to recover after a suspend.
Upon investigation, it was determined that the issue originates from a
problem in the macb driver.
According to the Zynq UltraScale TRM [1], when transmit is disabled,
the transmit buffer queue pointer resets to point to the address
specified by the transmit buffer queue base address register.
In the current implementation, the code merely resets `queue->tx_head`
and `queue->tx_tail` to '0'. This approach presents several issues:
- Packets already queued in the tx ring are silently lost,
leading to memory leaks since the associated skbs cannot be released.
- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may
occur from `macb_tx_poll()` or `macb_start_xmit()` when these values
are reset to '0'.
- The transmission may become stuck on a packet that has already been sent
out, with its 'TX_USED' bit set, but has not yet been processed. However,
due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',
`macb_tx_poll()` incorrectly assumes there are no packets to handle
because `queue->tx_head == queue->tx_tail`. This issue is only resolved
when a new packet is placed at this position. This is the root cause of
the prolonged recovery time observed for the NFS root filesystem.
To resolve this issue, shuffle the tx ring and tx skb array so that
the first unsent packet is positioned at the start of the tx ring.
Additionally, ensure that updates to `queue->tx_head` and
`queue->tx_tail` are properly protected with the appropriate lock.
[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d89b8b17057e16fad4564c71160e68ca549c1b42 , < c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7
(git)
Affected: ec4445ae9e58aed88561d3d1dfa849b039c7782e , < 0a47c3889fcd843c72aa57fa8c4d06f5801fced4 (git) Affected: 6e704e89f16fd4a1145756210bc210f14f174f94 , < 88f974fe118cb4653f029929ecbca7cfe06132ae (git) Affected: 316d9fe71fb18bc9b1dba464fdb68dd201315eba , < 58f5d34f88e8f00910b692537f7b2efdb8c3705d (git) Affected: b3a7aa33ca7d46be513fccf832d3540acfe587d0 , < 403182e0771b250cfde0fe7e1081d095ceaf8230 (git) Affected: bf9cf80cab81e39701861a42877a28295ade266f , < 881a0263d502e1a93ebc13a78254e9ad19520232 (git) |
|
| Linux | Linux |
Affected:
6.1.165 , < 6.1.167
(semver)
Affected: 6.6.128 , < 6.6.130 (semver) Affected: 6.12.75 , < 6.12.78 (semver) Affected: 6.18.16 , < 6.18.20 (semver) Affected: 6.19.6 , < 6.19.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7",
"status": "affected",
"version": "d89b8b17057e16fad4564c71160e68ca549c1b42",
"versionType": "git"
},
{
"lessThan": "0a47c3889fcd843c72aa57fa8c4d06f5801fced4",
"status": "affected",
"version": "ec4445ae9e58aed88561d3d1dfa849b039c7782e",
"versionType": "git"
},
{
"lessThan": "88f974fe118cb4653f029929ecbca7cfe06132ae",
"status": "affected",
"version": "6e704e89f16fd4a1145756210bc210f14f174f94",
"versionType": "git"
},
{
"lessThan": "58f5d34f88e8f00910b692537f7b2efdb8c3705d",
"status": "affected",
"version": "316d9fe71fb18bc9b1dba464fdb68dd201315eba",
"versionType": "git"
},
{
"lessThan": "403182e0771b250cfde0fe7e1081d095ceaf8230",
"status": "affected",
"version": "b3a7aa33ca7d46be513fccf832d3540acfe587d0",
"versionType": "git"
},
{
"lessThan": "881a0263d502e1a93ebc13a78254e9ad19520232",
"status": "affected",
"version": "bf9cf80cab81e39701861a42877a28295ade266f",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/cadence/macb_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.167",
"status": "affected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThan": "6.6.130",
"status": "affected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThan": "6.12.78",
"status": "affected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThan": "6.18.20",
"status": "affected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThan": "6.19.9",
"status": "affected",
"version": "6.19.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.1.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.18.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue-\u003etx_head`\nand `queue-\u003etx_tail` to \u00270\u0027. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue-\u003etx_head` and `queue-\u003etx_tail` may\n occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n are reset to \u00270\u0027.\n\n- The transmission may become stuck on a packet that has already been sent\n out, with its \u0027TX_USED\u0027 bit set, but has not yet been processed. However,\n due to the manipulation of \u0027queue-\u003etx_head\u0027 and \u0027queue-\u003etx_tail\u0027,\n `macb_tx_poll()` incorrectly assumes there are no packets to handle\n because `queue-\u003etx_head == queue-\u003etx_tail`. This issue is only resolved\n when a new packet is placed at this position. This is the root cause of\n the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue-\u003etx_head` and\n`queue-\u003etx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:17.582Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7"
},
{
"url": "https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4"
},
{
"url": "https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae"
},
{
"url": "https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d"
},
{
"url": "https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230"
},
{
"url": "https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232"
}
],
"title": "net: macb: Shuffle the tx ring before enabling tx",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43371",
"datePublished": "2026-05-08T14:21:22.577Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:17.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43370 (GCVE-0-2026-43370)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
drm/amdgpu: Fix use-after-free race in VM acquire
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix use-after-free race in VM acquire
Replace non-atomic vm->process_info assignment with cmpxchg()
to prevent race when parent/child processes sharing a drm_file
both try to acquire the same VM after fork().
(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
Severity ?
7.8 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < ae87aea330c24f462fc7058ed543ba8bc6798447
(git)
Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < 46d309996bd9251792d7dafdbaf615cf202b4447 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < e61e355cbe49e585097eee28c15b862bfb1c0668 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < c658c1c85ec235b7ecfbf8dbfee385b1332088f4 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < 904025fa8bba1d028adade33346372b4ac1a9249 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < 7885eb335d8f9e9942925d57e300a85e3f82ded4 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < 94b7782d0c8024f5b88454241c8d4777076c3786 (git) Affected: ede0dd86f45adf2b7083bb161f6bc81da5fe2bad , < 2c1030f2e84885cc58bffef6af67d5b9d2e7098f (git) |
|
| Linux | Linux |
Affected:
4.17
Unaffected: 0 , < 4.17 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae87aea330c24f462fc7058ed543ba8bc6798447",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "46d309996bd9251792d7dafdbaf615cf202b4447",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "e61e355cbe49e585097eee28c15b862bfb1c0668",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "c658c1c85ec235b7ecfbf8dbfee385b1332088f4",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "904025fa8bba1d028adade33346372b4ac1a9249",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "7885eb335d8f9e9942925d57e300a85e3f82ded4",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "94b7782d0c8024f5b88454241c8d4777076c3786",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
},
{
"lessThan": "2c1030f2e84885cc58bffef6af67d5b9d2e7098f",
"status": "affected",
"version": "ede0dd86f45adf2b7083bb161f6bc81da5fe2bad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix use-after-free race in VM acquire\n\nReplace non-atomic vm-\u003eprocess_info assignment with cmpxchg()\nto prevent race when parent/child processes sharing a drm_file\nboth try to acquire the same VM after fork().\n\n(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:16.430Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae87aea330c24f462fc7058ed543ba8bc6798447"
},
{
"url": "https://git.kernel.org/stable/c/46d309996bd9251792d7dafdbaf615cf202b4447"
},
{
"url": "https://git.kernel.org/stable/c/e61e355cbe49e585097eee28c15b862bfb1c0668"
},
{
"url": "https://git.kernel.org/stable/c/c658c1c85ec235b7ecfbf8dbfee385b1332088f4"
},
{
"url": "https://git.kernel.org/stable/c/904025fa8bba1d028adade33346372b4ac1a9249"
},
{
"url": "https://git.kernel.org/stable/c/7885eb335d8f9e9942925d57e300a85e3f82ded4"
},
{
"url": "https://git.kernel.org/stable/c/94b7782d0c8024f5b88454241c8d4777076c3786"
},
{
"url": "https://git.kernel.org/stable/c/2c1030f2e84885cc58bffef6af67d5b9d2e7098f"
}
],
"title": "drm/amdgpu: Fix use-after-free race in VM acquire",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43370",
"datePublished": "2026-05-08T14:21:21.926Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:16.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43369 (GCVE-0-2026-43369)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
drm/amd: Fix NULL pointer dereference in device cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd: Fix NULL pointer dereference in device cleanup
When GPU initialization fails due to an unsupported HW block
IP blocks may have a NULL version pointer. During cleanup in
amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and
amdgpu_device_set_cg_state which iterate over all IP blocks and access
adev->ip_blocks[i].version without NULL checks, leading to a kernel
NULL pointer dereference.
Add NULL checks for adev->ip_blocks[i].version in both
amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent
dereferencing NULL pointers during GPU teardown when initialization has
failed.
