Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
14413 vulnerabilities by Linux
CVE-2026-23416 (GCVE-0-2026-23416)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
mm/mseal: update VMA end correctly on merge
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/mseal: update VMA end correctly on merge
Previously we stored the end of the current VMA in curr_end, and then upon
iterating to the next VMA updated curr_start to curr_end to advance to the
next VMA.
However, this doesn't take into account the fact that a VMA might be
updated due to a merge by vma_modify_flags(), which can result in curr_end
being stale and thus, upon setting curr_start to curr_end, ending up with
an incorrect curr_start on the next iteration.
Resolve the issue by setting curr_end to vma->vm_end unconditionally to
ensure this value remains updated should this occur.
While we're here, eliminate this entire class of bug by simply setting
const curr_[start/end] to be clamped to the input range and VMAs, which
also happens to simplify the logic.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6c2da14ae1e0a0146587381594559027bd46c059 , < 40b3f4700e5535fbe74738cebb9379a40ec66bed
(git)
Affected: 6c2da14ae1e0a0146587381594559027bd46c059 , < 83737e34b83a23b2a9bcf586b058b2c2a54c7c6b (git) Affected: 6c2da14ae1e0a0146587381594559027bd46c059 , < 2697dd8ae721db4f6a53d4f4cbd438212a80f8dc (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/mseal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "40b3f4700e5535fbe74738cebb9379a40ec66bed",
"status": "affected",
"version": "6c2da14ae1e0a0146587381594559027bd46c059",
"versionType": "git"
},
{
"lessThan": "83737e34b83a23b2a9bcf586b058b2c2a54c7c6b",
"status": "affected",
"version": "6c2da14ae1e0a0146587381594559027bd46c059",
"versionType": "git"
},
{
"lessThan": "2697dd8ae721db4f6a53d4f4cbd438212a80f8dc",
"status": "affected",
"version": "6c2da14ae1e0a0146587381594559027bd46c059",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/mseal.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc6",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mseal: update VMA end correctly on merge\n\nPreviously we stored the end of the current VMA in curr_end, and then upon\niterating to the next VMA updated curr_start to curr_end to advance to the\nnext VMA.\n\nHowever, this doesn\u0027t take into account the fact that a VMA might be\nupdated due to a merge by vma_modify_flags(), which can result in curr_end\nbeing stale and thus, upon setting curr_start to curr_end, ending up with\nan incorrect curr_start on the next iteration.\n\nResolve the issue by setting curr_end to vma-\u003evm_end unconditionally to\nensure this value remains updated should this occur.\n\nWhile we\u0027re here, eliminate this entire class of bug by simply setting\nconst curr_[start/end] to be clamped to the input range and VMAs, which\nalso happens to simplify the logic."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:57.158Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/40b3f4700e5535fbe74738cebb9379a40ec66bed"
},
{
"url": "https://git.kernel.org/stable/c/83737e34b83a23b2a9bcf586b058b2c2a54c7c6b"
},
{
"url": "https://git.kernel.org/stable/c/2697dd8ae721db4f6a53d4f4cbd438212a80f8dc"
}
],
"title": "mm/mseal: update VMA end correctly on merge",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23416",
"datePublished": "2026-04-02T11:40:57.158Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-02T11:40:57.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23417 (GCVE-0-2026-23417)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
bpf: Fix constant blinding for PROBE_MEM32 stores
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix constant blinding for PROBE_MEM32 stores
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by
bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to
survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.
The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM
to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,
before bpf_jit_blind_constants() runs during JIT compilation. The
blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not
BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through
unblinded.
Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the
existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:
load the blinded immediate into BPF_REG_AX via mov+xor, then convert
the immediate store to a register store (BPF_STX).
The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so
the architecture JIT emits the correct arena addressing (R12-based on
x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes
BPF_MEM mode; construct the instruction directly instead.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
6082b6c328b5486da2b356eae94b8b83c98b5565 , < 56af722756ed82fee2ae5d5b4d04743407506195
(git)
Affected: 6082b6c328b5486da2b356eae94b8b83c98b5565 , < ccbf29b28b5554f9d65b2fb53b994673ad58b3bf (git) Affected: 6082b6c328b5486da2b356eae94b8b83c98b5565 , < de641ea08f8fff6906e169d2576c2ac54e562fbb (git) Affected: 6082b6c328b5486da2b356eae94b8b83c98b5565 , < 2321a9596d2260310267622e0ad8fbfa6f95378f (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "56af722756ed82fee2ae5d5b4d04743407506195",
"status": "affected",
"version": "6082b6c328b5486da2b356eae94b8b83c98b5565",
"versionType": "git"
},
{
"lessThan": "ccbf29b28b5554f9d65b2fb53b994673ad58b3bf",
"status": "affected",
"version": "6082b6c328b5486da2b356eae94b8b83c98b5565",
"versionType": "git"
},
{
"lessThan": "de641ea08f8fff6906e169d2576c2ac54e562fbb",
"status": "affected",
"version": "6082b6c328b5486da2b356eae94b8b83c98b5565",
"versionType": "git"
},
{
"lessThan": "2321a9596d2260310267622e0ad8fbfa6f95378f",
"status": "affected",
"version": "6082b6c328b5486da2b356eae94b8b83c98b5565",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix constant blinding for PROBE_MEM32 stores\n\nBPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by\nbpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to\nsurvive unblinded into JIT-compiled native code when bpf_jit_harden \u003e= 1.\n\nThe root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM\nto BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,\nbefore bpf_jit_blind_constants() runs during JIT compilation. The\nblinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not\nBPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through\nunblinded.\n\nAdd BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the\nexisting BPF_ST|BPF_MEM cases. The blinding transformation is identical:\nload the blinded immediate into BPF_REG_AX via mov+xor, then convert\nthe immediate store to a register store (BPF_STX).\n\nThe rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so\nthe architecture JIT emits the correct arena addressing (R12-based on\nx86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes\nBPF_MEM mode; construct the instruction directly instead."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:57.837Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/56af722756ed82fee2ae5d5b4d04743407506195"
},
{
"url": "https://git.kernel.org/stable/c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf"
},
{
"url": "https://git.kernel.org/stable/c/de641ea08f8fff6906e169d2576c2ac54e562fbb"
},
{
"url": "https://git.kernel.org/stable/c/2321a9596d2260310267622e0ad8fbfa6f95378f"
}
],
"title": "bpf: Fix constant blinding for PROBE_MEM32 stores",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23417",
"datePublished": "2026-04-02T11:40:57.837Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-02T11:40:57.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23415 (GCVE-0-2026-23415)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
Summary
In the Linux kernel, the following vulnerability has been resolved:
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().
This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
Fix by adding rcu to __mpol_put().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c042c505210dc3453f378df432c10fff3d471bc5 , < 853f70c67d1b37e368fdcb3e328c4b8c04f53ac0
(git)
Affected: c042c505210dc3453f378df432c10fff3d471bc5 , < 7e196194ea27bd49adf3551e2aceb83498eb73fe (git) Affected: c042c505210dc3453f378df432c10fff3d471bc5 , < 190a8c48ff623c3d67cb295b4536a660db2012aa (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mempolicy.h",
"kernel/futex/core.c",
"mm/mempolicy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "853f70c67d1b37e368fdcb3e328c4b8c04f53ac0",
"status": "affected",
"version": "c042c505210dc3453f378df432c10fff3d471bc5",
"versionType": "git"
},
{
"lessThan": "7e196194ea27bd49adf3551e2aceb83498eb73fe",
"status": "affected",
"version": "c042c505210dc3453f378df432c10fff3d471bc5",
"versionType": "git"
},
{
"lessThan": "190a8c48ff623c3d67cb295b4536a660db2012aa",
"status": "affected",
"version": "c042c505210dc3453f378df432c10fff3d471bc5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mempolicy.h",
"kernel/futex/core.c",
"mm/mempolicy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc6",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()\n\nDuring futex_key_to_node_opt() execution, vma-\u003evm_policy is read under\nspeculative mmap lock and RCU. Concurrently, mbind() may call\nvma_replace_policy() which frees the old mempolicy immediately via\nkmem_cache_free().\n\nThis creates a race where __futex_key_to_node() dereferences a freed\nmempolicy pointer, causing a use-after-free read of mpol-\u003emode.\n\n[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)\n[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87\n\n[ 151.415969] Call Trace:\n\n[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)\n[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)\n[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)\n\nFix by adding rcu to __mpol_put()."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:56.476Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/853f70c67d1b37e368fdcb3e328c4b8c04f53ac0"
},
{
"url": "https://git.kernel.org/stable/c/7e196194ea27bd49adf3551e2aceb83498eb73fe"
},
{
"url": "https://git.kernel.org/stable/c/190a8c48ff623c3d67cb295b4536a660db2012aa"
}
],
"title": "futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23415",
"datePublished": "2026-04-02T11:40:56.476Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-02T11:40:56.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23414 (GCVE-0-2026-23414)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
tls: Purge async_hold in tls_decrypt_async_wait()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tls: Purge async_hold in tls_decrypt_async_wait()
The async_hold queue pins encrypted input skbs while
the AEAD engine references their scatterlist data. Once
tls_decrypt_async_wait() returns, every AEAD operation
has completed and the engine no longer references those
skbs, so they can be freed unconditionally.
A subsequent patch adds batch async decryption to
tls_sw_read_sock(), introducing a new call site that
must drain pending AEAD operations and release held
skbs. Move __skb_queue_purge(&ctx->async_hold) into
tls_decrypt_async_wait() so the purge is centralized
and every caller -- recvmsg's drain path, the -EBUSY
fallback in tls_do_decryption(), and the new read_sock
batch path -- releases held skbs on synchronization
without each site managing the purge independently.
This fixes a leak when tls_strp_msg_hold() fails part-way through,
after having added some cloned skbs to the async_hold
queue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to
process all pending decrypts, and drop back to synchronous mode, but
tls_sw_recvmsg() only flushes the async_hold queue when one record has
been processed in "fully-async" mode, which may not be the case here.
[pabeni@redhat.com: added leak comment]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c61d4368197d65c4809d9271f3b85325a600586a , < 2dcf324855c34e7f934ce978aa19b645a8f3ee71
(git)
Affected: 39dec4ea3daf77f684308576baf483b55ca7f160 , < 6dc11e0bd0a5466bcc76d275c09e5537bd0597dd (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 9f557c7eae127b44d2e863917dc986a4b6cb1269 (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < fd8037e1f18ca5336934d0e0e7e1a4fe097e749d (git) Affected: b8a6ff84abbcbbc445463de58704686011edc8e1 , < 84a8335d8300576f1b377ae24abca1d9f197807f (git) Affected: 9f83fd0c179e0f458e824e417f9d5ad53443f685 (git) Affected: 4fc109d0ab196bd943b7451276690fb6bb48c2e0 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2dcf324855c34e7f934ce978aa19b645a8f3ee71",
"status": "affected",
"version": "c61d4368197d65c4809d9271f3b85325a600586a",
"versionType": "git"
},
{
"lessThan": "6dc11e0bd0a5466bcc76d275c09e5537bd0597dd",
"status": "affected",
"version": "39dec4ea3daf77f684308576baf483b55ca7f160",
"versionType": "git"
},
{
"lessThan": "9f557c7eae127b44d2e863917dc986a4b6cb1269",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "fd8037e1f18ca5336934d0e0e7e1a4fe097e749d",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"lessThan": "84a8335d8300576f1b377ae24abca1d9f197807f",
"status": "affected",
"version": "b8a6ff84abbcbbc445463de58704686011edc8e1",
"versionType": "git"
},
{
"status": "affected",
"version": "9f83fd0c179e0f458e824e417f9d5ad53443f685",
"versionType": "git"
},
{
"status": "affected",
"version": "4fc109d0ab196bd943b7451276690fb6bb48c2e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tls/tls_sw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "6.6.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "6.12.55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc6",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.158",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: Purge async_hold in tls_decrypt_async_wait()\n\nThe async_hold queue pins encrypted input skbs while\nthe AEAD engine references their scatterlist data. Once\ntls_decrypt_async_wait() returns, every AEAD operation\nhas completed and the engine no longer references those\nskbs, so they can be freed unconditionally.\n\nA subsequent patch adds batch async decryption to\ntls_sw_read_sock(), introducing a new call site that\nmust drain pending AEAD operations and release held\nskbs. Move __skb_queue_purge(\u0026ctx-\u003easync_hold) into\ntls_decrypt_async_wait() so the purge is centralized\nand every caller -- recvmsg\u0027s drain path, the -EBUSY\nfallback in tls_do_decryption(), and the new read_sock\nbatch path -- releases held skbs on synchronization\nwithout each site managing the purge independently.\n\nThis fixes a leak when tls_strp_msg_hold() fails part-way through,\nafter having added some cloned skbs to the async_hold\nqueue. tls_decrypt_sg() will then call tls_decrypt_async_wait() to\nprocess all pending decrypts, and drop back to synchronous mode, but\ntls_sw_recvmsg() only flushes the async_hold queue when one record has\nbeen processed in \"fully-async\" mode, which may not be the case here.\n\n[pabeni@redhat.com: added leak comment]"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:55.746Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dcf324855c34e7f934ce978aa19b645a8f3ee71"
},
{
"url": "https://git.kernel.org/stable/c/6dc11e0bd0a5466bcc76d275c09e5537bd0597dd"
},
{
"url": "https://git.kernel.org/stable/c/9f557c7eae127b44d2e863917dc986a4b6cb1269"
},
{
"url": "https://git.kernel.org/stable/c/fd8037e1f18ca5336934d0e0e7e1a4fe097e749d"
},
{
"url": "https://git.kernel.org/stable/c/84a8335d8300576f1b377ae24abca1d9f197807f"
}
],
"title": "tls: Purge async_hold in tls_decrypt_async_wait()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23414",
"datePublished": "2026-04-02T11:40:55.746Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-02T11:40:55.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23413 (GCVE-0-2026-23413)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
clsact: Fix use-after-free in init/destroy rollback asymmetry
Summary
In the Linux kernel, the following vulnerability has been resolved:
clsact: Fix use-after-free in init/destroy rollback asymmetry
Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.