(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fc58ef30e0a1524ce72a8e873d773ba3b0830c7d , < 43025c941aced9a9009f9ff20eea4eb78c61deb8
(git)
Affected: 6d7ac4a0ebb6b7bc885274aa8b2bd9971f07013c , < 767cd24d3c4ae847688877def4891943f6611ecd (git) Affected: 39fc2bc4da0082c226cbee331f0a5d44db3997da , < 062ea905fff7756b2e87143ffccaece5cdb44267 (git) |
|
| Linux | Linux |
Affected:
6.18.16 , < 6.18.19
(semver)
Affected: 6.19.6 , < 6.19.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "43025c941aced9a9009f9ff20eea4eb78c61deb8",
"status": "affected",
"version": "fc58ef30e0a1524ce72a8e873d773ba3b0830c7d",
"versionType": "git"
},
{
"lessThan": "767cd24d3c4ae847688877def4891943f6611ecd",
"status": "affected",
"version": "6d7ac4a0ebb6b7bc885274aa8b2bd9971f07013c",
"versionType": "git"
},
{
"lessThan": "062ea905fff7756b2e87143ffccaece5cdb44267",
"status": "affected",
"version": "39fc2bc4da0082c226cbee331f0a5d44db3997da",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.19",
"status": "affected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThan": "6.19.9",
"status": "affected",
"version": "6.19.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix NULL pointer dereference in device cleanup\n\nWhen GPU initialization fails due to an unsupported HW block\nIP blocks may have a NULL version pointer. During cleanup in\namdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and\namdgpu_device_set_cg_state which iterate over all IP blocks and access\nadev-\u003eip_blocks[i].version without NULL checks, leading to a kernel\nNULL pointer dereference.\n\nAdd NULL checks for adev-\u003eip_blocks[i].version in both\namdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent\ndereferencing NULL pointers during GPU teardown when initialization has\nfailed.\n\n(cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:15.282Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/43025c941aced9a9009f9ff20eea4eb78c61deb8"
},
{
"url": "https://git.kernel.org/stable/c/767cd24d3c4ae847688877def4891943f6611ecd"
},
{
"url": "https://git.kernel.org/stable/c/062ea905fff7756b2e87143ffccaece5cdb44267"
}
],
"title": "drm/amd: Fix NULL pointer dereference in device cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43369",
"datePublished": "2026-05-08T14:21:21.174Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:15.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43368 (GCVE-0-2026-43368)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
drm/i915: Fix potential overflow of shmem scatterlist length
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential overflow of shmem scatterlist length
When a scatterlists table of a GEM shmem object of size 4 GB or more is
populated with pages allocated from a folio, unsigned int .length
attribute of a scatterlist may get overflowed if total byte length of
pages allocated to that single scatterlist happens to reach or cross the
4GB limit. As a consequence, users of the object may suffer from hitting
unexpected, premature end of the object's backing pages.
[278.780187] ------------[ cut here ]------------
[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]
...
[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)
[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024
[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]
...
[278.780786] Call Trace:
[278.780787] <TASK>
[278.780788] ? __apply_to_page_range+0x3e6/0x910
[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]
[278.780906] apply_to_page_range+0x14/0x30
[278.780908] remap_io_sg+0x14d/0x260 [i915]
[278.781013] vm_fault_cpu+0xd2/0x330 [i915]
[278.781137] __do_fault+0x3a/0x1b0
[278.781140] do_fault+0x322/0x640
[278.781143] __handle_mm_fault+0x938/0xfd0
[278.781150] handle_mm_fault+0x12c/0x300
[278.781152] ? lock_mm_and_find_vma+0x4b/0x760
[278.781155] do_user_addr_fault+0x2d6/0x8e0
[278.781160] exc_page_fault+0x96/0x2c0
[278.781165] asm_exc_page_fault+0x27/0x30
...
That issue was apprehended by the author of a change that introduced it,
and potential risk even annotated with a comment, but then never addressed.
When adding folio pages to a scatterlist table, take care of byte length
of any single scatterlist not exceeding max_segment.
(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
0b62af28f249b9c4036a05acfb053058dc02e2e2 , < aeb7255531ba4a5c3a64938577170d08b78de399
(git)
Affected: 0b62af28f249b9c4036a05acfb053058dc02e2e2 , < 1c956f0fccc26fefcbb507516c49d1db41c40471 (git) Affected: 0b62af28f249b9c4036a05acfb053058dc02e2e2 , < eae4bf4107571283031db96ce132e951615e2ae4 (git) Affected: 0b62af28f249b9c4036a05acfb053058dc02e2e2 , < 21a301f12d18797bf889c15497f922edfdaece3a (git) Affected: 0b62af28f249b9c4036a05acfb053058dc02e2e2 , < 029ae067431ab9d0fca479bdabe780fa436706ea (git) |
|
| Linux | Linux |
Affected:
6.5
Unaffected: 0 , < 6.5 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aeb7255531ba4a5c3a64938577170d08b78de399",
"status": "affected",
"version": "0b62af28f249b9c4036a05acfb053058dc02e2e2",
"versionType": "git"
},
{
"lessThan": "1c956f0fccc26fefcbb507516c49d1db41c40471",
"status": "affected",
"version": "0b62af28f249b9c4036a05acfb053058dc02e2e2",
"versionType": "git"
},
{
"lessThan": "eae4bf4107571283031db96ce132e951615e2ae4",
"status": "affected",
"version": "0b62af28f249b9c4036a05acfb053058dc02e2e2",
"versionType": "git"
},
{
"lessThan": "21a301f12d18797bf889c15497f922edfdaece3a",
"status": "affected",
"version": "0b62af28f249b9c4036a05acfb053058dc02e2e2",
"versionType": "git"
},
{
"lessThan": "029ae067431ab9d0fca479bdabe780fa436706ea",
"status": "affected",
"version": "0b62af28f249b9c4036a05acfb053058dc02e2e2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_shmem.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential overflow of shmem scatterlist length\n\nWhen a scatterlists table of a GEM shmem object of size 4 GB or more is\npopulated with pages allocated from a folio, unsigned int .length\nattribute of a scatterlist may get overflowed if total byte length of\npages allocated to that single scatterlist happens to reach or cross the\n4GB limit. As a consequence, users of the object may suffer from hitting\nunexpected, premature end of the object\u0027s backing pages.\n\n[278.780187] ------------[ cut here ]------------\n[278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915]\n...\n[278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary)\n[278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024\n[278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915]\n...\n[278.780786] Call Trace:\n[278.780787] \u003cTASK\u003e\n[278.780788] ? __apply_to_page_range+0x3e6/0x910\n[278.780795] ? __pfx_remap_sg+0x10/0x10 [i915]\n[278.780906] apply_to_page_range+0x14/0x30\n[278.780908] remap_io_sg+0x14d/0x260 [i915]\n[278.781013] vm_fault_cpu+0xd2/0x330 [i915]\n[278.781137] __do_fault+0x3a/0x1b0\n[278.781140] do_fault+0x322/0x640\n[278.781143] __handle_mm_fault+0x938/0xfd0\n[278.781150] handle_mm_fault+0x12c/0x300\n[278.781152] ? lock_mm_and_find_vma+0x4b/0x760\n[278.781155] do_user_addr_fault+0x2d6/0x8e0\n[278.781160] exc_page_fault+0x96/0x2c0\n[278.781165] asm_exc_page_fault+0x27/0x30\n...\n\nThat issue was apprehended by the author of a change that introduced it,\nand potential risk even annotated with a comment, but then never addressed.\n\nWhen adding folio pages to a scatterlist table, take care of byte length\nof any single scatterlist not exceeding max_segment.\n\n(cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:14.115Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aeb7255531ba4a5c3a64938577170d08b78de399"
},
{
"url": "https://git.kernel.org/stable/c/1c956f0fccc26fefcbb507516c49d1db41c40471"
},
{
"url": "https://git.kernel.org/stable/c/eae4bf4107571283031db96ce132e951615e2ae4"
},
{
"url": "https://git.kernel.org/stable/c/21a301f12d18797bf889c15497f922edfdaece3a"
},
{
"url": "https://git.kernel.org/stable/c/029ae067431ab9d0fca479bdabe780fa436706ea"
}
],
"title": "drm/i915: Fix potential overflow of shmem scatterlist length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43368",
"datePublished": "2026-05-08T14:21:20.500Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:14.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43367 (GCVE-0-2026-43367)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
drm/amd: Fix a few more NULL pointer dereference in device cleanup
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd: Fix a few more NULL pointer dereference in device cleanup
I found a few more paths that cleanup fails due to a NULL version pointer
on unsupported hardware.
Add NULL checks as applicable.