The latter is achieved by first fully initializing a clsact instance, and
then in a second step having a replacement failure for the new clsact qdisc
instance. clsact_init() initializes ingress first and then takes care of the
egress part. This can fail midway, for example, via tcf_block_get_ext(). Upon
failure, the kernel will trigger the clsact_destroy() callback.
Commit 1cb6f0bae504 ("bpf: Fix too early release of tcx_entry") details the
way how the transition is happening. If tcf_block_get_ext on the q->ingress_block
ends up failing, we took the tcx_miniq_inc reference count on the ingress
side, but not yet on the egress side. clsact_destroy() tests whether the
{ingress,egress}_entry was non-NULL. However, even in midway failure on the
replacement, both are in fact non-NULL with a valid egress_entry from the
previous clsact instance.
What we really need to test for is whether the qdisc instance-specific ingress
or egress side previously got initialized. This adds a small helper for checking
the miniq initialization called mini_qdisc_pair_inited, and utilizes that upon
clsact_destroy() in order to fix the use-after-free scenario. Convert the
ingress_destroy() side as well so both are consistent to each other.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
230bb13650b0f186f540500fd5f5f7096a822a2a , < a73d95b57bf9faebdfed591bcb7ed9292062a84c
(git)
Affected: 1cb6f0bae50441f4b4b32a28315853b279c7404e , < 37bef86e5428d59f70a4da82b80f9a8f252fecbe (git) Affected: 1cb6f0bae50441f4b4b32a28315853b279c7404e , < 4c9af67f99aa3e51b522c54968ab3ac8272be41c (git) Affected: 1cb6f0bae50441f4b4b32a28315853b279c7404e , < 0509b762bc5e8ea7b8391130730c6d8502fc6e69 (git) Affected: 1cb6f0bae50441f4b4b32a28315853b279c7404e , < a0671125d4f55e1e98d9bde8a0b671941987e208 (git) Affected: f61ecf1bd5b562ebfd7d430ccb31619857e80857 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_ingress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a73d95b57bf9faebdfed591bcb7ed9292062a84c",
"status": "affected",
"version": "230bb13650b0f186f540500fd5f5f7096a822a2a",
"versionType": "git"
},
{
"lessThan": "37bef86e5428d59f70a4da82b80f9a8f252fecbe",
"status": "affected",
"version": "1cb6f0bae50441f4b4b32a28315853b279c7404e",
"versionType": "git"
},
{
"lessThan": "4c9af67f99aa3e51b522c54968ab3ac8272be41c",
"status": "affected",
"version": "1cb6f0bae50441f4b4b32a28315853b279c7404e",
"versionType": "git"
},
{
"lessThan": "0509b762bc5e8ea7b8391130730c6d8502fc6e69",
"status": "affected",
"version": "1cb6f0bae50441f4b4b32a28315853b279c7404e",
"versionType": "git"
},
{
"lessThan": "a0671125d4f55e1e98d9bde8a0b671941987e208",
"status": "affected",
"version": "1cb6f0bae50441f4b4b32a28315853b279c7404e",
"versionType": "git"
},
{
"status": "affected",
"version": "f61ecf1bd5b562ebfd7d430ccb31619857e80857",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_ingress.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclsact: Fix use-after-free in init/destroy rollback asymmetry\n\nFix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry.\nThe latter is achieved by first fully initializing a clsact instance, and\nthen in a second step having a replacement failure for the new clsact qdisc\ninstance. clsact_init() initializes ingress first and then takes care of the\negress part. This can fail midway, for example, via tcf_block_get_ext(). Upon\nfailure, the kernel will trigger the clsact_destroy() callback.\n\nCommit 1cb6f0bae504 (\"bpf: Fix too early release of tcx_entry\") details the\nway how the transition is happening. If tcf_block_get_ext on the q-\u003eingress_block\nends up failing, we took the tcx_miniq_inc reference count on the ingress\nside, but not yet on the egress side. clsact_destroy() tests whether the\n{ingress,egress}_entry was non-NULL. However, even in midway failure on the\nreplacement, both are in fact non-NULL with a valid egress_entry from the\nprevious clsact instance.\n\nWhat we really need to test for is whether the qdisc instance-specific ingress\nor egress side previously got initialized. This adds a small helper for checking\nthe miniq initialization called mini_qdisc_pair_inited, and utilizes that upon\nclsact_destroy() in order to fix the use-after-free scenario. Convert the\ningress_destroy() side as well so both are consistent to each other."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:54.384Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a73d95b57bf9faebdfed591bcb7ed9292062a84c"
},
{
"url": "https://git.kernel.org/stable/c/37bef86e5428d59f70a4da82b80f9a8f252fecbe"
},
{
"url": "https://git.kernel.org/stable/c/4c9af67f99aa3e51b522c54968ab3ac8272be41c"
},
{
"url": "https://git.kernel.org/stable/c/0509b762bc5e8ea7b8391130730c6d8502fc6e69"
},
{
"url": "https://git.kernel.org/stable/c/a0671125d4f55e1e98d9bde8a0b671941987e208"
}
],
"title": "clsact: Fix use-after-free in init/destroy rollback asymmetry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23413",
"datePublished": "2026-04-02T11:40:54.384Z",
"dateReserved": "2026-01-13T15:37:46.014Z",
"dateUpdated": "2026-04-02T11:40:54.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23412 (GCVE-0-2026-23412)
Vulnerability from cvelistv5 – Published: 2026-04-02 11:40 – Updated: 2026-04-02 11:40
VLAI?
Title
netfilter: bpf: defer hook memory release until rcu readers are done
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: defer hook memory release until rcu readers are done
Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:
BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
<TASK>
nfnl_hook_dump_one.isra.0+0xe71/0x10f0
netlink_dump+0x554/0x12b0
nfnl_hook_get+0x176/0x230
[..]
Defer release until after concurrent readers have completed.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
84601d6ee68ae820dec97450934797046d62db4b , < d016c216bc75c45128160593a77b864a04dbe7c0
(git)
Affected: 84601d6ee68ae820dec97450934797046d62db4b , < cb2bf5efdb02a2a59faf603604a1066e8266f349 (git) Affected: 84601d6ee68ae820dec97450934797046d62db4b , < c25e0dec366ae99b7264324ce3c7cbaea34691f9 (git) Affected: 84601d6ee68ae820dec97450934797046d62db4b , < 54244d54a971c26a0cd0a9073460ff71f3c51b32 (git) Affected: 84601d6ee68ae820dec97450934797046d62db4b , < 24f90fa3994b992d1a09003a3db2599330a5232a (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_bpf_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d016c216bc75c45128160593a77b864a04dbe7c0",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "cb2bf5efdb02a2a59faf603604a1066e8266f349",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "c25e0dec366ae99b7264324ce3c7cbaea34691f9",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "54244d54a971c26a0cd0a9073460ff71f3c51b32",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
},
{
"lessThan": "24f90fa3994b992d1a09003a3db2599330a5232a",
"status": "affected",
"version": "84601d6ee68ae820dec97450934797046d62db4b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_bpf_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bpf: defer hook memory release until rcu readers are done\n\nYiming Qian reports UaF when concurrent process is dumping hooks via\nnfnetlink_hooks:\n\nBUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0\nRead of size 8 at addr ffff888003edbf88 by task poc/79\nCall Trace:\n \u003cTASK\u003e\n nfnl_hook_dump_one.isra.0+0xe71/0x10f0\n netlink_dump+0x554/0x12b0\n nfnl_hook_get+0x176/0x230\n [..]\n\nDefer release until after concurrent readers have completed."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:40:53.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d016c216bc75c45128160593a77b864a04dbe7c0"
},
{
"url": "https://git.kernel.org/stable/c/cb2bf5efdb02a2a59faf603604a1066e8266f349"
},
{
"url": "https://git.kernel.org/stable/c/c25e0dec366ae99b7264324ce3c7cbaea34691f9"
},
{
"url": "https://git.kernel.org/stable/c/54244d54a971c26a0cd0a9073460ff71f3c51b32"
},
{
"url": "https://git.kernel.org/stable/c/24f90fa3994b992d1a09003a3db2599330a5232a"
}
],
"title": "netfilter: bpf: defer hook memory release until rcu readers are done",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23412",
"datePublished": "2026-04-02T11:40:53.528Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T11:40:53.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23410 (GCVE-0-2026-23410)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: fix race on rawdata dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix race on rawdata dereference
There is a race condition that leads to a use-after-free situation:
because the rawdata inodes are not refcounted, an attacker can start
open()ing one of the rawdata files, and at the same time remove the
last reference to this rawdata (by removing the corresponding profile,
for example), which frees its struct aa_loaddata; as a result, when
seq_rawdata_open() is reached, i_private is a dangling pointer and
freed memory is accessed.
The rawdata inodes weren't refcounted to avoid a circular refcount and
were supposed to be held by the profile rawdata reference. However
during profile removal there is a window where the vfs and profile
destruction race, resulting in the use after free.
Fix this by moving to a double refcount scheme. Where the profile
refcount on rawdata is used to break the circular dependency. Allowing
for freeing of the rawdata once all inode references to the rawdata
are put.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5d5182cae40115c03933989473288e54afb39c7c , < 6ef1f2926c41ab96952d9696d55a052f1b3a9418
(git)
Affected: 5d5182cae40115c03933989473288e54afb39c7c , < f9761add6d100962a23996cb68f3d6abdd4d1815 (git) Affected: 5d5182cae40115c03933989473288e54afb39c7c , < af782cc8871e3683ddd5a3cd2f7df526599863a9 (git) Affected: 5d5182cae40115c03933989473288e54afb39c7c , < 763e838adc3c7ec5a7df2990ce84cad951e42721 (git) Affected: 5d5182cae40115c03933989473288e54afb39c7c , < a0b7091c4de45a7325c8780e6934a894f92ac86b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/policy.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6ef1f2926c41ab96952d9696d55a052f1b3a9418",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "f9761add6d100962a23996cb68f3d6abdd4d1815",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "af782cc8871e3683ddd5a3cd2f7df526599863a9",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "763e838adc3c7ec5a7df2990ce84cad951e42721",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
},
{
"lessThan": "a0b7091c4de45a7325c8780e6934a894f92ac86b",
"status": "affected",
"version": "5d5182cae40115c03933989473288e54afb39c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/policy.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race on rawdata dereference\n\nThere is a race condition that leads to a use-after-free situation:\nbecause the rawdata inodes are not refcounted, an attacker can start\nopen()ing one of the rawdata files, and at the same time remove the\nlast reference to this rawdata (by removing the corresponding profile,\nfor example), which frees its struct aa_loaddata; as a result, when\nseq_rawdata_open() is reached, i_private is a dangling pointer and\nfreed memory is accessed.\n\nThe rawdata inodes weren\u0027t refcounted to avoid a circular refcount and\nwere supposed to be held by the profile rawdata reference. However\nduring profile removal there is a window where the vfs and profile\ndestruction race, resulting in the use after free.\n\nFix this by moving to a double refcount scheme. Where the profile\nrefcount on rawdata is used to break the circular dependency. Allowing\nfor freeing of the rawdata once all inode references to the rawdata\nare put."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:38.665Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6ef1f2926c41ab96952d9696d55a052f1b3a9418"
},
{
"url": "https://git.kernel.org/stable/c/f9761add6d100962a23996cb68f3d6abdd4d1815"
},
{
"url": "https://git.kernel.org/stable/c/af782cc8871e3683ddd5a3cd2f7df526599863a9"
},
{
"url": "https://git.kernel.org/stable/c/763e838adc3c7ec5a7df2990ce84cad951e42721"
},
{
"url": "https://git.kernel.org/stable/c/a0b7091c4de45a7325c8780e6934a894f92ac86b"
}
],
"title": "apparmor: fix race on rawdata dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23410",
"datePublished": "2026-04-01T08:36:39.202Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T14:44:38.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23411 (GCVE-0-2026-23411)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: fix race between freeing data and fs accessing it
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix race between freeing data and fs accessing it
AppArmor was putting the reference to i_private data on its end after
removing the original entry from the file system. However the inode
can aand does live beyond that point and it is possible that some of
the fs call back functions will be invoked after the reference has
been put, which results in a race between freeing the data and
accessing it through the fs.
While the rawdata/loaddata is the most likely candidate to fail the
race, as it has the fewest references. If properly crafted it might be
possible to trigger a race for the other types stored in i_private.
Fix this by moving the put of i_private referenced data to the correct
place which is during inode eviction.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c961ee5f21b202dea60b63eeef945730d92e46a6 , < ae10787d955fb255d381e0d5589451dd72c614b1
(git)
Affected: c961ee5f21b202dea60b63eeef945730d92e46a6 , < eecce026399917f6efa532c56bc7a3e9dd6ee68b (git) Affected: c961ee5f21b202dea60b63eeef945730d92e46a6 , < 13bc2772414d68e94e273dea013181a986948ddf (git) Affected: c961ee5f21b202dea60b63eeef945730d92e46a6 , < 2a732ed26fbd048e7925d227af8cf9ea43fb5cc9 (git) Affected: c961ee5f21b202dea60b63eeef945730d92e46a6 , < 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/label.h",
"security/apparmor/include/lib.h",
"security/apparmor/include/policy.h",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/label.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ae10787d955fb255d381e0d5589451dd72c614b1",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "eecce026399917f6efa532c56bc7a3e9dd6ee68b",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "13bc2772414d68e94e273dea013181a986948ddf",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "2a732ed26fbd048e7925d227af8cf9ea43fb5cc9",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
},
{
"lessThan": "8e135b8aee5a06c52a4347a5a6d51223c6f36ba3",
"status": "affected",
"version": "c961ee5f21b202dea60b63eeef945730d92e46a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/apparmorfs.c",
"security/apparmor/include/label.h",
"security/apparmor/include/lib.h",
"security/apparmor/include/policy.h",
"security/apparmor/include/policy_unpack.h",
"security/apparmor/label.c",
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix race between freeing data and fs accessing it\n\nAppArmor was putting the reference to i_private data on its end after\nremoving the original entry from the file system. However the inode\ncan aand does live beyond that point and it is possible that some of\nthe fs call back functions will be invoked after the reference has\nbeen put, which results in a race between freeing the data and\naccessing it through the fs.\n\nWhile the rawdata/loaddata is the most likely candidate to fail the\nrace, as it has the fewest references. If properly crafted it might be\npossible to trigger a race for the other types stored in i_private.\n\nFix this by moving the put of i_private referenced data to the correct\nplace which is during inode eviction."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:39.851Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ae10787d955fb255d381e0d5589451dd72c614b1"
},
{
"url": "https://git.kernel.org/stable/c/eecce026399917f6efa532c56bc7a3e9dd6ee68b"
},
{
"url": "https://git.kernel.org/stable/c/13bc2772414d68e94e273dea013181a986948ddf"
},
{
"url": "https://git.kernel.org/stable/c/2a732ed26fbd048e7925d227af8cf9ea43fb5cc9"
},
{
"url": "https://git.kernel.org/stable/c/8e135b8aee5a06c52a4347a5a6d51223c6f36ba3"
}
],
"title": "apparmor: fix race between freeing data and fs accessing it",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23411",
"datePublished": "2026-04-01T08:36:39.819Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T14:44:39.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23409 (GCVE-0-2026-23409)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-01 08:36
VLAI?
Title
apparmor: fix differential encoding verification
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix differential encoding verification
Differential encoding allows loops to be created if it is abused. To
prevent this the unpack should verify that a diff-encode chain
terminates.
Unfortunately the differential encode verification had two bugs.
1. it conflated states that had gone through check and already been
marked, with states that were currently being checked and marked.
This means that loops in the current chain being verified are treated
as a chain that has already been verified.
2. the order bailout on already checked states compared current chain
check iterators j,k instead of using the outer loop iterator i.
Meaning a step backwards in states in the current chain verification
was being mistaken for moving to an already verified state.
Move to a double mark scheme where already verified states get a
different mark, than the current chain being kept. This enables us
to also drop the backwards verification check that was the cause of
the second error as any already verified state is already marked.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a
(git)
Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 34fc60b125ed1d4eb002c76b0664bf0619492167 (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 623a9d211bbbb031bb1cbdb38b23487648167f8a (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 1ff4857fac56ac5a90ee63b24db05fa5e91a45aa (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 39440b137546a3aa383cfdabc605fb73811b6093 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/match.h",
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "34fc60b125ed1d4eb002c76b0664bf0619492167",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "623a9d211bbbb031bb1cbdb38b23487648167f8a",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "1ff4857fac56ac5a90ee63b24db05fa5e91a45aa",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "39440b137546a3aa383cfdabc605fb73811b6093",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/match.h",
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix differential encoding verification\n\nDifferential encoding allows loops to be created if it is abused. To\nprevent this the unpack should verify that a diff-encode chain\nterminates.\n\nUnfortunately the differential encode verification had two bugs.\n\n1. it conflated states that had gone through check and already been\n marked, with states that were currently being checked and marked.\n This means that loops in the current chain being verified are treated\n as a chain that has already been verified.\n\n2. the order bailout on already checked states compared current chain\n check iterators j,k instead of using the outer loop iterator i.\n Meaning a step backwards in states in the current chain verification\n was being mistaken for moving to an already verified state.\n\nMove to a double mark scheme where already verified states get a\ndifferent mark, than the current chain being kept. This enables us\nto also drop the backwards verification check that was the cause of\nthe second error as any already verified state is already marked."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T08:36:38.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f90e3ecd9e1ed69f1a370f866ceed1f104f3ab4a"
},
{
"url": "https://git.kernel.org/stable/c/34fc60b125ed1d4eb002c76b0664bf0619492167"
},
{
"url": "https://git.kernel.org/stable/c/623a9d211bbbb031bb1cbdb38b23487648167f8a"
},
{
"url": "https://git.kernel.org/stable/c/1ff4857fac56ac5a90ee63b24db05fa5e91a45aa"
},
{
"url": "https://git.kernel.org/stable/c/39440b137546a3aa383cfdabc605fb73811b6093"
}
],
"title": "apparmor: fix differential encoding verification",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23409",
"datePublished": "2026-04-01T08:36:38.516Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-01T08:36:38.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23407 (GCVE-0-2026-23407)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
The verify_dfa() function only checks DEFAULT_TABLE bounds when the state
is not differentially encoded.
When the verification loop traverses the differential encoding chain,
it reads k = DEFAULT_TABLE[j] and uses k as an array index without
validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count,
therefore, causes both out-of-bounds reads and writes.
[ 57.179855] ==================================================================
[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993
[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 57.181563] Call Trace:
[ 57.181572] <TASK>
[ 57.181577] dump_stack_lvl+0x5e/0x80
[ 57.181596] print_report+0xc8/0x270
[ 57.181605] ? verify_dfa+0x59a/0x660
[ 57.181608] kasan_report+0x118/0x150
[ 57.181620] ? verify_dfa+0x59a/0x660
[ 57.181623] verify_dfa+0x59a/0x660
[ 57.181627] aa_dfa_unpack+0x1610/0x1740
[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470
[ 57.181640] unpack_pdb+0x86d/0x46b0
[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300
[ 57.181659] aa_unpack+0x20b0/0x4c30
[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181664] ? stack_depot_save_flags+0x33/0x700
[ 57.181681] ? kasan_save_track+0x4f/0x80
[ 57.181683] ? kasan_save_track+0x3e/0x80
[ 57.181686] ? __kasan_kmalloc+0x93/0xb0
[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130
[ 57.181697] ? policy_update+0x154/0x330
[ 57.181704] aa_replace_profiles+0x15a/0x1dd0
[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780
[ 57.181712] ? aa_loaddata_alloc+0x77/0x140
[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5
[ 57.181717] ? _copy_from_user+0x2a/0x70
[ 57.181730] policy_update+0x17a/0x330
[ 57.181733] profile_replace+0x153/0x1a0
[ 57.181735] ? rw_verify_area+0x93/0x2d0
[ 57.181740] vfs_write+0x235/0xab0
[ 57.181745] ksys_write+0xb0/0x170
[ 57.181748] do_syscall_64+0x8e/0x660
[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 57.181765] RIP: 0033:0x7f6192792eb2
Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE
entries unconditionally.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 7c7cf05e0606f554c467e3a4dc49e2e578a755b4
(git)
Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 76b4d36c5122866452d34d8f79985e191f9c3831 (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < 5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed (git) Affected: 031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3 , < d352873bbefa7eb39995239d0b44ccdf8aaa79a4 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c7cf05e0606f554c467e3a4dc49e2e578a755b4",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "76b4d36c5122866452d34d8f79985e191f9c3831",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
},
{
"lessThan": "d352873bbefa7eb39995239d0b44ccdf8aaa79a4",
"status": "affected",
"version": "031dcc8f4e84fea37dc6f78fdc7288aa7f8386c3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix missing bounds check on DEFAULT table in verify_dfa()\n\nThe verify_dfa() function only checks DEFAULT_TABLE bounds when the state\nis not differentially encoded.\n\nWhen the verification loop traverses the differential encoding chain,\nit reads k = DEFAULT_TABLE[j] and uses k as an array index without\nvalidation. A malformed DFA with DEFAULT_TABLE[j] \u003e= state_count,\ntherefore, causes both out-of-bounds reads and writes.\n\n[ 57.179855] ==================================================================\n[ 57.180549] BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660\n[ 57.180904] Read of size 4 at addr ffff888100eadec4 by task su/993\n\n[ 57.181554] CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[ 57.181558] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 57.181563] Call Trace:\n[ 57.181572] \u003cTASK\u003e\n[ 57.181577] dump_stack_lvl+0x5e/0x80\n[ 57.181596] print_report+0xc8/0x270\n[ 57.181605] ? verify_dfa+0x59a/0x660\n[ 57.181608] kasan_report+0x118/0x150\n[ 57.181620] ? verify_dfa+0x59a/0x660\n[ 57.181623] verify_dfa+0x59a/0x660\n[ 57.181627] aa_dfa_unpack+0x1610/0x1740\n[ 57.181629] ? __kmalloc_cache_noprof+0x1d0/0x470\n[ 57.181640] unpack_pdb+0x86d/0x46b0\n[ 57.181647] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181653] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181656] ? aa_unpack_nameX+0x1a8/0x300\n[ 57.181659] aa_unpack+0x20b0/0x4c30\n[ 57.181662] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181664] ? stack_depot_save_flags+0x33/0x700\n[ 57.181681] ? kasan_save_track+0x4f/0x80\n[ 57.181683] ? kasan_save_track+0x3e/0x80\n[ 57.181686] ? __kasan_kmalloc+0x93/0xb0\n[ 57.181688] ? __kvmalloc_node_noprof+0x44a/0x780\n[ 57.181693] ? aa_simple_write_to_buffer+0x54/0x130\n[ 57.181697] ? policy_update+0x154/0x330\n[ 57.181704] aa_replace_profiles+0x15a/0x1dd0\n[ 57.181707] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181710] ? __kvmalloc_node_noprof+0x44a/0x780\n[ 57.181712] ? aa_loaddata_alloc+0x77/0x140\n[ 57.181715] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 57.181717] ? _copy_from_user+0x2a/0x70\n[ 57.181730] policy_update+0x17a/0x330\n[ 57.181733] profile_replace+0x153/0x1a0\n[ 57.181735] ? rw_verify_area+0x93/0x2d0\n[ 57.181740] vfs_write+0x235/0xab0\n[ 57.181745] ksys_write+0xb0/0x170\n[ 57.181748] do_syscall_64+0x8e/0x660\n[ 57.181762] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 57.181765] RIP: 0033:0x7f6192792eb2\n\nRemove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE\nentries unconditionally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:36.495Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c7cf05e0606f554c467e3a4dc49e2e578a755b4"
},
{
"url": "https://git.kernel.org/stable/c/76b4d36c5122866452d34d8f79985e191f9c3831"
},
{
"url": "https://git.kernel.org/stable/c/5a68e46dfe0c8c8ffc6f425ebc4cae6238566ecc"
},
{
"url": "https://git.kernel.org/stable/c/f39e126e56c6ec1930fae51ad6bca3dae2a4c3ed"
},
{
"url": "https://git.kernel.org/stable/c/d352873bbefa7eb39995239d0b44ccdf8aaa79a4"
}
],
"title": "apparmor: fix missing bounds check on DEFAULT table in verify_dfa()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23407",
"datePublished": "2026-04-01T08:36:37.197Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T14:44:36.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23408 (GCVE-0-2026-23408)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: Fix double free of ns_name in aa_replace_profiles()
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: Fix double free of ns_name in aa_replace_profiles()
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
")
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
145a0ef21c8e944957f58e2c8ffcd8a10f46266a , < 55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a
(git)
Affected: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a , < 86feeccd6b93ed94bd6655f30de80f163f8d5a45 (git) Affected: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a , < 7998ab3010d2317643f91828f1853d954ef31387 (git) Affected: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a , < 18b5233e860c294a847ee07869d93c0b8673a54b (git) Affected: 145a0ef21c8e944957f58e2c8ffcd8a10f46266a , < 5df0c44e8f5f619d3beb871207aded7c78414502 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "86feeccd6b93ed94bd6655f30de80f163f8d5a45",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "7998ab3010d2317643f91828f1853d954ef31387",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "18b5233e860c294a847ee07869d93c0b8673a54b",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
},
{
"lessThan": "5df0c44e8f5f619d3beb871207aded7c78414502",
"status": "affected",
"version": "145a0ef21c8e944957f58e2c8ffcd8a10f46266a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: Fix double free of ns_name in aa_replace_profiles()\n\nif ns_name is NULL after\n1071 error = aa_unpack(udata, \u0026lh, \u0026ns_name);\n\nand if ent-\u003ens_name contains an ns_name in\n1089 } else if (ent-\u003ens_name) {\n\nthen ns_name is assigned the ent-\u003ens_name\n1095 ns_name = ent-\u003ens_name;\n\nhowever ent-\u003ens_name is freed at\n1262 aa_load_ent_free(ent);\n\nand then again when freeing ns_name at\n1270 kfree(ns_name);\n\nFix this by NULLing out ent-\u003ens_name after it is transferred to ns_name\n\n\")"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:37.549Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/55ef2af7490aaf72f8ffe11ec44c6bcb7eb2162a"
},
{
"url": "https://git.kernel.org/stable/c/86feeccd6b93ed94bd6655f30de80f163f8d5a45"
},
{
"url": "https://git.kernel.org/stable/c/7998ab3010d2317643f91828f1853d954ef31387"
},
{
"url": "https://git.kernel.org/stable/c/18b5233e860c294a847ee07869d93c0b8673a54b"
},
{
"url": "https://git.kernel.org/stable/c/5df0c44e8f5f619d3beb871207aded7c78414502"
}
],
"title": "apparmor: Fix double free of ns_name in aa_replace_profiles()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23408",
"datePublished": "2026-04-01T08:36:37.873Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T14:44:37.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23406 (GCVE-0-2026-23406)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 14:44
VLAI?
Title
apparmor: fix side-effect bug in match_char() macro usage
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix side-effect bug in match_char() macro usage
The match_char() macro evaluates its character parameter multiple
times when traversing differential encoding chains. When invoked
with *str++, the string pointer advances on each iteration of the
inner do-while loop, causing the DFA to check different characters
at each iteration and therefore skip input characters.
This results in out-of-bounds reads when the pointer advances past
the input buffer boundary.