(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fc58ef30e0a1524ce72a8e873d773ba3b0830c7d , < 38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e
(git)
Affected: 6d7ac4a0ebb6b7bc885274aa8b2bd9971f07013c , < 5edcb0d6729b88f192ec8b0896aaf581e3593c9c (git) Affected: 39fc2bc4da0082c226cbee331f0a5d44db3997da , < 72ecb1dae72775fa9fea0159d8445d620a0a2295 (git) |
|
| Linux | Linux |
Affected:
6.18.16 , < 6.18.19
(semver)
Affected: 6.19.6 , < 6.19.9 (semver) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e",
"status": "affected",
"version": "fc58ef30e0a1524ce72a8e873d773ba3b0830c7d",
"versionType": "git"
},
{
"lessThan": "5edcb0d6729b88f192ec8b0896aaf581e3593c9c",
"status": "affected",
"version": "6d7ac4a0ebb6b7bc885274aa8b2bd9971f07013c",
"versionType": "git"
},
{
"lessThan": "72ecb1dae72775fa9fea0159d8445d620a0a2295",
"status": "affected",
"version": "39fc2bc4da0082c226cbee331f0a5d44db3997da",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/amdgpu_device.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.18.19",
"status": "affected",
"version": "6.18.16",
"versionType": "semver"
},
{
"lessThan": "6.19.9",
"status": "affected",
"version": "6.19.6",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: Fix a few more NULL pointer dereference in device cleanup\n\nI found a few more paths that cleanup fails due to a NULL version pointer\non unsupported hardware.\n\nAdd NULL checks as applicable.\n\n(cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:12.981Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e"
},
{
"url": "https://git.kernel.org/stable/c/5edcb0d6729b88f192ec8b0896aaf581e3593c9c"
},
{
"url": "https://git.kernel.org/stable/c/72ecb1dae72775fa9fea0159d8445d620a0a2295"
}
],
"title": "drm/amd: Fix a few more NULL pointer dereference in device cleanup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43367",
"datePublished": "2026-05-08T14:21:19.851Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:12.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43366 (GCVE-0-2026-43366)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
io_uring/kbuf: check if target buffer list is still legacy on recycle
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/kbuf: check if target buffer list is still legacy on recycle
There's a gap between when the buffer was grabbed and when it
potentially gets recycled, where if the list is empty, someone could've
upgraded it to a ring provided type. This can happen if the request
is forced via io-wq. The legacy recycling is missing checking if the
buffer_list still exists, and if it's of the correct type. Add those
checks.
Severity ?
7.8 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < a7b33671e418fca507feebd1d56e7f4952a4b25c
(git)
Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 439a6728ec4641ffad1ca796622c19bc525e570f (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 50ad880db3013c6fee0ef13781762a39e2e7ef83 (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < 97b57f69fee1b61b41acbf37e7720cac9d389fa4 (git) Affected: c7fb19428d67dd0a2a78a4f237af01d39c78dc5a , < c2c185be5c85d37215397c8e8781abf0a69bec1f (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7b33671e418fca507feebd1d56e7f4952a4b25c",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "439a6728ec4641ffad1ca796622c19bc525e570f",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "50ad880db3013c6fee0ef13781762a39e2e7ef83",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "97b57f69fee1b61b41acbf37e7720cac9d389fa4",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
},
{
"lessThan": "c2c185be5c85d37215397c8e8781abf0a69bec1f",
"status": "affected",
"version": "c7fb19428d67dd0a2a78a4f237af01d39c78dc5a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/kbuf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/kbuf: check if target buffer list is still legacy on recycle\n\nThere\u0027s a gap between when the buffer was grabbed and when it\npotentially gets recycled, where if the list is empty, someone could\u0027ve\nupgraded it to a ring provided type. This can happen if the request\nis forced via io-wq. The legacy recycling is missing checking if the\nbuffer_list still exists, and if it\u0027s of the correct type. Add those\nchecks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:11.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c"
},
{
"url": "https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f"
},
{
"url": "https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa"
},
{
"url": "https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83"
},
{
"url": "https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4"
},
{
"url": "https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f"
}
],
"title": "io_uring/kbuf: check if target buffer list is still legacy on recycle",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43366",
"datePublished": "2026-05-08T14:21:19.191Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:11.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43365 (GCVE-0-2026-43365)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
xfs: fix undersized l_iclog_roundoff values
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix undersized l_iclog_roundoff values
If the superblock doesn't list a log stripe unit, we set the incore log
roundoff value to 512. This leads to corrupt logs and unmountable
filesystems in generic/617 on a disk with 4k physical sectors...
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.
XFS (sda1): failed to locate log tail
XFS (sda1): log mount/recovery failed: error -74
XFS (sda1): log mount failed
XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c
XFS (sda1): Ending clean mount
...on the current xfsprogs for-next which has a broken mkfs. xfs_info
shows this...
meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=1
= reflink=1 bigtime=1 inobtcount=1 nrext64=1
= exchange=1 metadir=1
data = bsize=4096 blocks=2579968, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
log =internal log bsize=4096 blocks=16384, version=2
= sectsz=4096 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
= rgcount=0 rgsize=268435456 extents
= zoned=0 start=0 reserved=0
...observe that the log section has sectsz=4096 sunit=0, which means
that the roundoff factor is 512, not 4096 as you'd expect. We should
fix mkfs not to generate broken filesystems, but anyone can fuzz the
ondisk superblock so we should be more cautious. I think the inadequate
logic predates commit a6a65fef5ef8d0, but that's clearly going to
require a different backport.
Severity ?
8.2 (High)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 5afae524f83d6a18517298491a5624cb0eae5029
(git)
Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40 (git) Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 41e91dff2d3974730b5ee50daa8e27ec254cbf91 (git) Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d (git) Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 446a1f5bb64ba38adb93cb043ff0f7b85e8937ca (git) Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 5e7148402dfc4a5b7894d8e97b15e5c2e70924aa (git) Affected: a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48 , < 52a8a1ba883defbfe3200baa22cf4cd21985d51a (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5afae524f83d6a18517298491a5624cb0eae5029",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "41e91dff2d3974730b5ee50daa8e27ec254cbf91",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "446a1f5bb64ba38adb93cb043ff0f7b85e8937ca",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "5e7148402dfc4a5b7894d8e97b15e5c2e70924aa",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
},
{
"lessThan": "52a8a1ba883defbfe3200baa22cf4cd21985d51a",
"status": "affected",
"version": "a6a65fef5ef8d0a6a0ce514eb66b2f3dfa777b48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix undersized l_iclog_roundoff values\n\nIf the superblock doesn\u0027t list a log stripe unit, we set the incore log\nroundoff value to 512. This leads to corrupt logs and unmountable\nfilesystems in generic/617 on a disk with 4k physical sectors...\n\nXFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c\nXFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197.\nXFS (sda1): failed to locate log tail\nXFS (sda1): log mount/recovery failed: error -74\nXFS (sda1): log mount failed\nXFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c\nXFS (sda1): Ending clean mount\n\n...on the current xfsprogs for-next which has a broken mkfs. xfs_info\nshows this...\n\nmeta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks\n = sectsz=4096 attr=2, projid32bit=1\n = crc=1 finobt=1, sparse=1, rmapbt=1\n = reflink=1 bigtime=1 inobtcount=1 nrext64=1\n = exchange=1 metadir=1\ndata = bsize=4096 blocks=2579968, imaxpct=25\n = sunit=0 swidth=0 blks\nnaming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1\nlog =internal log bsize=4096 blocks=16384, version=2\n = sectsz=4096 sunit=0 blks, lazy-count=1\nrealtime =none extsz=4096 blocks=0, rtextents=0\n = rgcount=0 rgsize=268435456 extents\n = zoned=0 start=0 reserved=0\n\n...observe that the log section has sectsz=4096 sunit=0, which means\nthat the roundoff factor is 512, not 4096 as you\u0027d expect. We should\nfix mkfs not to generate broken filesystems, but anyone can fuzz the\nondisk superblock so we should be more cautious. I think the inadequate\nlogic predates commit a6a65fef5ef8d0, but that\u0027s clearly going to\nrequire a different backport."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:10.719Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5afae524f83d6a18517298491a5624cb0eae5029"
},
{
"url": "https://git.kernel.org/stable/c/2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40"
},
{
"url": "https://git.kernel.org/stable/c/41e91dff2d3974730b5ee50daa8e27ec254cbf91"
},
{
"url": "https://git.kernel.org/stable/c/e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d"
},
{
"url": "https://git.kernel.org/stable/c/446a1f5bb64ba38adb93cb043ff0f7b85e8937ca"
},
{
"url": "https://git.kernel.org/stable/c/5e7148402dfc4a5b7894d8e97b15e5c2e70924aa"
},
{
"url": "https://git.kernel.org/stable/c/52a8a1ba883defbfe3200baa22cf4cd21985d51a"
}
],
"title": "xfs: fix undersized l_iclog_roundoff values",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43365",
"datePublished": "2026-05-08T14:21:18.405Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:10.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43364 (GCVE-0-2026-43364)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ublk: fix NULL pointer dereference in ublk_ctrl_set_size()
ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via
set_capacity_and_notify() without checking if it is NULL.
ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only
assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs
(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE
handler performs no state validation, a user can trigger a NULL pointer
dereference by sending UPDATE_SIZE to a device that has been added but
not yet started, or one that has been stopped.