[ 94.984676] ==================================================================
[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976
[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.986329] Call Trace:
[ 94.986341] <TASK>
[ 94.986347] dump_stack_lvl+0x5e/0x80
[ 94.986374] print_report+0xc8/0x270
[ 94.986384] ? aa_dfa_match+0x5ae/0x760
[ 94.986388] kasan_report+0x118/0x150
[ 94.986401] ? aa_dfa_match+0x5ae/0x760
[ 94.986405] aa_dfa_match+0x5ae/0x760
[ 94.986408] __aa_path_perm+0x131/0x400
[ 94.986418] aa_path_perm+0x219/0x2f0
[ 94.986424] apparmor_file_open+0x345/0x570
[ 94.986431] security_file_open+0x5c/0x140
[ 94.986442] do_dentry_open+0x2f6/0x1120
[ 94.986450] vfs_open+0x38/0x2b0
[ 94.986453] ? may_open+0x1e2/0x2b0
[ 94.986466] path_openat+0x231b/0x2b30
[ 94.986469] ? __x64_sys_openat+0xf8/0x130
[ 94.986477] do_file_open+0x19d/0x360
[ 94.986487] do_sys_openat2+0x98/0x100
[ 94.986491] __x64_sys_openat+0xf8/0x130
[ 94.986499] do_syscall_64+0x8e/0x660
[ 94.986515] ? count_memcg_events+0x15f/0x3c0
[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0
[ 94.986551] ? vma_start_read+0xf0/0x320
[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0
[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0
[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5
[ 94.986588] ? irqentry_exit+0x3c/0x590
[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 94.986597] RIP: 0033:0x7fda4a79c3ea
Fix by extracting the character value before invoking match_char,
ensuring single evaluation per outer loop.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
074c1cd798cb0b481d7eaa749b64aa416563c053 , < 5a184f7cbdeaad17e16dedf3c17d0cd622edfed8
(git)
Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < b73c1dff8a9d7eeaebabf8097a5b2de192f40913 (git) Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 0510d1ba0976f97f521feb2b75b0572ea5df3ceb (git) Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 383b7270faf42564f133134c2fc3c24bbae52615 (git) Affected: 074c1cd798cb0b481d7eaa749b64aa416563c053 , < 8756b68edae37ff546c02091989a4ceab3f20abd (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5a184f7cbdeaad17e16dedf3c17d0cd622edfed8",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "b73c1dff8a9d7eeaebabf8097a5b2de192f40913",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "0510d1ba0976f97f521feb2b75b0572ea5df3ceb",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "383b7270faf42564f133134c2fc3c24bbae52615",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
},
{
"lessThan": "8756b68edae37ff546c02091989a4ceab3f20abd",
"status": "affected",
"version": "074c1cd798cb0b481d7eaa749b64aa416563c053",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/match.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix side-effect bug in match_char() macro usage\n\nThe match_char() macro evaluates its character parameter multiple\ntimes when traversing differential encoding chains. When invoked\nwith *str++, the string pointer advances on each iteration of the\ninner do-while loop, causing the DFA to check different characters\nat each iteration and therefore skip input characters.\nThis results in out-of-bounds reads when the pointer advances past\nthe input buffer boundary.\n\n[ 94.984676] ==================================================================\n[ 94.985301] BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760\n[ 94.985655] Read of size 1 at addr ffff888100342000 by task file/976\n\n[ 94.986319] CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)\n[ 94.986322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n[ 94.986329] Call Trace:\n[ 94.986341] \u003cTASK\u003e\n[ 94.986347] dump_stack_lvl+0x5e/0x80\n[ 94.986374] print_report+0xc8/0x270\n[ 94.986384] ? aa_dfa_match+0x5ae/0x760\n[ 94.986388] kasan_report+0x118/0x150\n[ 94.986401] ? aa_dfa_match+0x5ae/0x760\n[ 94.986405] aa_dfa_match+0x5ae/0x760\n[ 94.986408] __aa_path_perm+0x131/0x400\n[ 94.986418] aa_path_perm+0x219/0x2f0\n[ 94.986424] apparmor_file_open+0x345/0x570\n[ 94.986431] security_file_open+0x5c/0x140\n[ 94.986442] do_dentry_open+0x2f6/0x1120\n[ 94.986450] vfs_open+0x38/0x2b0\n[ 94.986453] ? may_open+0x1e2/0x2b0\n[ 94.986466] path_openat+0x231b/0x2b30\n[ 94.986469] ? __x64_sys_openat+0xf8/0x130\n[ 94.986477] do_file_open+0x19d/0x360\n[ 94.986487] do_sys_openat2+0x98/0x100\n[ 94.986491] __x64_sys_openat+0xf8/0x130\n[ 94.986499] do_syscall_64+0x8e/0x660\n[ 94.986515] ? count_memcg_events+0x15f/0x3c0\n[ 94.986526] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986540] ? handle_mm_fault+0x1639/0x1ef0\n[ 94.986551] ? vma_start_read+0xf0/0x320\n[ 94.986558] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986561] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986563] ? fpregs_assert_state_consistent+0x50/0xe0\n[ 94.986572] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986574] ? arch_exit_to_user_mode_prepare+0x9/0xb0\n[ 94.986587] ? srso_alias_return_thunk+0x5/0xfbef5\n[ 94.986588] ? irqentry_exit+0x3c/0x590\n[ 94.986595] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 94.986597] RIP: 0033:0x7fda4a79c3ea\n\nFix by extracting the character value before invoking match_char,\nensuring single evaluation per outer loop."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:35.415Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5a184f7cbdeaad17e16dedf3c17d0cd622edfed8"
},
{
"url": "https://git.kernel.org/stable/c/b73c1dff8a9d7eeaebabf8097a5b2de192f40913"
},
{
"url": "https://git.kernel.org/stable/c/0510d1ba0976f97f521feb2b75b0572ea5df3ceb"
},
{
"url": "https://git.kernel.org/stable/c/383b7270faf42564f133134c2fc3c24bbae52615"
},
{
"url": "https://git.kernel.org/stable/c/8756b68edae37ff546c02091989a4ceab3f20abd"
}
],
"title": "apparmor: fix side-effect bug in match_char() macro usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23406",
"datePublished": "2026-04-01T08:36:36.460Z",
"dateReserved": "2026-01-13T15:37:46.013Z",
"dateUpdated": "2026-04-02T14:44:35.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23404 (GCVE-0-2026-23404)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-01 08:36
VLAI?
Title
apparmor: replace recursive profile removal with iterative approach
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: replace recursive profile removal with iterative approach
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 33959a491e9fd557abfa5fce5ae4637d400915d3
(git)
Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 999bd704b0b641527a5ed46f0d969deff8cfa68b (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 7eade846e013cbe8d2dc4a484463aa19e6515c7f (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < a6a941a1294ac5abe22053dc501d25aed96e48fe (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < ab09264660f9de5d05d1ef4e225aa447c63a8747 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "33959a491e9fd557abfa5fce5ae4637d400915d3",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "999bd704b0b641527a5ed46f0d969deff8cfa68b",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7eade846e013cbe8d2dc4a484463aa19e6515c7f",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "a6a941a1294ac5abe22053dc501d25aed96e48fe",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "ab09264660f9de5d05d1ef4e225aa447c63a8747",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: replace recursive profile removal with iterative approach\n\nThe profile removal code uses recursion when removing nested profiles,\nwhich can lead to kernel stack exhaustion and system crashes.\n\nReproducer:\n $ pf=\u0027a\u0027; for ((i=0; i\u003c1024; i++)); do\n echo -e \"profile $pf { \\n }\" | apparmor_parser -K -a;\n pf=\"$pf//x\";\n done\n $ echo -n a \u003e /sys/kernel/security/apparmor/.remove\n\nReplace the recursive __aa_profile_list_release() approach with an\niterative approach in __remove_profile(). The function repeatedly\nfinds and removes leaf profiles until the entire subtree is removed,\nmaintaining the same removal semantic without recursion."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T08:36:35.032Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/33959a491e9fd557abfa5fce5ae4637d400915d3"
},
{
"url": "https://git.kernel.org/stable/c/999bd704b0b641527a5ed46f0d969deff8cfa68b"
},
{
"url": "https://git.kernel.org/stable/c/7eade846e013cbe8d2dc4a484463aa19e6515c7f"
},
{
"url": "https://git.kernel.org/stable/c/a6a941a1294ac5abe22053dc501d25aed96e48fe"
},
{
"url": "https://git.kernel.org/stable/c/ab09264660f9de5d05d1ef4e225aa447c63a8747"
}
],
"title": "apparmor: replace recursive profile removal with iterative approach",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23404",
"datePublished": "2026-04-01T08:36:35.032Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-01T08:36:35.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23405 (GCVE-0-2026-23405)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-01 08:36
VLAI?
Title
apparmor: fix: limit the number of levels of policy namespaces
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix: limit the number of levels of policy namespaces
Currently the number of policy namespaces is not bounded relying on
the user namespace limit. However policy namespaces aren't strictly
tied to user namespaces and it is possible to create them and nest
them arbitrarily deep which can be used to exhaust system resource.
Hard cap policy namespaces to the same depth as user namespaces.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e
(git)
Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 853ce31ca72097d23991a06876a2ccb5cb64b603 (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < d42b2b6bb77ca40ee34ab74ad79305840b5f315d (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 7b6495ead2c611647f6b11441a852324e3eb8616 (git) Affected: c88d4c7b049e87998ac0a9f455aa545cc895ef92 , < 306039414932c80f8420695a24d4fe10c84ccfb2 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "853ce31ca72097d23991a06876a2ccb5cb64b603",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "d42b2b6bb77ca40ee34ab74ad79305840b5f315d",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "7b6495ead2c611647f6b11441a852324e3eb8616",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
},
{
"lessThan": "306039414932c80f8420695a24d4fe10c84ccfb2",
"status": "affected",
"version": "c88d4c7b049e87998ac0a9f455aa545cc895ef92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/include/policy_ns.h",
"security/apparmor/policy_ns.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.36"
},
{
"lessThan": "2.6.36",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "2.6.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "2.6.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix: limit the number of levels of policy namespaces\n\nCurrently the number of policy namespaces is not bounded relying on\nthe user namespace limit. However policy namespaces aren\u0027t strictly\ntied to user namespaces and it is possible to create them and nest\nthem arbitrarily deep which can be used to exhaust system resource.\n\nHard cap policy namespaces to the same depth as user namespaces."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T08:36:35.697Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3f8699b3ee0c04b4b9bc27b82cd89a40e81e1d2e"
},
{
"url": "https://git.kernel.org/stable/c/853ce31ca72097d23991a06876a2ccb5cb64b603"
},
{
"url": "https://git.kernel.org/stable/c/d42b2b6bb77ca40ee34ab74ad79305840b5f315d"
},
{
"url": "https://git.kernel.org/stable/c/7b6495ead2c611647f6b11441a852324e3eb8616"
},
{
"url": "https://git.kernel.org/stable/c/306039414932c80f8420695a24d4fe10c84ccfb2"
}
],
"title": "apparmor: fix: limit the number of levels of policy namespaces",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23405",
"datePublished": "2026-04-01T08:36:35.697Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-01T08:36:35.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23403 (GCVE-0-2026-23403)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-01 08:36
VLAI?
Title
apparmor: fix memory leak in verify_header
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix memory leak in verify_header
The function sets `*ns = NULL` on every call, leaking the namespace
string allocated in previous iterations when multiple profiles are
unpacked. This also breaks namespace consistency checking since *ns
is always NULL when the comparison is made.
Remove the incorrect assignment.
The caller (aa_unpack) initializes *ns to NULL once before the loop,
which is sufficient.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dd51c84857630e77c139afe4d9bba65fc051dc3f , < 663ce34786e759ebcbeb3060685c20bcc886d51a
(git)
Affected: dd51c84857630e77c139afe4d9bba65fc051dc3f , < 786e2c2a87d9c505f33321d1fd23a176aa8ddeb1 (git) Affected: dd51c84857630e77c139afe4d9bba65fc051dc3f , < 4f0889f2df1ab99224a5e1ac4e20437eea5fe38e (git) Affected: dd51c84857630e77c139afe4d9bba65fc051dc3f , < 42fd831abfc15d0643c14688f0522556b347e7e6 (git) Affected: dd51c84857630e77c139afe4d9bba65fc051dc3f , < e38c55d9f834e5b848bfed0f5c586aaf45acb825 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "663ce34786e759ebcbeb3060685c20bcc886d51a",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "786e2c2a87d9c505f33321d1fd23a176aa8ddeb1",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "4f0889f2df1ab99224a5e1ac4e20437eea5fe38e",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "42fd831abfc15d0643c14688f0522556b347e7e6",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
},
{
"lessThan": "e38c55d9f834e5b848bfed0f5c586aaf45acb825",
"status": "affected",
"version": "dd51c84857630e77c139afe4d9bba65fc051dc3f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.18",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.8",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix memory leak in verify_header\n\nThe function sets `*ns = NULL` on every call, leaking the namespace\nstring allocated in previous iterations when multiple profiles are\nunpacked. This also breaks namespace consistency checking since *ns\nis always NULL when the comparison is made.\n\nRemove the incorrect assignment.\nThe caller (aa_unpack) initializes *ns to NULL once before the loop,\nwhich is sufficient."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T08:36:34.269Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/663ce34786e759ebcbeb3060685c20bcc886d51a"
},
{
"url": "https://git.kernel.org/stable/c/786e2c2a87d9c505f33321d1fd23a176aa8ddeb1"
},
{
"url": "https://git.kernel.org/stable/c/4f0889f2df1ab99224a5e1ac4e20437eea5fe38e"
},
{
"url": "https://git.kernel.org/stable/c/42fd831abfc15d0643c14688f0522556b347e7e6"
},
{
"url": "https://git.kernel.org/stable/c/e38c55d9f834e5b848bfed0f5c586aaf45acb825"
}
],
"title": "apparmor: fix memory leak in verify_header",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23403",
"datePublished": "2026-04-01T08:36:34.269Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-01T08:36:34.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23402 (GCVE-0-2026-23402)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 11:30
VLAI?
Title
KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
Adjust KVM's sanity check against overwriting a shadow-present SPTE with a
another SPTE with a different target PFN to only apply to direct MMUs,
i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM
to overwrite a shadow-present SPTE in response to a guest write, writes
from outside the scope of KVM, e.g. from host userspace, aren't detected
by KVM's write tracking and so can break KVM's shadow paging rules.