Fix this by checking ub->ub_disk under ub->mutex before dereferencing
it, and returning -ENODEV if the disk is not available.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
98b995660bff011d8e00af03abd74ac7d1ac1390 , < f13fe6794726755a43090cb680c4c58cea6aa5f1
(git)
Affected: 98b995660bff011d8e00af03abd74ac7d1ac1390 , < c28d945bfa92e15147e93b73f95345b9bec979b0 (git) Affected: 98b995660bff011d8e00af03abd74ac7d1ac1390 , < 25966fc097691e5c925ad080f64a2f19c5fd940a (git) |
|
| Linux | Linux |
Affected:
6.16
Unaffected: 0 , < 6.16 (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f13fe6794726755a43090cb680c4c58cea6aa5f1",
"status": "affected",
"version": "98b995660bff011d8e00af03abd74ac7d1ac1390",
"versionType": "git"
},
{
"lessThan": "c28d945bfa92e15147e93b73f95345b9bec979b0",
"status": "affected",
"version": "98b995660bff011d8e00af03abd74ac7d1ac1390",
"versionType": "git"
},
{
"lessThan": "25966fc097691e5c925ad080f64a2f19c5fd940a",
"status": "affected",
"version": "98b995660bff011d8e00af03abd74ac7d1ac1390",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nublk: fix NULL pointer dereference in ublk_ctrl_set_size()\n\nublk_ctrl_set_size() unconditionally dereferences ub-\u003eub_disk via\nset_capacity_and_notify() without checking if it is NULL.\n\nub-\u003eub_disk is NULL before UBLK_CMD_START_DEV completes (it is only\nassigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs\n(ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE\nhandler performs no state validation, a user can trigger a NULL pointer\ndereference by sending UPDATE_SIZE to a device that has been added but\nnot yet started, or one that has been stopped.\n\nFix this by checking ub-\u003eub_disk under ub-\u003emutex before dereferencing\nit, and returning -ENODEV if the disk is not available."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:09.555Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f13fe6794726755a43090cb680c4c58cea6aa5f1"
},
{
"url": "https://git.kernel.org/stable/c/c28d945bfa92e15147e93b73f95345b9bec979b0"
},
{
"url": "https://git.kernel.org/stable/c/25966fc097691e5c925ad080f64a2f19c5fd940a"
}
],
"title": "ublk: fix NULL pointer dereference in ublk_ctrl_set_size()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43364",
"datePublished": "2026-05-08T14:21:17.654Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:09.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43363 (GCVE-0-2026-43363)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
x86/apic: Disable x2apic on resume if the kernel expects so
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/apic: Disable x2apic on resume if the kernel expects so
When resuming from s2ram, firmware may re-enable x2apic mode, which may have
been disabled by the kernel during boot either because it doesn't support IRQ
remapping or for other reasons. This causes the kernel to continue using the
xapic interface, while the hardware is in x2apic mode, which causes hangs.
This happens on defconfig + bare metal + s2ram.
Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be
disabled, i.e. when x2apic_mode = 0.
The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the
pre-sleep configuration or initial boot configuration for each CPU, including
MSR state:
When executing from the power-on reset vector as a result of waking from an
S2 or S3 sleep state, the platform firmware performs only the hardware
initialization required to restore the system to either the state the
platform was in prior to the initial operating system boot, or to the
pre-sleep configuration state. In multiprocessor systems, non-boot
processors should be placed in the same state as prior to the initial
operating system boot.
(further ahead)
If this is an S2 or S3 wake, then the platform runtime firmware restores
minimum context of the system before jumping to the waking vector. This
includes:
CPU configuration. Platform runtime firmware restores the pre-sleep
configuration or initial boot configuration of each CPU (MSR, MTRR,
firmware update, SMBase, and so on). Interrupts must be disabled (for
IA-32 processors, disabled by CLI instruction).
(and other things)
So at least as per the spec, re-enablement of x2apic by the firmware is
allowed if "x2apic on" is a part of the initial boot configuration.
[1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization
[ bp: Massage. ]
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
6e1cb38a2aef7680975e71f23de187859ee8b158 , < a6ad6f2e31b524cbb66b2f370bad0cf17d327e6c
(git)
Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 3dd0812a7c764cd8f3b0182441ac22da0a7f3b09 (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 965289b120cc68cca886c75219c68b8c15751d73 (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < f591938072115bf08730b8530c67fab189cc6308 (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 1a85f84214f9d790216547ac6086bf8033cd9e5a (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 11712c4eb384098db4cb08792e223c818b908c1a (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 1d8440c1e7c49715f937416ac90cf260f1f1712c (git) Affected: 6e1cb38a2aef7680975e71f23de187859ee8b158 , < 8cc7dd77a1466f0ec58c03478b2e735a5b289b96 (git) |
|
| Linux | Linux |
Affected:
2.6.28
Unaffected: 0 , < 2.6.28 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/apic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a6ad6f2e31b524cbb66b2f370bad0cf17d327e6c",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "3dd0812a7c764cd8f3b0182441ac22da0a7f3b09",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "965289b120cc68cca886c75219c68b8c15751d73",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "f591938072115bf08730b8530c67fab189cc6308",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "1a85f84214f9d790216547ac6086bf8033cd9e5a",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "11712c4eb384098db4cb08792e223c818b908c1a",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "1d8440c1e7c49715f937416ac90cf260f1f1712c",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
},
{
"lessThan": "8cc7dd77a1466f0ec58c03478b2e735a5b289b96",
"status": "affected",
"version": "6e1cb38a2aef7680975e71f23de187859ee8b158",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/apic/apic.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Disable x2apic on resume if the kernel expects so\n\nWhen resuming from s2ram, firmware may re-enable x2apic mode, which may have\nbeen disabled by the kernel during boot either because it doesn\u0027t support IRQ\nremapping or for other reasons. This causes the kernel to continue using the\nxapic interface, while the hardware is in x2apic mode, which causes hangs.\nThis happens on defconfig + bare metal + s2ram.\n\nFix this in lapic_resume() by disabling x2apic if the kernel expects it to be\ndisabled, i.e. when x2apic_mode = 0.\n\nThe ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the\npre-sleep configuration or initial boot configuration for each CPU, including\nMSR state:\n\n When executing from the power-on reset vector as a result of waking from an\n S2 or S3 sleep state, the platform firmware performs only the hardware\n initialization required to restore the system to either the state the\n platform was in prior to the initial operating system boot, or to the\n pre-sleep configuration state. In multiprocessor systems, non-boot\n processors should be placed in the same state as prior to the initial\n operating system boot.\n\n (further ahead)\n\n If this is an S2 or S3 wake, then the platform runtime firmware restores\n minimum context of the system before jumping to the waking vector. This\n includes:\n\n\tCPU configuration. Platform runtime firmware restores the pre-sleep\n\tconfiguration or initial boot configuration of each CPU (MSR, MTRR,\n\tfirmware update, SMBase, and so on). Interrupts must be disabled (for\n\tIA-32 processors, disabled by CLI instruction).\n\n\t(and other things)\n\nSo at least as per the spec, re-enablement of x2apic by the firmware is\nallowed if \"x2apic on\" is a part of the initial boot configuration.\n\n [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization\n\n [ bp: Massage. ]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:08.290Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a6ad6f2e31b524cbb66b2f370bad0cf17d327e6c"
},
{
"url": "https://git.kernel.org/stable/c/3dd0812a7c764cd8f3b0182441ac22da0a7f3b09"
},
{
"url": "https://git.kernel.org/stable/c/965289b120cc68cca886c75219c68b8c15751d73"
},
{
"url": "https://git.kernel.org/stable/c/f591938072115bf08730b8530c67fab189cc6308"
},
{
"url": "https://git.kernel.org/stable/c/1a85f84214f9d790216547ac6086bf8033cd9e5a"
},
{
"url": "https://git.kernel.org/stable/c/11712c4eb384098db4cb08792e223c818b908c1a"
},
{
"url": "https://git.kernel.org/stable/c/1d8440c1e7c49715f937416ac90cf260f1f1712c"
},
{
"url": "https://git.kernel.org/stable/c/8cc7dd77a1466f0ec58c03478b2e735a5b289b96"
}
],
"title": "x86/apic: Disable x2apic on resume if the kernel expects so",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43363",
"datePublished": "2026-05-08T14:21:16.986Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:08.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43362 (GCVE-0-2026-43362)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
smb: client: fix in-place encryption corruption in SMB2_write()
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix in-place encryption corruption in SMB2_write()
SMB2_write() places write payload in iov[1..n] as part of rq_iov.
smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()
encrypts iov[1] in-place, replacing the original plaintext with
ciphertext. On a replayable error, the retry sends the same iov[1]
which now contains ciphertext instead of the original data,
resulting in corruption.
The corruption is most likely to be observed when connections are
unstable, as reconnects trigger write retries that re-send the
already-encrypted data.
This affects SFU mknod, MF symlinks, etc. On kernels before
6.10 (prior to the netfs conversion), sync writes also used
this path and were similarly affected. The async write path
wasn't unaffected as it uses rq_iter which gets deep-copied.
Fix by moving the write payload into rq_iter via iov_iter_kvec(),
so smb3_init_transform_rq() deep-copies it before encryption.
Severity ?
8.1 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 438e77435aee2894d5edf90be5c87004a57f6258
(git)
Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 52327268224fb9ccc7ecfbbdfdfff54b6e93c518 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < 92e64f1852f455f57d0850989e57c30d7fac7d95 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < aea5e37388a080361110ab5790f57ae0af383650 (git) Affected: 026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398 , < d78840a6a38d312dc1a51a65317bb67e46f0b929 (git) |
|
| Linux | Linux |
Affected:
4.11
Unaffected: 0 , < 4.11 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "438e77435aee2894d5edf90be5c87004a57f6258",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "52327268224fb9ccc7ecfbbdfdfff54b6e93c518",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "92e64f1852f455f57d0850989e57c30d7fac7d95",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "aea5e37388a080361110ab5790f57ae0af383650",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
},
{
"lessThan": "d78840a6a38d312dc1a51a65317bb67e46f0b929",
"status": "affected",
"version": "026e93dc0a3eefb0be060bcb9ecd8d7a7fd5c398",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix in-place encryption corruption in SMB2_write()\n\nSMB2_write() places write payload in iov[1..n] as part of rq_iov.\nsmb3_init_transform_rq() pointer-shares rq_iov, so crypt_message()\nencrypts iov[1] in-place, replacing the original plaintext with\nciphertext. On a replayable error, the retry sends the same iov[1]\nwhich now contains ciphertext instead of the original data,\nresulting in corruption.\n\nThe corruption is most likely to be observed when connections are\nunstable, as reconnects trigger write retries that re-send the\nalready-encrypted data.\n\nThis affects SFU mknod, MF symlinks, etc. On kernels before\n6.10 (prior to the netfs conversion), sync writes also used\nthis path and were similarly affected. The async write path\nwasn\u0027t unaffected as it uses rq_iter which gets deep-copied.\n\nFix by moving the write payload into rq_iter via iov_iter_kvec(),\nso smb3_init_transform_rq() deep-copies it before encryption."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:07.073Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258"
},
{
"url": "https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518"
},
{
"url": "https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95"
},
{
"url": "https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650"
},
{
"url": "https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929"
}
],
"title": "smb: client: fix in-place encryption corruption in SMB2_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43362",
"datePublished": "2026-05-08T14:21:16.358Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:07.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43361 (GCVE-0-2026-43361)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
btrfs: fix transaction abort when snapshotting received subvolumes
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort when snapshotting received subvolumes
Currently a user can trigger a transaction abort by snapshotting a
previously received snapshot a bunch of times until we reach a
BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
can store in a leaf). This is very likely not common in practice, but
if it happens, it turns the filesystem into RO mode. The snapshot, send
and set_received_subvol and subvol_setflags (used by receive) don't
require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
could use this to turn a filesystem into RO mode and disrupt a system.
Reproducer script:
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# Create a subvolume and set it to RO so that it can be used for send.
btrfs subvolume create $MNT/sv
touch $MNT/sv/foo
btrfs property set $MNT/sv ro true
# Send and receive the subvolume into snaps/sv.
mkdir $MNT/snaps
btrfs send $MNT/sv | btrfs receive $MNT/snaps
# Now snapshot the received subvolume, which has a received_uuid, a
# lot of times to trigger the leaf overflow.
total=500
for ((i = 1; i <= $total; i++)); do
echo -ne "\rCreating snapshot $i/$total"
btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
done
echo
umount $MNT
When running the test:
$ ./test.sh
(...)
Create subvolume '/mnt/sdi/sv'
At subvol /mnt/sdi/sv
At subvol sv
Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
And in dmesg/syslog:
$ dmesg
(...)
[251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
[251067.629212] ------------[ cut here ]------------
[251067.630033] BTRFS: Transaction aborted (error -75)
[251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
[251067.632851] Modules linked in: btrfs dm_zero (...)
[251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[251067.646165] Tainted: [W]=WARN
[251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
[251067.649984] Code: f0 48 0f (...)
[251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
[251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
[251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
[251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
[251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
[251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
[251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
[251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
[251067.661972] Call Trace:
[251067.662292] <TASK>
[251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
[251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
[251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
[251067.665238] ? _raw_spin_unlock+0x15/0x30
[251067.665837] ? record_root_
---truncated---
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 9a9227b488ffb7cdbb5d930a01fc6956c05ba61a
(git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 6bce705b699cba9afccb996c77d194fe003dfa2a (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e3d8efc157bc590457d3e31da403af1a221643d6 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < bac55dde8efa457e769c934fd88a63f2141ba238 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 770af8e465c2c3de528f85e840eab462dd41542b (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < e1b18b959025e6b5dbad668f391f65d34b39595a (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a9227b488ffb7cdbb5d930a01fc6956c05ba61a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "6bce705b699cba9afccb996c77d194fe003dfa2a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "e3d8efc157bc590457d3e31da403af1a221643d6",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "bac55dde8efa457e769c934fd88a63f2141ba238",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "770af8e465c2c3de528f85e840eab462dd41542b",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "e1b18b959025e6b5dbad668f391f65d34b39595a",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/transaction.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort when snapshotting received subvolumes\n\nCurrently a user can trigger a transaction abort by snapshotting a\npreviously received snapshot a bunch of times until we reach a\nBTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we\ncan store in a leaf). This is very likely not common in practice, but\nif it happens, it turns the filesystem into RO mode. The snapshot, send\nand set_received_subvol and subvol_setflags (used by receive) don\u0027t\nrequire CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user\ncould use this to turn a filesystem into RO mode and disrupt a system.\n\nReproducer script:\n\n $ cat test.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # Create a subvolume and set it to RO so that it can be used for send.\n btrfs subvolume create $MNT/sv\n touch $MNT/sv/foo\n btrfs property set $MNT/sv ro true\n\n # Send and receive the subvolume into snaps/sv.\n mkdir $MNT/snaps\n btrfs send $MNT/sv | btrfs receive $MNT/snaps\n\n # Now snapshot the received subvolume, which has a received_uuid, a\n # lot of times to trigger the leaf overflow.\n total=500\n for ((i = 1; i \u003c= $total; i++)); do\n echo -ne \"\\rCreating snapshot $i/$total\"\n btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i \u003e /dev/null\n done\n echo\n\n umount $MNT\n\nWhen running the test:\n\n $ ./test.sh\n (...)\n Create subvolume \u0027/mnt/sdi/sv\u0027\n At subvol /mnt/sdi/sv\n At subvol sv\n Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type\n Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system\n Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system\n\nAnd in dmesg/syslog:\n\n $ dmesg\n (...)\n [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!\n [251067.629212] ------------[ cut here ]------------\n [251067.630033] BTRFS: Transaction aborted (error -75)\n [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235\n [251067.632851] Modules linked in: btrfs dm_zero (...)\n [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)\n [251067.646165] Tainted: [W]=WARN\n [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014\n [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]\n [251067.649984] Code: f0 48 0f (...)\n [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292\n [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3\n [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750\n [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820\n [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0\n [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5\n [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000\n [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0\n [251067.661972] Call Trace:\n [251067.662292] \u003cTASK\u003e\n [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]\n [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]\n [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]\n [251067.665238] ? _raw_spin_unlock+0x15/0x30\n [251067.665837] ? record_root_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:05.901Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a"
},
{
"url": "https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a"
},
{
"url": "https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6"
},
{
"url": "https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238"
},
{
"url": "https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b"
},
{
"url": "https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a"
}
],
"title": "btrfs: fix transaction abort when snapshotting received subvolumes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43361",
"datePublished": "2026-05-08T14:21:15.683Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:05.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43360 (GCVE-0-2026-43360)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
btrfs: fix transaction abort on file creation due to name hash collision
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on file creation due to name hash collision
If we attempt to create several files with names that result in the same
hash, we have to pack them in same dir item and that has a limit inherent
to the leaf size. However if we reach that limit, we trigger a transaction
abort and turns the filesystem into RO mode. This allows for a malicious
user to disrupt a system, without the need to have administration
privileges/capabilities.