------------[ cut here ]------------
pfn != spte_to_pfn(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]
Call Trace:
<TASK>
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
11d45175111d933c5175acc28e56af2213dd5cd6 , < bab090e8fd5607f77379ea78b9d0c683cb1538a9
(git)
Affected: 11d45175111d933c5175acc28e56af2213dd5cd6 , < a1e0f7150639bc30a8e75476d1c7daab77d44992 (git) Affected: 11d45175111d933c5175acc28e56af2213dd5cd6 , < df83746075778958954aa0460cca55f4b3fc9c02 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bab090e8fd5607f77379ea78b9d0c683cb1538a9",
"status": "affected",
"version": "11d45175111d933c5175acc28e56af2213dd5cd6",
"versionType": "git"
},
{
"lessThan": "a1e0f7150639bc30a8e75476d1c7daab77d44992",
"status": "affected",
"version": "11d45175111d933c5175acc28e56af2213dd5cd6",
"versionType": "git"
},
{
"lessThan": "df83746075778958954aa0460cca55f4b3fc9c02",
"status": "affected",
"version": "11d45175111d933c5175acc28e56af2213dd5cd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc6",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE\n\nAdjust KVM\u0027s sanity check against overwriting a shadow-present SPTE with a\nanother SPTE with a different target PFN to only apply to direct MMUs,\ni.e. only to MMUs without shadowed gPTEs. While it\u0027s impossible for KVM\nto overwrite a shadow-present SPTE in response to a guest write, writes\nfrom outside the scope of KVM, e.g. from host userspace, aren\u0027t detected\nby KVM\u0027s write tracking and so can break KVM\u0027s shadow paging rules.\n\n ------------[ cut here ]------------\n pfn != spte_to_pfn(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:3069 at mmu_set_spte+0x1e4/0x440 [kvm], CPU#0: vmx_ept_stale_r/872\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 872 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mmu_set_spte+0x1e4/0x440 [kvm]\n Call Trace:\n \u003cTASK\u003e\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:57.726Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bab090e8fd5607f77379ea78b9d0c683cb1538a9"
},
{
"url": "https://git.kernel.org/stable/c/a1e0f7150639bc30a8e75476d1c7daab77d44992"
},
{
"url": "https://git.kernel.org/stable/c/df83746075778958954aa0460cca55f4b3fc9c02"
}
],
"title": "KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23402",
"datePublished": "2026-04-01T08:36:33.366Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-02T11:30:57.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23401 (GCVE-0-2026-23401)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:36 – Updated: 2026-04-02 11:30
VLAI?
Title
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present). While commit a54aa15c6bda3 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.
E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulted MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.
------------[ cut here ]------------
is_shadow_present_pte(*sptep)
WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
Modules linked in: kvm_intel kvm irqbypass
CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
Call Trace:
<TASK>
mmu_set_spte+0x237/0x440 [kvm]
ept_page_fault+0x535/0x7f0 [kvm]
kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
kvm_mmu_page_fault+0x8d/0x620 [kvm]
vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb5/0x730
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x47fa3f
</TASK>
---[ end trace 0000000000000000 ]---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < fd28c5618699180cd69619801e9ae6a5266c0a22
(git)
Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 459158151a158a6703b49f3c9de0e536d8bd553f (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < 695320de6eadb75aaed8be1787c4ce4c189e4c7b (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < bce7fe59d43531623f3e43779127bfb33804925d (git) Affected: a54aa15c6bda3ca7e2f9e040ba968a1da303e24f , < aad885e774966e97b675dfe928da164214a71605 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fd28c5618699180cd69619801e9ae6a5266c0a22",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "459158151a158a6703b49f3c9de0e536d8bd553f",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "695320de6eadb75aaed8be1787c4ce4c189e4c7b",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "bce7fe59d43531623f3e43779127bfb33804925d",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
},
{
"lessThan": "aad885e774966e97b675dfe928da164214a71605",
"status": "affected",
"version": "a54aa15c6bda3ca7e2f9e040ba968a1da303e24f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/mmu/mmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc6",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE\n\nWhen installing an emulated MMIO SPTE, do so *after* dropping/zapping the\nexisting SPTE (if it\u0027s shadow-present). While commit a54aa15c6bda3 was\nright about it being impossible to convert a shadow-present SPTE to an\nMMIO SPTE due to a _guest_ write, it failed to account for writes to guest\nmemory that are outside the scope of KVM.\n\nE.g. if host userspace modifies a shadowed gPTE to switch from a memslot\nto emulted MMIO and then the guest hits a relevant page fault, KVM will\ninstall the MMIO SPTE without first zapping the shadow-present SPTE.\n\n ------------[ cut here ]------------\n is_shadow_present_pte(*sptep)\n WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292\n Modules linked in: kvm_intel kvm irqbypass\n CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]\n Call Trace:\n \u003cTASK\u003e\n mmu_set_spte+0x237/0x440 [kvm]\n ept_page_fault+0x535/0x7f0 [kvm]\n kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]\n kvm_mmu_page_fault+0x8d/0x620 [kvm]\n vmx_handle_exit+0x18c/0x5a0 [kvm_intel]\n kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]\n kvm_vcpu_ioctl+0x2d5/0x980 [kvm]\n __x64_sys_ioctl+0x8a/0xd0\n do_syscall_64+0xb5/0x730\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x47fa3f\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T11:30:56.628Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fd28c5618699180cd69619801e9ae6a5266c0a22"
},
{
"url": "https://git.kernel.org/stable/c/459158151a158a6703b49f3c9de0e536d8bd553f"
},
{
"url": "https://git.kernel.org/stable/c/695320de6eadb75aaed8be1787c4ce4c189e4c7b"
},
{
"url": "https://git.kernel.org/stable/c/bce7fe59d43531623f3e43779127bfb33804925d"
},
{
"url": "https://git.kernel.org/stable/c/aad885e774966e97b675dfe928da164214a71605"
}
],
"title": "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23401",
"datePublished": "2026-04-01T08:36:32.367Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-04-02T11:30:56.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23400 (GCVE-0-2026-23400)
Vulnerability from cvelistv5 – Published: 2026-03-29 12:55 – Updated: 2026-03-29 12:55
VLAI?
Title
rust_binder: call set_notification_done() without proc lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
rust_binder: call set_notification_done() without proc lock
Consider the following sequence of events on a death listener:
1. The remote process dies and sends a BR_DEAD_BINDER message.
2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.
3. The local process then invokes the BC_DEAD_BINDER_DONE.
Then, the kernel will reply to the BC_DEAD_BINDER_DONE command with a
BR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().
However, this can result in a deadlock if the current thread is not a
looper. This is because dead_binder_done() still holds the proc lock
during set_notification_done(), which called push_work_if_looper().
Normally, push_work_if_looper() takes the thread lock, which is fine to
take under the proc lock. But if the current thread is not a looper,
then it falls back to delivering the reply to the process work queue,
which involves taking the proc lock. Since the proc lock is already
held, this is a deadlock.
Fix this by releasing the proc lock during set_notification_done(). It
was not intentional that it was held during that function to begin with.
I don't think this ever happens in Android because BC_DEAD_BINDER_DONE
is only invoked in response to BR_DEAD_BINDER messages, and the kernel
always delivers BR_DEAD_BINDER to a looper. So there's no scenario where
Android userspace will call BC_DEAD_BINDER_DONE on a non-looper thread.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
eafedbc7c050c44744fbdf80bdf3315e860b7513 , < dd109e3442817bc03ad1f3ffd541092f8c428141
(git)
Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513 , < 3be72099067d2cd4a0e089696f19780f75b2b88a (git) Affected: eafedbc7c050c44744fbdf80bdf3315e860b7513 , < 2e303f0febb65a434040774b793ba8356698802b (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/process.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dd109e3442817bc03ad1f3ffd541092f8c428141",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
},
{
"lessThan": "3be72099067d2cd4a0e089696f19780f75b2b88a",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
},
{
"lessThan": "2e303f0febb65a434040774b793ba8356698802b",
"status": "affected",
"version": "eafedbc7c050c44744fbdf80bdf3315e860b7513",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/android/binder/process.rs"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc4",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc4",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrust_binder: call set_notification_done() without proc lock\n\nConsider the following sequence of events on a death listener:\n1. The remote process dies and sends a BR_DEAD_BINDER message.\n2. The local process invokes the BC_CLEAR_DEATH_NOTIFICATION command.\n3. The local process then invokes the BC_DEAD_BINDER_DONE.\nThen, the kernel will reply to the BC_DEAD_BINDER_DONE command with a\nBR_CLEAR_DEATH_NOTIFICATION_DONE reply using push_work_if_looper().\n\nHowever, this can result in a deadlock if the current thread is not a\nlooper. This is because dead_binder_done() still holds the proc lock\nduring set_notification_done(), which called push_work_if_looper().\nNormally, push_work_if_looper() takes the thread lock, which is fine to\ntake under the proc lock. But if the current thread is not a looper,\nthen it falls back to delivering the reply to the process work queue,\nwhich involves taking the proc lock. Since the proc lock is already\nheld, this is a deadlock.\n\nFix this by releasing the proc lock during set_notification_done(). It\nwas not intentional that it was held during that function to begin with.\n\nI don\u0027t think this ever happens in Android because BC_DEAD_BINDER_DONE\nis only invoked in response to BR_DEAD_BINDER messages, and the kernel\nalways delivers BR_DEAD_BINDER to a looper. So there\u0027s no scenario where\nAndroid userspace will call BC_DEAD_BINDER_DONE on a non-looper thread."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-29T12:55:50.660Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dd109e3442817bc03ad1f3ffd541092f8c428141"
},
{
"url": "https://git.kernel.org/stable/c/3be72099067d2cd4a0e089696f19780f75b2b88a"
},
{
"url": "https://git.kernel.org/stable/c/2e303f0febb65a434040774b793ba8356698802b"
}
],
"title": "rust_binder: call set_notification_done() without proc lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23400",
"datePublished": "2026-03-29T12:55:50.660Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-03-29T12:55:50.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23399 (GCVE-0-2026-23399)
Vulnerability from cvelistv5 – Published: 2026-03-28 07:16 – Updated: 2026-03-28 07:16
VLAI?
Title
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
Summary
In the Linux kernel, the following vulnerability has been resolved:
nf_tables: nft_dynset: fix possible stateful expression memleak in error path
If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
563125a73ac30d7036ae69ca35c40500562c1de4 , < d1354873cbe3b344899c4311ac05897fd83e3f21
(git)
Affected: 563125a73ac30d7036ae69ca35c40500562c1de4 , < 31641c682db73353e4647e40735c7f2a75ff58ef (git) Affected: 563125a73ac30d7036ae69ca35c40500562c1de4 , < c88a9fd26cee365bec932196f76175772a941cca (git) Affected: 563125a73ac30d7036ae69ca35c40500562c1de4 , < 0548a13b5a145b16e4da0628b5936baf35f51b43 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_dynset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d1354873cbe3b344899c4311ac05897fd83e3f21",
"status": "affected",
"version": "563125a73ac30d7036ae69ca35c40500562c1de4",
"versionType": "git"
},
{
"lessThan": "31641c682db73353e4647e40735c7f2a75ff58ef",
"status": "affected",
"version": "563125a73ac30d7036ae69ca35c40500562c1de4",
"versionType": "git"
},
{
"lessThan": "c88a9fd26cee365bec932196f76175772a941cca",
"status": "affected",
"version": "563125a73ac30d7036ae69ca35c40500562c1de4",
"versionType": "git"
},
{
"lessThan": "0548a13b5a145b16e4da0628b5936baf35f51b43",
"status": "affected",
"version": "563125a73ac30d7036ae69ca35c40500562c1de4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/netfilter/nf_tables.h",
"net/netfilter/nf_tables_api.c",
"net/netfilter/nft_dynset.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnf_tables: nft_dynset: fix possible stateful expression memleak in error path\n\nIf cloning the second stateful expression in the element via GFP_ATOMIC\nfails, then the first stateful expression remains in place without being\nreleased.\n\n \u00a0 unreferenced object (percpu) 0x607b97e9cab8 (size 16):\n \u00a0 \u00a0 comm \"softirq\", pid 0, jiffies 4294931867\n \u00a0 \u00a0 hex dump (first 16 bytes on cpu 3):\n \u00a0 \u00a0 \u00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u00a0 \u00a0 backtrace (crc 0):\n \u00a0 \u00a0 \u00a0 pcpu_alloc_noprof+0x453/0xd80\n \u00a0 \u00a0 \u00a0 nft_counter_clone+0x9c/0x190 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_expr_clone+0x8f/0x1b0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_new+0x2cb/0x5f0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_rhash_update+0x236/0x11c0 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_dynset_eval+0x11f/0x670 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain+0x253/0x1700 [nf_tables]\n \u00a0 \u00a0 \u00a0 nft_do_chain_ipv4+0x18d/0x270 [nf_tables]\n \u00a0 \u00a0 \u00a0 nf_hook_slow+0xaa/0x1e0\n \u00a0 \u00a0 \u00a0 ip_local_deliver+0x209/0x330"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T07:16:09.888Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d1354873cbe3b344899c4311ac05897fd83e3f21"
},
{
"url": "https://git.kernel.org/stable/c/31641c682db73353e4647e40735c7f2a75ff58ef"
},
{
"url": "https://git.kernel.org/stable/c/c88a9fd26cee365bec932196f76175772a941cca"
},
{
"url": "https://git.kernel.org/stable/c/0548a13b5a145b16e4da0628b5936baf35f51b43"
}
],
"title": "nf_tables: nft_dynset: fix possible stateful expression memleak in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23399",
"datePublished": "2026-03-28T07:16:09.888Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-03-28T07:16:09.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23398 (GCVE-0-2026-23398)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-03-26 10:22
VLAI?
Title
icmp: fix NULL pointer dereference in icmp_tag_validation()
Summary
In the Linux kernel, the following vulnerability has been resolved:
icmp: fix NULL pointer dereference in icmp_tag_validation()
icmp_tag_validation() unconditionally dereferences the result of
rcu_dereference(inet_protos[proto]) without checking for NULL.