Reproducer:
$ cat exploit-hash-collisions.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT
# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC
---truncated---
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
caae78e032343df525b8d05c58b462827f10b2a3 , < 36947b5200b89bbe3a63629c12d4b31c84c0af9f
(git)
Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 64ad49597d14c495ab8b7933bfefc83936a598e4 (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688 (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 9273175bf16c83f3ec93aa242d78c9b5db452d4d (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 0625e564290450c1921b115fc3d9abef74e055bd (git) Affected: caae78e032343df525b8d05c58b462827f10b2a3 , < 2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 (git) |
|
| Linux | Linux |
Affected:
5.19
Unaffected: 0 , < 5.19 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36947b5200b89bbe3a63629c12d4b31c84c0af9f",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "64ad49597d14c495ab8b7933bfefc83936a598e4",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "9273175bf16c83f3ec93aa242d78c9b5db452d4d",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "0625e564290450c1921b115fc3d9abef74e055bd",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
},
{
"lessThan": "2d1ababdedd4ba38867c2500eb7f95af5ddeeef7",
"status": "affected",
"version": "caae78e032343df525b8d05c58b462827f10b2a3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/inode.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on file creation due to name hash collision\n\nIf we attempt to create several files with names that result in the same\nhash, we have to pack them in same dir item and that has a limit inherent\nto the leaf size. However if we reach that limit, we trigger a transaction\nabort and turns the filesystem into RO mode. This allows for a malicious\nuser to disrupt a system, without the need to have administration\nprivileges/capabilities.\n\nReproducer:\n\n $ cat exploit-hash-collisions.sh\n #!/bin/bash\n\n DEV=/dev/sdi\n MNT=/mnt/sdi\n\n # Use smallest node size to make the test faster and require fewer file\n # names that result in hash collision.\n mkfs.btrfs -f --nodesize 4K $DEV\n mount $DEV $MNT\n\n # List of names that result in the same crc32c hash for btrfs.\n declare -a names=(\n \u0027foobar\u0027\n \u0027%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC\u0027\n \u0027AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z\u0027\n \u0027CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4\u0027\n \u0027ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:\u0027\n \u0027HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO\u0027\n \u0027Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us\u0027\n \u0027KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY\u0027\n \u0027NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO\u0027\n \u0027Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU\u0027\n \u0027Ono7avN5GjC:_6dBJ_\u0027\n \u0027WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am\u0027\n \u0027WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k\u0027\n \u0027XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2\u0027\n \u0027d3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd\u0027\n \u0027ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm\u0027\n \u0027evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ\u0027\n \u0027gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky\u0027\n \u0027hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS\u0027\n \u0027isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz\u0027\n \u0027kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu\u0027\n \u0027lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN\u0027\n \u0027rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4=\u0027\n \u0027uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn\u0027\n \u0027UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C\u0027\n \u0027y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW\u0027\n \u00278-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc\u0027\n \u0027YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:04.705Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36947b5200b89bbe3a63629c12d4b31c84c0af9f"
},
{
"url": "https://git.kernel.org/stable/c/64ad49597d14c495ab8b7933bfefc83936a598e4"
},
{
"url": "https://git.kernel.org/stable/c/5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688"
},
{
"url": "https://git.kernel.org/stable/c/9273175bf16c83f3ec93aa242d78c9b5db452d4d"
},
{
"url": "https://git.kernel.org/stable/c/0625e564290450c1921b115fc3d9abef74e055bd"
},
{
"url": "https://git.kernel.org/stable/c/2d1ababdedd4ba38867c2500eb7f95af5ddeeef7"
}
],
"title": "btrfs: fix transaction abort on file creation due to name hash collision",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43360",
"datePublished": "2026-05-08T14:21:15.008Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:04.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43359 (GCVE-0-2026-43359)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
btrfs: fix transaction abort on set received ioctl due to item overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on set received ioctl due to item overflow
If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < b9914db13ac15aca3b74544c0bb1a2e0dad1f174
(git)
Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < b19c0465e4daad5aa8f60552ea0578cf31a11b1e (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5 (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < d11aefe654a04fc41996d254748d6a38b6b0a7be (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 41fb97353ff58fa4f31904c343fc8e3df2f7517d (git) Affected: dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70 , < 87f2c46003fce4d739138aab4af1942b1afdadac (git) |
|
| Linux | Linux |
Affected:
3.12
Unaffected: 0 , < 3.12 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/uuid-tree.c",
"fs/btrfs/uuid-tree.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b9914db13ac15aca3b74544c0bb1a2e0dad1f174",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "b19c0465e4daad5aa8f60552ea0578cf31a11b1e",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "d11aefe654a04fc41996d254748d6a38b6b0a7be",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "41fb97353ff58fa4f31904c343fc8e3df2f7517d",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
},
{
"lessThan": "87f2c46003fce4d739138aab4af1942b1afdadac",
"status": "affected",
"version": "dd5f9615fc5c5e8d3751aab3a17b92768fb1ce70",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/ioctl.c",
"fs/btrfs/uuid-tree.c",
"fs/btrfs/uuid-tree.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on set received ioctl due to item overflow\n\nIf the set received ioctl fails due to an item overflow when attempting to\nadd the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction\nsince we did some metadata updates before.\n\nThis means that if a user calls this ioctl with the same received UUID\nfield for a lot of subvolumes, we will hit the overflow, trigger the\ntransaction abort and turn the filesystem into RO mode. A malicious user\ncould exploit this, and this ioctl does not even requires that a user\nhas admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.\n\nFix this by doing an early check for item overflow before starting a\ntransaction. This is also race safe because we are holding the subvol_sem\nsemaphore in exclusive (write) mode.\n\nA test case for fstests will follow soon."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:03.390Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174"
},
{
"url": "https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e"
},
{
"url": "https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5"
},
{
"url": "https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be"
},
{
"url": "https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d"
},
{
"url": "https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac"
}
],
"title": "btrfs: fix transaction abort on set received ioctl due to item overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43359",
"datePublished": "2026-05-08T14:21:14.357Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:03.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43358 (GCVE-0-2026-43358)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
Call rcu_read_lock() before exiting the loop in
try_release_subpage_extent_buffer() because there is a rcu_read_unlock()
call past the loop.
This has been detected by the Clang thread-safety analyzer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
ad580dfa388fabb52af033e3f8cc5d04be985e54 , < 5e1ab71f74a1e61f1254dff128a764fdebaec0b8
(git)
Affected: ad580dfa388fabb52af033e3f8cc5d04be985e54 , < 35b0c8768e848e1b7e32052db36b5fa59b6a33a1 (git) Affected: ad580dfa388fabb52af033e3f8cc5d04be985e54 , < b2840e33127ce0eea880504b7f133e780f567a9b (git) Affected: 10ec363cfefeeb77fda4c1ac20a531f21de45264 (git) |
|
| Linux | Linux |
Affected:
6.17
Unaffected: 0 , < 6.17 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5e1ab71f74a1e61f1254dff128a764fdebaec0b8",
"status": "affected",
"version": "ad580dfa388fabb52af033e3f8cc5d04be985e54",
"versionType": "git"
},
{
"lessThan": "35b0c8768e848e1b7e32052db36b5fa59b6a33a1",
"status": "affected",
"version": "ad580dfa388fabb52af033e3f8cc5d04be985e54",
"versionType": "git"
},
{
"lessThan": "b2840e33127ce0eea880504b7f133e780f567a9b",
"status": "affected",
"version": "ad580dfa388fabb52af033e3f8cc5d04be985e54",
"versionType": "git"
},
{
"status": "affected",
"version": "10ec363cfefeeb77fda4c1ac20a531f21de45264",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_io.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.16.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()\n\nCall rcu_read_lock() before exiting the loop in\ntry_release_subpage_extent_buffer() because there is a rcu_read_unlock()\ncall past the loop.\n\nThis has been detected by the Clang thread-safety analyzer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:01.981Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5e1ab71f74a1e61f1254dff128a764fdebaec0b8"
},
{
"url": "https://git.kernel.org/stable/c/35b0c8768e848e1b7e32052db36b5fa59b6a33a1"
},
{
"url": "https://git.kernel.org/stable/c/b2840e33127ce0eea880504b7f133e780f567a9b"
}
],
"title": "btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43358",
"datePublished": "2026-05-08T14:21:13.719Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:01.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43357 (GCVE-0-2026-43357)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
iio: gyro: mpu3050-core: fix pm_runtime error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: gyro: mpu3050-core: fix pm_runtime error handling
The return value of pm_runtime_get_sync() is not checked, allowing
the driver to access hardware that may fail to resume. The device
usage count is also unconditionally incremented. Use
pm_runtime_resume_and_get() which propagates errors and avoids
incrementing the usage count on failure.
In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()
failure since postdisable does not run when preenable fails.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 935f57dd43492240e1ca220dd065d624efece6be
(git)
Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 8544c488e50206f00630a8bbba43d2c8bd290345 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 2a86a396aa001a9f9ba2d37dda36573a76f17c90 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 66c0d1d600e7be034959cf49edab104cb5a39258 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 42685cf96e28262e0b84d74447f3d99f3f6a72e0 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < 7a3dec5b265cf87678b10c98a72a435a8e769bb7 (git) Affected: 3904b28efb2c780c23dcddfb87e07fe0230661e5 , < acc3949aab3e8094641a9c7c2768de1958c88378 (git) |
|
| Linux | Linux |
Affected:
4.10
Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "935f57dd43492240e1ca220dd065d624efece6be",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "8544c488e50206f00630a8bbba43d2c8bd290345",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "2a86a396aa001a9f9ba2d37dda36573a76f17c90",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "66c0d1d600e7be034959cf49edab104cb5a39258",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "42685cf96e28262e0b84d74447f3d99f3f6a72e0",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "7a3dec5b265cf87678b10c98a72a435a8e769bb7",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
},
{
"lessThan": "acc3949aab3e8094641a9c7c2768de1958c88378",
"status": "affected",
"version": "3904b28efb2c780c23dcddfb87e07fe0230661e5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/gyro/mpu3050-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: gyro: mpu3050-core: fix pm_runtime error handling\n\nThe return value of pm_runtime_get_sync() is not checked, allowing\nthe driver to access hardware that may fail to resume. The device\nusage count is also unconditionally incremented. Use\npm_runtime_resume_and_get() which propagates errors and avoids\nincrementing the usage count on failure.\n\nIn preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate()\nfailure since postdisable does not run when preenable fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:00.799Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be"
},
{
"url": "https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345"
},
{
"url": "https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677"
},
{
"url": "https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90"
},
{
"url": "https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258"
},
{
"url": "https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0"
},
{
"url": "https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7"
},
{
"url": "https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378"
}
],
"title": "iio: gyro: mpu3050-core: fix pm_runtime error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43357",
"datePublished": "2026-05-08T14:21:13.050Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:23:00.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43356 (GCVE-0-2026-43356)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
iio: imu: adis: Fix NULL pointer dereference in adis_init
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: imu: adis: Fix NULL pointer dereference in adis_init
The adis_init() function dereferences adis->ops to check if the
individual function pointers (write, read, reset) are NULL, but does
not first check if adis->ops itself is NULL.