The inet_protos[] array is sparse -- only about 15 of 256 protocol
numbers have registered handlers. When ip_no_pmtu_disc is set to 3
(hardened PMTU mode) and the kernel receives an ICMP Fragmentation
Needed error with a quoted inner IP header containing an unregistered
protocol number, the NULL dereference causes a kernel panic in
softirq context.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>
Add a NULL check before accessing icmp_strict_tag_validation. If the
protocol has no registered handler, return false since it cannot
perform strict tag validation.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161
(git)
Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < b61529c357f1ee4d64836eb142a542d2e7ad67ce (git) Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 9647e99d2a617c355d2b378be0ff6d0e848fd579 (git) Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < d938dd5a0ad780c891ea3bc94cae7405f11e618a (git) Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 1e4e2f5e48cec0cccaea9815fb9486c084ba41e2 (git) Affected: 8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e , < 614aefe56af8e13331e50220c936fc0689cf5675 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "b61529c357f1ee4d64836eb142a542d2e7ad67ce",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "9647e99d2a617c355d2b378be0ff6d0e848fd579",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "d938dd5a0ad780c891ea3bc94cae7405f11e618a",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "1e4e2f5e48cec0cccaea9815fb9486c084ba41e2",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
},
{
"lessThan": "614aefe56af8e13331e50220c936fc0689cf5675",
"status": "affected",
"version": "8ed1dc44d3e9e8387a104b1ae8f92e9a3fbf1b1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/icmp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: fix NULL pointer dereference in icmp_tag_validation()\n\nicmp_tag_validation() unconditionally dereferences the result of\nrcu_dereference(inet_protos[proto]) without checking for NULL.\nThe inet_protos[] array is sparse -- only about 15 of 256 protocol\nnumbers have registered handlers. When ip_no_pmtu_disc is set to 3\n(hardened PMTU mode) and the kernel receives an ICMP Fragmentation\nNeeded error with a quoted inner IP header containing an unregistered\nprotocol number, the NULL dereference causes a kernel panic in\nsoftirq context.\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)\n Call Trace:\n \u003cIRQ\u003e\n icmp_rcv (net/ipv4/icmp.c:1527)\n ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)\n ip_local_deliver_finish (net/ipv4/ip_input.c:242)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n __netif_receive_skb_one_core (net/core/dev.c:6164)\n process_backlog (net/core/dev.c:6628)\n handle_softirqs (kernel/softirq.c:561)\n \u003c/IRQ\u003e\n\nAdd a NULL check before accessing icmp_strict_tag_validation. If the\nprotocol has no registered handler, return false since it cannot\nperform strict tag validation."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:22:50.606Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f9f2c6d4b2a613b7756fc5679c5116ba2ca0161"
},
{
"url": "https://git.kernel.org/stable/c/b61529c357f1ee4d64836eb142a542d2e7ad67ce"
},
{
"url": "https://git.kernel.org/stable/c/9647e99d2a617c355d2b378be0ff6d0e848fd579"
},
{
"url": "https://git.kernel.org/stable/c/d938dd5a0ad780c891ea3bc94cae7405f11e618a"
},
{
"url": "https://git.kernel.org/stable/c/1e4e2f5e48cec0cccaea9815fb9486c084ba41e2"
},
{
"url": "https://git.kernel.org/stable/c/614aefe56af8e13331e50220c936fc0689cf5675"
}
],
"title": "icmp: fix NULL pointer dereference in icmp_tag_validation()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23398",
"datePublished": "2026-03-26T10:22:50.606Z",
"dateReserved": "2026-01-13T15:37:46.012Z",
"dateUpdated": "2026-03-26T10:22:50.606Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23397 (GCVE-0-2026-23397)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-03-26 10:22
VLAI?
Title
nfnetlink_osf: validate individual option lengths in fingerprints
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfnetlink_osf: validate individual option lengths in fingerprints
nfnl_osf_add_callback() validates opt_num bounds and string
NUL-termination but does not check individual option length fields.
A zero-length option causes nf_osf_match_one() to enter the option
matching loop even when foptsize sums to zero, which matches packets
with no TCP options where ctx->optp is NULL:
Oops: general protection fault
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)
Call Trace:
nf_osf_match (net/netfilter/nfnetlink_osf.c:227)
xt_osf_match_packet (net/netfilter/xt_osf.c:32)
ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)
nf_hook_slow (net/netfilter/core.c:623)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
Additionally, an MSS option (kind=2) with length < 4 causes
out-of-bounds reads when nf_osf_match_one() unconditionally accesses
optp[2] and optp[3] for MSS value extraction. While RFC 9293
section 3.2 specifies that the MSS option is always exactly 4
bytes (Kind=2, Length=4), the check uses "< 4" rather than
"!= 4" because lengths greater than 4 do not cause memory
safety issues -- the buffer is guaranteed to be at least
foptsize bytes by the ctx->optsize == foptsize check.
Reject fingerprints where any option has zero length, or where an MSS
option has length less than 4, at add time rather than trusting these
values in the packet matching hot path.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < aa0574182c46963c3cdb8cde46ec93aca21100d8
(git)
Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 224f4678812e1a7bc8341bcb666773a0aec5ea6f (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < ec8bf0571b142f29dc0b68ae2ac3952f7a464b38 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 3932620c04c2938c93c0890c225960d3d34ba355 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < 4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6 (git) Affected: 11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384 , < dbdfaae9609629a9569362e3b8f33d0a20fd783c (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aa0574182c46963c3cdb8cde46ec93aca21100d8",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "224f4678812e1a7bc8341bcb666773a0aec5ea6f",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "ec8bf0571b142f29dc0b68ae2ac3952f7a464b38",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "3932620c04c2938c93c0890c225960d3d34ba355",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
},
{
"lessThan": "dbdfaae9609629a9569362e3b8f33d0a20fd783c",
"status": "affected",
"version": "11eeef41d5f63c7d2f7fdfcc733eb7fb137cc384",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_osf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.31"
},
{
"lessThan": "2.6.31",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "2.6.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfnetlink_osf: validate individual option lengths in fingerprints\n\nnfnl_osf_add_callback() validates opt_num bounds and string\nNUL-termination but does not check individual option length fields.\nA zero-length option causes nf_osf_match_one() to enter the option\nmatching loop even when foptsize sums to zero, which matches packets\nwith no TCP options where ctx-\u003eoptp is NULL:\n\n Oops: general protection fault\n KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98)\n Call Trace:\n nf_osf_match (net/netfilter/nfnetlink_osf.c:227)\n xt_osf_match_packet (net/netfilter/xt_osf.c:32)\n ipt_do_table (net/ipv4/netfilter/ip_tables.c:293)\n nf_hook_slow (net/netfilter/core.c:623)\n ip_local_deliver (net/ipv4/ip_input.c:262)\n ip_rcv (net/ipv4/ip_input.c:573)\n\nAdditionally, an MSS option (kind=2) with length \u003c 4 causes\nout-of-bounds reads when nf_osf_match_one() unconditionally accesses\noptp[2] and optp[3] for MSS value extraction. While RFC 9293\nsection 3.2 specifies that the MSS option is always exactly 4\nbytes (Kind=2, Length=4), the check uses \"\u003c 4\" rather than\n\"!= 4\" because lengths greater than 4 do not cause memory\nsafety issues -- the buffer is guaranteed to be at least\nfoptsize bytes by the ctx-\u003eoptsize == foptsize check.\n\nReject fingerprints where any option has zero length, or where an MSS\noption has length less than 4, at add time rather than trusting these\nvalues in the packet matching hot path."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:22:49.954Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aa0574182c46963c3cdb8cde46ec93aca21100d8"
},
{
"url": "https://git.kernel.org/stable/c/224f4678812e1a7bc8341bcb666773a0aec5ea6f"
},
{
"url": "https://git.kernel.org/stable/c/ec8bf0571b142f29dc0b68ae2ac3952f7a464b38"
},
{
"url": "https://git.kernel.org/stable/c/3932620c04c2938c93c0890c225960d3d34ba355"
},
{
"url": "https://git.kernel.org/stable/c/4c6aa008b913e808c4f4d3cde36cb1d9bb5967c6"
},
{
"url": "https://git.kernel.org/stable/c/dbdfaae9609629a9569362e3b8f33d0a20fd783c"
}
],
"title": "nfnetlink_osf: validate individual option lengths in fingerprints",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23397",
"datePublished": "2026-03-26T10:22:49.954Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-03-26T10:22:49.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23396 (GCVE-0-2026-23396)
Vulnerability from cvelistv5 – Published: 2026-03-26 10:22 – Updated: 2026-03-26 10:22
VLAI?
Title
wifi: mac80211: fix NULL deref in mesh_matches_local()
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix NULL deref in mesh_matches_local()
mesh_matches_local() unconditionally dereferences ie->mesh_config to
compare mesh configuration parameters. When called from
mesh_rx_csa_frame(), the parsed action-frame elements may not contain a
Mesh Configuration IE, leaving ie->mesh_config NULL and triggering a
kernel NULL pointer dereference.
The other two callers are already safe:
- ieee80211_mesh_rx_bcn_presp() checks !elems->mesh_config before
calling mesh_matches_local()
- mesh_plink_get_event() is only reached through
mesh_process_plink_frame(), which checks !elems->mesh_config, too
mesh_rx_csa_frame() is the only caller that passes raw parsed elements
to mesh_matches_local() without guarding mesh_config. An adjacent
attacker can exploit this by sending a crafted CSA action frame that
includes a valid Mesh ID IE but omits the Mesh Configuration IE,
crashing the kernel.
The captured crash log:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events_unbound cfg80211_wiphy_work
[...]
Call Trace:
<TASK>
? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)
ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)
[...]
ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)
[...]
cfg80211_wiphy_work (net/wireless/core.c:426)
process_one_work (net/kernel/workqueue.c:3280)
? assign_work (net/kernel/workqueue.c:1219)
worker_thread (net/kernel/workqueue.c:3352)
? __pfx_worker_thread (net/kernel/workqueue.c:3385)
kthread (net/kernel/kthread.c:436)
[...]
ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)
</TASK>
This patch adds a NULL check for ie->mesh_config at the top of
mesh_matches_local() to return false early when the Mesh Configuration
IE is absent.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < c1e3f2416fb27c816ce96d747d3e784e31f4d95c
(git)
Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 0a4da176ae4b4e075a19c00d3e269cfd5e05a813 (git) Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004 (git) Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 44699c6cdfce80a0f296b54ae9314461e3e41b3d (git) Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < 7c55a3deaf7eaaafa2546f8de7fed19382a0a116 (git) Affected: 2e3c8736820bf72a8ad10721c7e31d36d4fa7790 , < c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c1e3f2416fb27c816ce96d747d3e784e31f4d95c",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "0a4da176ae4b4e075a19c00d3e269cfd5e05a813",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "44699c6cdfce80a0f296b54ae9314461e3e41b3d",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "7c55a3deaf7eaaafa2546f8de7fed19382a0a116",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
},
{
"lessThan": "c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd",
"status": "affected",
"version": "2e3c8736820bf72a8ad10721c7e31d36d4fa7790",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mesh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_local()\n\nmesh_matches_local() unconditionally dereferences ie-\u003emesh_config to\ncompare mesh configuration parameters. When called from\nmesh_rx_csa_frame(), the parsed action-frame elements may not contain a\nMesh Configuration IE, leaving ie-\u003emesh_config NULL and triggering a\nkernel NULL pointer dereference.\n\nThe other two callers are already safe:\n - ieee80211_mesh_rx_bcn_presp() checks !elems-\u003emesh_config before\n calling mesh_matches_local()\n - mesh_plink_get_event() is only reached through\n mesh_process_plink_frame(), which checks !elems-\u003emesh_config, too\n\nmesh_rx_csa_frame() is the only caller that passes raw parsed elements\nto mesh_matches_local() without guarding mesh_config. An adjacent\nattacker can exploit this by sending a crafted CSA action frame that\nincludes a valid Mesh ID IE but omits the Mesh Configuration IE,\ncrashing the kernel.\n\nThe captured crash log:\n\nOops: general protection fault, probably for non-canonical address ...\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nWorkqueue: events_unbound cfg80211_wiphy_work\n[...]\nCall Trace:\n \u003cTASK\u003e\n ? __pfx_mesh_matches_local (net/mac80211/mesh.c:65)\n ieee80211_mesh_rx_queued_mgmt (net/mac80211/mesh.c:1686)\n [...]\n ieee80211_iface_work (net/mac80211/iface.c:1754 net/mac80211/iface.c:1802)\n [...]\n cfg80211_wiphy_work (net/wireless/core.c:426)\n process_one_work (net/kernel/workqueue.c:3280)\n ? assign_work (net/kernel/workqueue.c:1219)\n worker_thread (net/kernel/workqueue.c:3352)\n ? __pfx_worker_thread (net/kernel/workqueue.c:3385)\n kthread (net/kernel/kthread.c:436)\n [...]\n ret_from_fork_asm (net/arch/x86/entry/entry_64.S:255)\n \u003c/TASK\u003e\n\nThis patch adds a NULL check for ie-\u003emesh_config at the top of\nmesh_matches_local() to return false early when the Mesh Configuration\nIE is absent."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T10:22:49.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c1e3f2416fb27c816ce96d747d3e784e31f4d95c"
},
{
"url": "https://git.kernel.org/stable/c/0a4da176ae4b4e075a19c00d3e269cfd5e05a813"
},
{
"url": "https://git.kernel.org/stable/c/a90279e7f7ea0b7e923a1c5ebee9a6b78b6d1004"
},
{
"url": "https://git.kernel.org/stable/c/44699c6cdfce80a0f296b54ae9314461e3e41b3d"
},
{
"url": "https://git.kernel.org/stable/c/7c55a3deaf7eaaafa2546f8de7fed19382a0a116"
},
{
"url": "https://git.kernel.org/stable/c/c73bb9a2d33bf81f6eecaa0f474b6c6dbe9855bd"
}
],
"title": "wifi: mac80211: fix NULL deref in mesh_matches_local()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23396",
"datePublished": "2026-03-26T10:22:49.287Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-03-26T10:22:49.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23394 (GCVE-0-2026-23394)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-03-25 10:33
VLAI?