Drivers like adis16480, adis16490, adis16545 and others do not set
custom ops and rely on adis_init() assigning the defaults. Since struct
adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL
when adis_init() is called, causing a NULL pointer dereference:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
pc : adis_init+0xc0/0x118
Call trace:
adis_init+0xc0/0x118
adis16480_probe+0xe0/0x670
Fix this by checking if adis->ops is NULL before dereferencing it,
falling through to assign the default ops in that case.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4 , < ba19dd366528b961430f5195c2e382420703074f
(git)
Affected: 3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4 , < 1a48f94c63a078e7b6a2e59a637fc0858dc6510c (git) Affected: 3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4 , < 9990cd4f8827bd1ae3fb6eb7407630d8d463c430 (git) |
|
| Linux | Linux |
Affected:
6.15
Unaffected: 0 , < 6.15 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/adis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ba19dd366528b961430f5195c2e382420703074f",
"status": "affected",
"version": "3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4",
"versionType": "git"
},
{
"lessThan": "1a48f94c63a078e7b6a2e59a637fc0858dc6510c",
"status": "affected",
"version": "3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4",
"versionType": "git"
},
{
"lessThan": "9990cd4f8827bd1ae3fb6eb7407630d8d463c430",
"status": "affected",
"version": "3b29bcee8f6f703a5952b85fc2ffcbcfb0862db4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/imu/adis.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.15"
},
{
"lessThan": "6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: adis: Fix NULL pointer dereference in adis_init\n\nThe adis_init() function dereferences adis-\u003eops to check if the\nindividual function pointers (write, read, reset) are NULL, but does\nnot first check if adis-\u003eops itself is NULL.\n\nDrivers like adis16480, adis16490, adis16545 and others do not set\ncustom ops and rely on adis_init() assigning the defaults. Since struct\nadis is zero-initialized by devm_iio_device_alloc(), adis-\u003eops is NULL\nwhen adis_init() is called, causing a NULL pointer dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n pc : adis_init+0xc0/0x118\n Call trace:\n adis_init+0xc0/0x118\n adis16480_probe+0xe0/0x670\n\nFix this by checking if adis-\u003eops is NULL before dereferencing it,\nfalling through to assign the default ops in that case."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:59.595Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ba19dd366528b961430f5195c2e382420703074f"
},
{
"url": "https://git.kernel.org/stable/c/1a48f94c63a078e7b6a2e59a637fc0858dc6510c"
},
{
"url": "https://git.kernel.org/stable/c/9990cd4f8827bd1ae3fb6eb7407630d8d463c430"
}
],
"title": "iio: imu: adis: Fix NULL pointer dereference in adis_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43356",
"datePublished": "2026-05-08T14:21:12.373Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:22:59.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43355 (GCVE-0-2026-43355)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
iio: light: bh1780: fix PM runtime leak on error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: light: bh1780: fix PM runtime leak on error path
Move pm_runtime_put_autosuspend() before the error check to ensure
the PM runtime reference count is always decremented after
pm_runtime_get_sync(), regardless of whether the read operation
succeeds or fails.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
1f0477f18306c018a954e4f333690a9d0f7efc76 , < 1eb3af4f59e09323788860a9155e9766b12891e5
(git)
Affected: 1f0477f18306c018a954e4f333690a9d0f7efc76 , < 424bf90e87134effe4bd932608a15286493b11ab (git) Affected: 1f0477f18306c018a954e4f333690a9d0f7efc76 , < fc77e0a5600e620a2ae51ec78933162fb217b20b (git) Affected: 1f0477f18306c018a954e4f333690a9d0f7efc76 , < aae572ddc28578af476cce7da3faec0395ef0bf0 (git) Affected: 1f0477f18306c018a954e4f333690a9d0f7efc76 , < 33661bfc85c14836bfef4425a74b0ca2df4bb5ad (git) Affected: 1f0477f18306c018a954e4f333690a9d0f7efc76 , < dd72e6c3cdea05cad24e99710939086f7a113fb5 (git) |
|
| Linux | Linux |
Affected:
4.7
Unaffected: 0 , < 4.7 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/light/bh1780.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1eb3af4f59e09323788860a9155e9766b12891e5",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
},
{
"lessThan": "424bf90e87134effe4bd932608a15286493b11ab",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
},
{
"lessThan": "fc77e0a5600e620a2ae51ec78933162fb217b20b",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
},
{
"lessThan": "aae572ddc28578af476cce7da3faec0395ef0bf0",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
},
{
"lessThan": "33661bfc85c14836bfef4425a74b0ca2df4bb5ad",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
},
{
"lessThan": "dd72e6c3cdea05cad24e99710939086f7a113fb5",
"status": "affected",
"version": "1f0477f18306c018a954e4f333690a9d0f7efc76",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/light/bh1780.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: bh1780: fix PM runtime leak on error path\n\nMove pm_runtime_put_autosuspend() before the error check to ensure\nthe PM runtime reference count is always decremented after\npm_runtime_get_sync(), regardless of whether the read operation\nsucceeds or fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:58.436Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1eb3af4f59e09323788860a9155e9766b12891e5"
},
{
"url": "https://git.kernel.org/stable/c/424bf90e87134effe4bd932608a15286493b11ab"
},
{
"url": "https://git.kernel.org/stable/c/fc77e0a5600e620a2ae51ec78933162fb217b20b"
},
{
"url": "https://git.kernel.org/stable/c/aae572ddc28578af476cce7da3faec0395ef0bf0"
},
{
"url": "https://git.kernel.org/stable/c/33661bfc85c14836bfef4425a74b0ca2df4bb5ad"
},
{
"url": "https://git.kernel.org/stable/c/dd72e6c3cdea05cad24e99710939086f7a113fb5"
}
],
"title": "iio: light: bh1780: fix PM runtime leak on error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43355",
"datePublished": "2026-05-08T14:21:11.609Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:22:58.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43354 (GCVE-0-2026-43354)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: proximity: hx9023s: Protect against division by zero in set_samp_freq
Avoid division by zero when sampling frequency is unspecified.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
60df548277b7281171f51b87b214ab6717fc6101 , < 451ec5e67444f8460f9706a1bde146b5bbc86ce6
(git)
Affected: 60df548277b7281171f51b87b214ab6717fc6101 , < ad9da7d39cecd3e92f54149ea0ebca390f33fe69 (git) Affected: 60df548277b7281171f51b87b214ab6717fc6101 , < 739fdfe65678d8e5dcf59496c56b32ab3ba3dbaa (git) Affected: 60df548277b7281171f51b87b214ab6717fc6101 , < a318cfc0853706f1d6ce682dba660bc455d674ef (git) |
|
| Linux | Linux |
Affected:
6.12
Unaffected: 0 , < 6.12 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/proximity/hx9023s.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "451ec5e67444f8460f9706a1bde146b5bbc86ce6",
"status": "affected",
"version": "60df548277b7281171f51b87b214ab6717fc6101",
"versionType": "git"
},
{
"lessThan": "ad9da7d39cecd3e92f54149ea0ebca390f33fe69",
"status": "affected",
"version": "60df548277b7281171f51b87b214ab6717fc6101",
"versionType": "git"
},
{
"lessThan": "739fdfe65678d8e5dcf59496c56b32ab3ba3dbaa",
"status": "affected",
"version": "60df548277b7281171f51b87b214ab6717fc6101",
"versionType": "git"
},
{
"lessThan": "a318cfc0853706f1d6ce682dba660bc455d674ef",
"status": "affected",
"version": "60df548277b7281171f51b87b214ab6717fc6101",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/proximity/hx9023s.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: proximity: hx9023s: Protect against division by zero in set_samp_freq\n\nAvoid division by zero when sampling frequency is unspecified."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:57.289Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/451ec5e67444f8460f9706a1bde146b5bbc86ce6"
},
{
"url": "https://git.kernel.org/stable/c/ad9da7d39cecd3e92f54149ea0ebca390f33fe69"
},
{
"url": "https://git.kernel.org/stable/c/739fdfe65678d8e5dcf59496c56b32ab3ba3dbaa"
},
{
"url": "https://git.kernel.org/stable/c/a318cfc0853706f1d6ce682dba660bc455d674ef"
}
],
"title": "iio: proximity: hx9023s: Protect against division by zero in set_samp_freq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43354",
"datePublished": "2026-05-08T14:21:10.949Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:22:57.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43353 (GCVE-0-2026-43353)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Fix race in DMA ring dequeue
The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that timeout around the same time. However, the
function is not serialized and can race with itself.
When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.
Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9ad9a52cce2828d932ae9495181e3d6414f72c07 , < b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e
(git)
Affected: 9ad9a52cce2828d932ae9495181e3d6414f72c07 , < 4faa1e9c67a2229f6749190aedaf88ce0391efd2 (git) Affected: 9ad9a52cce2828d932ae9495181e3d6414f72c07 , < 1dca8aee80eea76d2aae21265de5dd64f6ba0f09 (git) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i3c/master/mipi-i3c-hci/core.c",
"drivers/i3c/master/mipi-i3c-hci/dma.c",
"drivers/i3c/master/mipi-i3c-hci/hci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
},
{
"lessThan": "4faa1e9c67a2229f6749190aedaf88ce0391efd2",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
},
{
"lessThan": "1dca8aee80eea76d2aae21265de5dd64f6ba0f09",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i3c/master/mipi-i3c-hci/core.c",
"drivers/i3c/master/mipi-i3c-hci/dma.c",
"drivers/i3c/master/mipi-i3c-hci/hci.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Fix race in DMA ring dequeue\n\nThe HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for\nmultiple transfers that timeout around the same time. However, the\nfunction is not serialized and can race with itself.\n\nWhen a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes\nincomplete transfers, and then restarts the ring. If another timeout\ntriggers a parallel call into the same function, the two instances may\ninterfere with each other - stopping or restarting the ring at unexpected\ntimes.\n\nAdd a mutex so that hci_dma_dequeue_xfer() is serialized with respect to\nitself."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:56.101Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e"
},
{
"url": "https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2"
},
{
"url": "https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09"
}
],
"title": "i3c: mipi-i3c-hci: Fix race in DMA ring dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43353",
"datePublished": "2026-05-08T14:21:10.282Z",
"dateReserved": "2026-05-01T14:12:56.005Z",
"dateUpdated": "2026-05-11T22:22:56.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43352 (GCVE-0-2026-43352)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
Summary
In the Linux kernel, the following vulnerability has been resolved:
i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue
The logic used to abort the DMA ring contains several flaws:
1. The driver unconditionally issues a ring abort even when the ring has
already stopped.