Title
af_unix: Give up GC if MSG_PEEK intervened.
Summary
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Give up GC if MSG_PEEK intervened.
Igor Ushakov reported that GC purged the receive queue of
an alive socket due to a race with MSG_PEEK with a nice repro.
This is the exact same issue previously fixed by commit
cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
After GC was replaced with the current algorithm, the cited
commit removed the locking dance in unix_peek_fds() and
reintroduced the same issue.
The problem is that MSG_PEEK bumps a file refcount without
interacting with GC.
Consider an SCC containing sk-A and sk-B, where sk-A is
close()d but can be recv()ed via sk-B.
The bad thing happens if sk-A is recv()ed with MSG_PEEK from
sk-B and sk-B is close()d while GC is checking unix_vertex_dead()
for sk-A and sk-B.
GC thread User thread
--------- -----------
unix_vertex_dead(sk-A)
-> true <------.
\
`------ recv(sk-B, MSG_PEEK)
invalidate !! -> sk-A's file refcount : 1 -> 2
close(sk-B)
-> sk-B's file refcount : 2 -> 1
unix_vertex_dead(sk-B)
-> true
Initially, sk-A's file refcount is 1 by the inflight fd in sk-B
recvq. GC thinks sk-A is dead because the file refcount is the
same as the number of its inflight fds.
However, sk-A's file refcount is bumped silently by MSG_PEEK,
which invalidates the previous evaluation.
At this moment, sk-B's file refcount is 2; one by the open fd,
and one by the inflight fd in sk-A. The subsequent close()
releases one refcount by the former.
Finally, GC incorrectly concludes that both sk-A and sk-B are dead.
One option is to restore the locking dance in unix_peek_fds(),
but we can resolve this more elegantly thanks to the new algorithm.
The point is that the issue does not occur without the subsequent
close() and we actually do not need to synchronise MSG_PEEK with
the dead SCC detection.
When the issue occurs, close() and GC touch the same file refcount.
If GC sees the refcount being decremented by close(), it can just
give up garbage-collecting the SCC.
Therefore, we only need to signal the race during MSG_PEEK with
a proper memory barrier to make it visible to the GC.
Let's use seqcount_t to notify GC when MSG_PEEK occurs and let
it defer the SCC to the next run.
This way no locking is needed on the MSG_PEEK side, and we can
avoid imposing a penalty on every MSG_PEEK unnecessarily.
Note that we can retry within unix_scc_dead() if MSG_PEEK is
detected, but we do not do so to avoid hung task splat from
abusive MSG_PEEK calls.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
118f457da9ed58a79e24b73c2ef0aa1987241f0e , < 37dd7ab332396eb8dd80b2dc7ea4b61abf767436
(git)
Affected: 118f457da9ed58a79e24b73c2ef0aa1987241f0e , < e5b31d988a41549037b8d8721a3c3cae893d8670 (git) Affected: 61a75360dca93c945ef6bd757f8b8a96f39b77cb (git) Affected: 7b1ffbd3b22e755d481d49647dcb7c5cfbde5844 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "37dd7ab332396eb8dd80b2dc7ea4b61abf767436",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"lessThan": "e5b31d988a41549037b8d8721a3c3cae893d8670",
"status": "affected",
"version": "118f457da9ed58a79e24b73c2ef0aa1987241f0e",
"versionType": "git"
},
{
"status": "affected",
"version": "61a75360dca93c945ef6bd757f8b8a96f39b77cb",
"versionType": "git"
},
{
"status": "affected",
"version": "7b1ffbd3b22e755d481d49647dcb7c5cfbde5844",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/unix/af_unix.c",
"net/unix/af_unix.h",
"net/unix/garbage.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Give up GC if MSG_PEEK intervened.\n\nIgor Ushakov reported that GC purged the receive queue of\nan alive socket due to a race with MSG_PEEK with a nice repro.\n\nThis is the exact same issue previously fixed by commit\ncbcf01128d0a (\"af_unix: fix garbage collect vs MSG_PEEK\").\n\nAfter GC was replaced with the current algorithm, the cited\ncommit removed the locking dance in unix_peek_fds() and\nreintroduced the same issue.\n\nThe problem is that MSG_PEEK bumps a file refcount without\ninteracting with GC.\n\nConsider an SCC containing sk-A and sk-B, where sk-A is\nclose()d but can be recv()ed via sk-B.\n\nThe bad thing happens if sk-A is recv()ed with MSG_PEEK from\nsk-B and sk-B is close()d while GC is checking unix_vertex_dead()\nfor sk-A and sk-B.\n\n GC thread User thread\n --------- -----------\n unix_vertex_dead(sk-A)\n -\u003e true \u003c------.\n \\\n `------ recv(sk-B, MSG_PEEK)\n invalidate !! -\u003e sk-A\u0027s file refcount : 1 -\u003e 2\n\n close(sk-B)\n -\u003e sk-B\u0027s file refcount : 2 -\u003e 1\n unix_vertex_dead(sk-B)\n -\u003e true\n\nInitially, sk-A\u0027s file refcount is 1 by the inflight fd in sk-B\nrecvq. GC thinks sk-A is dead because the file refcount is the\nsame as the number of its inflight fds.\n\nHowever, sk-A\u0027s file refcount is bumped silently by MSG_PEEK,\nwhich invalidates the previous evaluation.\n\nAt this moment, sk-B\u0027s file refcount is 2; one by the open fd,\nand one by the inflight fd in sk-A. The subsequent close()\nreleases one refcount by the former.\n\nFinally, GC incorrectly concludes that both sk-A and sk-B are dead.\n\nOne option is to restore the locking dance in unix_peek_fds(),\nbut we can resolve this more elegantly thanks to the new algorithm.\n\nThe point is that the issue does not occur without the subsequent\nclose() and we actually do not need to synchronise MSG_PEEK with\nthe dead SCC detection.\n\nWhen the issue occurs, close() and GC touch the same file refcount.\nIf GC sees the refcount being decremented by close(), it can just\ngive up garbage-collecting the SCC.\n\nTherefore, we only need to signal the race during MSG_PEEK with\na proper memory barrier to make it visible to the GC.\n\nLet\u0027s use seqcount_t to notify GC when MSG_PEEK occurs and let\nit defer the SCC to the next run.\n\nThis way no locking is needed on the MSG_PEEK side, and we can\navoid imposing a penalty on every MSG_PEEK unnecessarily.\n\nNote that we can retry within unix_scc_dead() if MSG_PEEK is\ndetected, but we do not do so to avoid hung task splat from\nabusive MSG_PEEK calls."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:33:18.180Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/37dd7ab332396eb8dd80b2dc7ea4b61abf767436"
},
{
"url": "https://git.kernel.org/stable/c/e5b31d988a41549037b8d8721a3c3cae893d8670"
}
],
"title": "af_unix: Give up GC if MSG_PEEK intervened.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23394",
"datePublished": "2026-03-25T10:33:18.180Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-03-25T10:33:18.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23395 (GCVE-0-2026-23395)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-02 08:39
VLAI?
Title
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Currently the code attempts to accept requests regardless of the
command identifier which may cause multiple requests to be marked
as pending (FLAG_DEFER_SETUP) which can cause more than
L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer
causing an overflow.
The spec is quite clear that the same identifier shall not be used on
subsequent requests:
'Within each signaling channel a different Identifier shall be used
for each successive request or indication.'
https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d
So this attempts to check if there are any channels pending with the
same identifier and rejects if any are found.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
15f02b91056253e8cdc592888f431da0731337b8 , < fb4a3a26483f3ea2cd21c7a2f7c45d5670600465
(git)
Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 2124d82fd25e1671bb3ceb37998af5aae5903e06 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 6b949a6b33cbdf621d9fc6f0c48ac00915dbf514 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 8d0d94f8ba5b3a0beec3b0da558b9bea48018117 (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < e72ee455297b794b852e5cea8d2d7bb17312172a (git) Affected: 15f02b91056253e8cdc592888f431da0731337b8 , < 5b3e2052334f2ff6d5200e952f4aa66994d09899 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fb4a3a26483f3ea2cd21c7a2f7c45d5670600465",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "2124d82fd25e1671bb3ceb37998af5aae5903e06",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "6b949a6b33cbdf621d9fc6f0c48ac00915dbf514",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "8d0d94f8ba5b3a0beec3b0da558b9bea48018117",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "e72ee455297b794b852e5cea8d2d7bb17312172a",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
},
{
"lessThan": "5b3e2052334f2ff6d5200e952f4aa66994d09899",
"status": "affected",
"version": "15f02b91056253e8cdc592888f431da0731337b8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ\n\nCurrently the code attempts to accept requests regardless of the\ncommand identifier which may cause multiple requests to be marked\nas pending (FLAG_DEFER_SETUP) which can cause more than\nL2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer\ncausing an overflow.\n\nThe spec is quite clear that the same identifier shall not be used on\nsubsequent requests:\n\n\u0027Within each signaling channel a different Identifier shall be used\nfor each successive request or indication.\u0027\nhttps://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d\n\nSo this attempts to check if there are any channels pending with the\nsame identifier and rejects if any are found."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T08:39:39.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fb4a3a26483f3ea2cd21c7a2f7c45d5670600465"
},
{
"url": "https://git.kernel.org/stable/c/2124d82fd25e1671bb3ceb37998af5aae5903e06"
},
{
"url": "https://git.kernel.org/stable/c/6b949a6b33cbdf621d9fc6f0c48ac00915dbf514"
},
{
"url": "https://git.kernel.org/stable/c/8d0d94f8ba5b3a0beec3b0da558b9bea48018117"
},
{
"url": "https://git.kernel.org/stable/c/e72ee455297b794b852e5cea8d2d7bb17312172a"
},
{
"url": "https://git.kernel.org/stable/c/5b3e2052334f2ff6d5200e952f4aa66994d09899"
}
],
"title": "Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23395",
"datePublished": "2026-03-25T10:33:18.936Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-02T08:39:39.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23393 (GCVE-0-2026-23393)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-02 14:44
VLAI?
Title
bridge: cfm: Fix race condition in peer_mep deletion
Summary
In the Linux kernel, the following vulnerability has been resolved:
bridge: cfm: Fix race condition in peer_mep deletion
When a peer MEP is being deleted, cancel_delayed_work_sync() is called
on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in
softirq context under rcu_read_lock (without RTNL) and can re-schedule
ccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()
returning and kfree_rcu() being called.
The following is a simple race scenario:
cpu0 cpu1
mep_delete_implementation()
cancel_delayed_work_sync(ccm_rx_dwork);
br_cfm_frame_rx()
// peer_mep still in hlist
if (peer_mep->ccm_defect)
ccm_rx_timer_start()
queue_delayed_work(ccm_rx_dwork)
hlist_del_rcu(&peer_mep->head);
kfree_rcu(peer_mep, rcu);
ccm_rx_work_expired()
// on freed peer_mep
To prevent this, cancel_delayed_work_sync() is replaced with
disable_delayed_work_sync() in both peer MEP deletion paths, so
that subsequent queue_delayed_work() calls from br_cfm_frame_rx()
are silently rejected.
The cc_peer_disable() helper retains cancel_delayed_work_sync()
because it is also used for the CC enable/disable toggle path where
the work must remain re-schedulable.
Severity ?
7.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
dc32cbb3dbd7da38c700d6e0fc6354df24920525 , < e89dbd2736a45f0507949af4748cbbf3ff793146
(git)
Affected: dc32cbb3dbd7da38c700d6e0fc6354df24920525 , < d8f35767bacb3c7769d470a41cf161e3f3c07e70 (git) Affected: dc32cbb3dbd7da38c700d6e0fc6354df24920525 , < 1fd81151f65927fd9edb8ecd12ad45527dbbe5ab (git) Affected: dc32cbb3dbd7da38c700d6e0fc6354df24920525 , < 3715a00855316066cdda69d43648336367422127 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bridge/br_cfm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e89dbd2736a45f0507949af4748cbbf3ff793146",
"status": "affected",
"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525",
"versionType": "git"
},
{
"lessThan": "d8f35767bacb3c7769d470a41cf161e3f3c07e70",
"status": "affected",
"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525",
"versionType": "git"
},
{
"lessThan": "1fd81151f65927fd9edb8ecd12ad45527dbbe5ab",
"status": "affected",
"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525",
"versionType": "git"
},
{
"lessThan": "3715a00855316066cdda69d43648336367422127",
"status": "affected",
"version": "dc32cbb3dbd7da38c700d6e0fc6354df24920525",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bridge/br_cfm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "5.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: cfm: Fix race condition in peer_mep deletion\n\nWhen a peer MEP is being deleted, cancel_delayed_work_sync() is called\non ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in\nsoftirq context under rcu_read_lock (without RTNL) and can re-schedule\nccm_rx_dwork via ccm_rx_timer_start() between cancel_delayed_work_sync()\nreturning and kfree_rcu() being called.\n\nThe following is a simple race scenario:\n\n cpu0 cpu1\n\nmep_delete_implementation()\n cancel_delayed_work_sync(ccm_rx_dwork);\n br_cfm_frame_rx()\n // peer_mep still in hlist\n if (peer_mep-\u003eccm_defect)\n ccm_rx_timer_start()\n queue_delayed_work(ccm_rx_dwork)\n hlist_del_rcu(\u0026peer_mep-\u003ehead);\n kfree_rcu(peer_mep, rcu);\n ccm_rx_work_expired()\n // on freed peer_mep\n\nTo prevent this, cancel_delayed_work_sync() is replaced with\ndisable_delayed_work_sync() in both peer MEP deletion paths, so\nthat subsequent queue_delayed_work() calls from br_cfm_frame_rx()\nare silently rejected.\n\nThe cc_peer_disable() helper retains cancel_delayed_work_sync()\nbecause it is also used for the CC enable/disable toggle path where\nthe work must remain re-schedulable."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:34.129Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e89dbd2736a45f0507949af4748cbbf3ff793146"
},
{
"url": "https://git.kernel.org/stable/c/d8f35767bacb3c7769d470a41cf161e3f3c07e70"
},
{
"url": "https://git.kernel.org/stable/c/1fd81151f65927fd9edb8ecd12ad45527dbbe5ab"
},
{
"url": "https://git.kernel.org/stable/c/3715a00855316066cdda69d43648336367422127"
}
],
"title": "bridge: cfm: Fix race condition in peer_mep deletion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23393",
"datePublished": "2026-03-25T10:33:17.407Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-02T14:44:34.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23392 (GCVE-0-2026-23392)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-02 14:44
VLAI?