2. The completion used to wait for abort completion is never
re-initialized, resulting in incorrect wait behavior.
3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which
resets hardware ring pointers and disrupts the controller state.
4. If the ring is already stopped, the abort operation should be
considered successful without attempting further action.
Fix the abort handling by checking whether the ring is running before
issuing an abort, re-initializing the completion when needed, ensuring that
RING_CTRL_ENABLE remains asserted during abort, and treating an already
stopped ring as a successful condition.
Severity ?
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9ad9a52cce2828d932ae9495181e3d6414f72c07 , < 003df94bcc9227e8e930abd03ac7f63ac10033dc
(git)
Affected: 9ad9a52cce2828d932ae9495181e3d6414f72c07 , < 5549611888f5ca2db5e8e692b57f30626ddf9898 (git) Affected: 9ad9a52cce2828d932ae9495181e3d6414f72c07 , < b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 (git) |
|
| Linux | Linux |
Affected:
5.11
Unaffected: 0 , < 5.11 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i3c/master/mipi-i3c-hci/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "003df94bcc9227e8e930abd03ac7f63ac10033dc",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
},
{
"lessThan": "5549611888f5ca2db5e8e692b57f30626ddf9898",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
},
{
"lessThan": "b795e68bf3073d67bebbb5a44d93f49efc5b8cc7",
"status": "affected",
"version": "9ad9a52cce2828d932ae9495181e3d6414f72c07",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i3c/master/mipi-i3c-hci/dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue\n\nThe logic used to abort the DMA ring contains several flaws:\n\n 1. The driver unconditionally issues a ring abort even when the ring has\n already stopped.\n 2. The completion used to wait for abort completion is never\n re-initialized, resulting in incorrect wait behavior.\n 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which\n resets hardware ring pointers and disrupts the controller state.\n 4. If the ring is already stopped, the abort operation should be\n considered successful without attempting further action.\n\nFix the abort handling by checking whether the ring is running before\nissuing an abort, re-initializing the completion when needed, ensuring that\nRING_CTRL_ENABLE remains asserted during abort, and treating an already\nstopped ring as a successful condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:54.935Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/003df94bcc9227e8e930abd03ac7f63ac10033dc"
},
{
"url": "https://git.kernel.org/stable/c/5549611888f5ca2db5e8e692b57f30626ddf9898"
},
{
"url": "https://git.kernel.org/stable/c/b795e68bf3073d67bebbb5a44d93f49efc5b8cc7"
}
],
"title": "i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43352",
"datePublished": "2026-05-08T14:21:09.552Z",
"dateReserved": "2026-05-01T14:12:56.004Z",
"dateUpdated": "2026-05-11T22:22:54.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43351 (GCVE-0-2026-43351)
Vulnerability from nvd – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:22
VLAI?
Title
KVM: arm64: Eagerly init vgic dist/redist on vgic creation
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Eagerly init vgic dist/redist on vgic creation
If vgic_allocate_private_irqs_locked() fails for any odd reason,
we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised.
kvm_vgic_dist_destroy() then comes along and walks into the weeds
trying to free the RDs. Got to love this stuff.
Solve it by moving all the static initialisation early, and make
sure that if we fail halfway, we're in a reasonable shape to
perform the rest of the teardown. While at it, reset the vgic model
on failure, just in case...
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b3aa9283c0c505b5cfd25f7d6cfd720de2adc807 , < b7493f48c3dba75674a4ee505b4afa8fe5102457
(git)
Affected: b3aa9283c0c505b5cfd25f7d6cfd720de2adc807 , < a24f1d80fbcdbf8b2a7044a00fa12b3972b4c31c (git) Affected: b3aa9283c0c505b5cfd25f7d6cfd720de2adc807 , < ac6769c8f948dff33265c50e524aebf9aa6f1be0 (git) |
|
| Linux | Linux |
Affected:
6.14
Unaffected: 0 , < 6.14 (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7493f48c3dba75674a4ee505b4afa8fe5102457",
"status": "affected",
"version": "b3aa9283c0c505b5cfd25f7d6cfd720de2adc807",
"versionType": "git"
},
{
"lessThan": "a24f1d80fbcdbf8b2a7044a00fa12b3972b4c31c",
"status": "affected",
"version": "b3aa9283c0c505b5cfd25f7d6cfd720de2adc807",
"versionType": "git"
},
{
"lessThan": "ac6769c8f948dff33265c50e524aebf9aa6f1be0",
"status": "affected",
"version": "b3aa9283c0c505b5cfd25f7d6cfd720de2adc807",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-init.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.14"
},
{
"lessThan": "6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Eagerly init vgic dist/redist on vgic creation\n\nIf vgic_allocate_private_irqs_locked() fails for any odd reason,\nwe exit kvm_vgic_create() early, leaving dist-\u003erd_regions uninitialised.\n\nkvm_vgic_dist_destroy() then comes along and walks into the weeds\ntrying to free the RDs. Got to love this stuff.\n\nSolve it by moving all the static initialisation early, and make\nsure that if we fail halfway, we\u0027re in a reasonable shape to\nperform the rest of the teardown. While at it, reset the vgic model\non failure, just in case..."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:53.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7493f48c3dba75674a4ee505b4afa8fe5102457"
},
{
"url": "https://git.kernel.org/stable/c/a24f1d80fbcdbf8b2a7044a00fa12b3972b4c31c"
},
{
"url": "https://git.kernel.org/stable/c/ac6769c8f948dff33265c50e524aebf9aa6f1be0"
}
],
"title": "KVM: arm64: Eagerly init vgic dist/redist on vgic creation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43351",
"datePublished": "2026-05-08T14:21:08.868Z",
"dateReserved": "2026-05-01T14:12:56.003Z",
"dateUpdated": "2026-05-11T22:22:53.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from cvelistv5 – Published: 2026-05-11 06:26 – Updated: 2026-05-17 15:21
VLAI?
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b
(git)
Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git) Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) |
|
| Linux | Linux |
Affected:
5.3
Unaffected: 0 , < 5.3 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.29 , ≤ 6.18.* (semver) Unaffected: 7.0.6 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:39.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-05-17T15:21:39.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43377 (GCVE-0-2026-43377)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI?
Title
ksmbd: Don't log keys in SMB3 signing and encryption key generation
Summary
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: Don't log keys in SMB3 signing and encryption key generation
When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and
generate_smb3encryptionkey() log the session, signing, encryption, and
decryption key bytes. Remove the logs to avoid exposing credentials.
Severity ?
8.1 (High)
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 4084ed720d7d5f4e975c9e4a6267a552dad3b24a
(git)
Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < fec5c70b82af3f59f15bb984df94e5ad1fccfb1e (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 407cc37c21d51f9b9d4d20204b04890880cfa6ae (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c6b01b997a2094969e315f1ebfc1d64b8ae2163d (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 441336115df26b966575de56daf7107ed474faed (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/server/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4084ed720d7d5f4e975c9e4a6267a552dad3b24a",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "fec5c70b82af3f59f15bb984df94e5ad1fccfb1e",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "407cc37c21d51f9b9d4d20204b04890880cfa6ae",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "c6b01b997a2094969e315f1ebfc1d64b8ae2163d",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
},
{
"lessThan": "441336115df26b966575de56daf7107ed474faed",
"status": "affected",
"version": "e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/server/auth.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: Don\u0027t log keys in SMB3 signing and encryption key generation\n\nWhen KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and\ngenerate_smb3encryptionkey() log the session, signing, encryption, and\ndecryption key bytes. Remove the logs to avoid exposing credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:24.655Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4084ed720d7d5f4e975c9e4a6267a552dad3b24a"
},
{
"url": "https://git.kernel.org/stable/c/fec5c70b82af3f59f15bb984df94e5ad1fccfb1e"
},
{
"url": "https://git.kernel.org/stable/c/3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f"
},
{
"url": "https://git.kernel.org/stable/c/407cc37c21d51f9b9d4d20204b04890880cfa6ae"
},
{
"url": "https://git.kernel.org/stable/c/c6b01b997a2094969e315f1ebfc1d64b8ae2163d"
},
{
"url": "https://git.kernel.org/stable/c/441336115df26b966575de56daf7107ed474faed"
}
],
"title": "ksmbd: Don\u0027t log keys in SMB3 signing and encryption key generation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43377",
"datePublished": "2026-05-08T14:21:26.618Z",
"dateReserved": "2026-05-01T14:12:56.006Z",
"dateUpdated": "2026-05-11T22:23:24.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}