Title
netfilter: nf_tables: release flowtable after rcu grace period on error
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: release flowtable after rcu grace period on error
Call synchronize_rcu() after unregistering the hooks from error path,
since a hook that already refers to this flowtable can be already
registered, exposing this flowtable to packet path and nfnetlink_hook
control plane.
This error path is rare, it should only happen by reaching the maximum
number hooks or by failing to set up to hardware offload, just call
synchronize_rcu().
There is a check for already used device hooks by different flowtable
that could result in EEXIST at this late stage. The hook parser can be
updated to perform this check earlier to this error path really becomes
rarely exercised.
Uncovered by KASAN reported as use-after-free from nfnetlink_hook path
when dumping hooks.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d2632de96ccb066e0131ad1494241b9c281c60b8
(git)
Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < adee3436ccd29f1e514c028899e400cbc6d84065 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < 7e3955b282eae20d61c75e499c75eade51c20060 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < c8092edb9a11f20f95ccceeb9422b7dd0df337bd (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < e78a2dcc7cfb87b64a631441ca7681492b347ef6 (git) Affected: 3b49e2e94e6ebb8b23d0955d9e898254455734f8 , < d73f4b53aaaea4c95f245e491aa5eeb8a21874ce (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2632de96ccb066e0131ad1494241b9c281c60b8",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "adee3436ccd29f1e514c028899e400cbc6d84065",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "7e3955b282eae20d61c75e499c75eade51c20060",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "c8092edb9a11f20f95ccceeb9422b7dd0df337bd",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "e78a2dcc7cfb87b64a631441ca7681492b347ef6",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
},
{
"lessThan": "d73f4b53aaaea4c95f245e491aa5eeb8a21874ce",
"status": "affected",
"version": "3b49e2e94e6ebb8b23d0955d9e898254455734f8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release flowtable after rcu grace period on error\n\nCall synchronize_rcu() after unregistering the hooks from error path,\nsince a hook that already refers to this flowtable can be already\nregistered, exposing this flowtable to packet path and nfnetlink_hook\ncontrol plane.\n\nThis error path is rare, it should only happen by reaching the maximum\nnumber hooks or by failing to set up to hardware offload, just call\nsynchronize_rcu().\n\nThere is a check for already used device hooks by different flowtable\nthat could result in EEXIST at this late stage. The hook parser can be\nupdated to perform this check earlier to this error path really becomes\nrarely exercised.\n\nUncovered by KASAN reported as use-after-free from nfnetlink_hook path\nwhen dumping hooks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:32.750Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2632de96ccb066e0131ad1494241b9c281c60b8"
},
{
"url": "https://git.kernel.org/stable/c/adee3436ccd29f1e514c028899e400cbc6d84065"
},
{
"url": "https://git.kernel.org/stable/c/7e3955b282eae20d61c75e499c75eade51c20060"
},
{
"url": "https://git.kernel.org/stable/c/c8092edb9a11f20f95ccceeb9422b7dd0df337bd"
},
{
"url": "https://git.kernel.org/stable/c/e78a2dcc7cfb87b64a631441ca7681492b347ef6"
},
{
"url": "https://git.kernel.org/stable/c/d73f4b53aaaea4c95f245e491aa5eeb8a21874ce"
}
],
"title": "netfilter: nf_tables: release flowtable after rcu grace period on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23392",
"datePublished": "2026-03-25T10:33:16.647Z",
"dateReserved": "2026-01-13T15:37:46.011Z",
"dateUpdated": "2026-04-02T14:44:32.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23391 (GCVE-0-2026-23391)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:33 – Updated: 2026-04-02 14:44
VLAI?
Title
netfilter: xt_CT: drop pending enqueued packets on template removal
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: xt_CT: drop pending enqueued packets on template removal
Templates refer to objects that can go away while packets are sitting in
nfqueue refer to:
- helper, this can be an issue on module removal.
- timeout policy, nfnetlink_cttimeout might remove it.
The use of templates with zone and event cache filter are safe, since
this just copies values.
Flush these enqueued packets in case the template rule gets removed.
Severity ?
7.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
24de58f465165298aaa8f286b2592f0163706cfe , < d2d0bae0c9a2a17b6990a2966f5cdce0813d6256
(git)
Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 63b8097cea1923fe82cd598068d0796da8c015ec (git) Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 19a230dec6bb8928e3f96387f9085cf2c79bcef9 (git) Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < cb549925875fa06dd155e49db4ac2c5044c30f9c (git) Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < 777d02efe3d630cca4c1b63962cec17c57711325 (git) Affected: 24de58f465165298aaa8f286b2592f0163706cfe , < f62a218a946b19bb59abdd5361da85fa4606b96b (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2d0bae0c9a2a17b6990a2966f5cdce0813d6256",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "63b8097cea1923fe82cd598068d0796da8c015ec",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "19a230dec6bb8928e3f96387f9085cf2c79bcef9",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "cb549925875fa06dd155e49db4ac2c5044c30f9c",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "777d02efe3d630cca4c1b63962cec17c57711325",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
},
{
"lessThan": "f62a218a946b19bb59abdd5361da85fa4606b96b",
"status": "affected",
"version": "24de58f465165298aaa8f286b2592f0163706cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/xt_CT.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.4"
},
{
"lessThan": "3.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "3.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc5",
"versionStartIncluding": "3.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: xt_CT: drop pending enqueued packets on template removal\n\nTemplates refer to objects that can go away while packets are sitting in\nnfqueue refer to:\n\n- helper, this can be an issue on module removal.\n- timeout policy, nfnetlink_cttimeout might remove it.\n\nThe use of templates with zone and event cache filter are safe, since\nthis just copies values.\n\nFlush these enqueued packets in case the template rule gets removed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:44:30.830Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2d0bae0c9a2a17b6990a2966f5cdce0813d6256"
},
{
"url": "https://git.kernel.org/stable/c/63b8097cea1923fe82cd598068d0796da8c015ec"
},
{
"url": "https://git.kernel.org/stable/c/19a230dec6bb8928e3f96387f9085cf2c79bcef9"
},
{
"url": "https://git.kernel.org/stable/c/cb549925875fa06dd155e49db4ac2c5044c30f9c"
},
{
"url": "https://git.kernel.org/stable/c/777d02efe3d630cca4c1b63962cec17c57711325"
},
{
"url": "https://git.kernel.org/stable/c/f62a218a946b19bb59abdd5361da85fa4606b96b"
}
],
"title": "netfilter: xt_CT: drop pending enqueued packets on template removal",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23391",
"datePublished": "2026-03-25T10:33:15.677Z",
"dateReserved": "2026-01-13T15:37:46.009Z",
"dateUpdated": "2026-04-02T14:44:30.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23390 (GCVE-0-2026-23390)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:29 – Updated: 2026-03-25 16:49
VLAI?
Title
tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow
The dma_map_sg tracepoint can trigger a perf buffer overflow when
tracing large scatter-gather lists. With devices like virtio-gpu
creating large DRM buffers, nents can exceed 1000 entries, resulting
in:
phys_addrs: 1000 * 8 bytes = 8,000 bytes
dma_addrs: 1000 * 8 bytes = 8,000 bytes
lengths: 1000 * 4 bytes = 4,000 bytes
Total: ~20,000 bytes
This exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:
WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405
perf buffer not large enough, wanted 24620, have 8192
Cap all three dynamic arrays at 128 entries using min() in the array
size calculation. This ensures arrays are only as large as needed
(up to the cap), avoiding unnecessary memory allocation for small
operations while preventing overflow for large ones.
The tracepoint now records the full nents/ents counts and a truncated
flag so users can see when data has been capped.
Changes in v2:
- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing
instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from
Steven Rostedt)
- This allocates only what's needed up to the cap, avoiding waste
for small operations
Reviwed-by: Sean Anderson <sean.anderson@linux.dev>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
038eb433dc1474c4bc7d33188294e3d4778efdfd , < 02d209bb018a40dee9eac89e91860253dee9605b
(git)
Affected: 038eb433dc1474c4bc7d33188294e3d4778efdfd , < f2584f791a10343bdc995ff6ff402db45b95de69 (git) Affected: 038eb433dc1474c4bc7d33188294e3d4778efdfd , < daafcc0ef0b358d9d622b6e3b7c43767aa3814ee (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/trace/events/dma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "02d209bb018a40dee9eac89e91860253dee9605b",
"status": "affected",
"version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
"versionType": "git"
},
{
"lessThan": "f2584f791a10343bdc995ff6ff402db45b95de69",
"status": "affected",
"version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
"versionType": "git"
},
{
"lessThan": "daafcc0ef0b358d9d622b6e3b7c43767aa3814ee",
"status": "affected",
"version": "038eb433dc1474c4bc7d33188294e3d4778efdfd",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/trace/events/dma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow\n\nThe dma_map_sg tracepoint can trigger a perf buffer overflow when\ntracing large scatter-gather lists. With devices like virtio-gpu\ncreating large DRM buffers, nents can exceed 1000 entries, resulting\nin:\n\n phys_addrs: 1000 * 8 bytes = 8,000 bytes\n dma_addrs: 1000 * 8 bytes = 8,000 bytes\n lengths: 1000 * 4 bytes = 4,000 bytes\n Total: ~20,000 bytes\n\nThis exceeds PERF_MAX_TRACE_SIZE (8192 bytes), causing:\n\n WARNING: CPU: 0 PID: 5497 at kernel/trace/trace_event_perf.c:405\n perf buffer not large enough, wanted 24620, have 8192\n\nCap all three dynamic arrays at 128 entries using min() in the array\nsize calculation. This ensures arrays are only as large as needed\n(up to the cap), avoiding unnecessary memory allocation for small\noperations while preventing overflow for large ones.\n\nThe tracepoint now records the full nents/ents counts and a truncated\nflag so users can see when data has been capped.\n\nChanges in v2:\n- Use min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing\n instead of fixed DMA_TRACE_MAX_ENTRIES allocation (feedback from\n Steven Rostedt)\n- This allocates only what\u0027s needed up to the cap, avoiding waste\n for small operations\n\nReviwed-by: Sean Anderson \u003csean.anderson@linux.dev\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:49:17.786Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/02d209bb018a40dee9eac89e91860253dee9605b"
},
{
"url": "https://git.kernel.org/stable/c/f2584f791a10343bdc995ff6ff402db45b95de69"
},
{
"url": "https://git.kernel.org/stable/c/daafcc0ef0b358d9d622b6e3b7c43767aa3814ee"
}
],
"title": "tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23390",
"datePublished": "2026-03-25T10:29:02.768Z",
"dateReserved": "2026-01-13T15:37:46.008Z",
"dateUpdated": "2026-03-25T16:49:17.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23388 (GCVE-0-2026-23388)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:28 – Updated: 2026-03-25 10:28
VLAI?
Title
Squashfs: check metadata block offset is within range
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check metadata block offset is within range
Syzkaller reports a "general protection fault in squashfs_copy_data"
This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.
The fix is to check that the offset is within range in
squashfs_read_metadata. This will trap this and other cases.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
f400e12656ab518be107febfe2315fb1eab5a342 , < 0c8ab092aec3ac4294940054772d30b511b16713
(git)
Affected: f400e12656ab518be107febfe2315fb1eab5a342 , < 6b847d65f5b0065e02080c61fad93d57d6686383 (git) Affected: f400e12656ab518be107febfe2315fb1eab5a342 , < 9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c (git) Affected: f400e12656ab518be107febfe2315fb1eab5a342 , < 01ee0bcc29864b78249308e8b35042b09bbf5fe3 (git) Affected: f400e12656ab518be107febfe2315fb1eab5a342 , < 3b9499e7d677dd4366239a292238489a804936b2 (git) Affected: f400e12656ab518be107febfe2315fb1eab5a342 , < fdb24a820a5832ec4532273282cbd4f22c291a0d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c8ab092aec3ac4294940054772d30b511b16713",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "6b847d65f5b0065e02080c61fad93d57d6686383",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "01ee0bcc29864b78249308e8b35042b09bbf5fe3",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "3b9499e7d677dd4366239a292238489a804936b2",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
},
{
"lessThan": "fdb24a820a5832ec4532273282cbd4f22c291a0d",
"status": "affected",
"version": "f400e12656ab518be107febfe2315fb1eab5a342",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/cache.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.77",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.77",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.17",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc2",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:28:06.224Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"
},
{
"url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"
},
{
"url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"
},
{
"url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"
},
{
"url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"
},
{
"url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"
}
],
"title": "Squashfs: check metadata block offset is within range",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23388",
"datePublished": "2026-03-25T10:28:06.224Z",
"dateReserved": "2026-01-13T15:37:46.008Z",
"dateUpdated": "2026-03-25T10:28:06.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23389 (GCVE-0-2026-23389)
Vulnerability from cvelistv5 – Published: 2026-03-25 10:28 – Updated: 2026-03-25 10:28
VLAI?
Title
ice: Fix memory leak in ice_set_ringparam()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix memory leak in ice_set_ringparam()
In ice_set_ringparam, tx_rings and xdp_rings are allocated before
rx_rings. If the allocation of rx_rings fails, the code jumps to
the done label leaking both tx_rings and xdp_rings. Furthermore, if
the setup of an individual Rx ring fails during the loop, the code jumps
to the free_tx label which releases tx_rings but leaks xdp_rings.
Fix this by introducing a free_xdp label and updating the error paths to
ensure both xdp_rings and tx_rings are properly freed if rx_rings
allocation or setup fails.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "44ba32a892b72de3faa04b8cfb1f2f1418fdd580",
"status": "affected",
"version": "fcea6f3da546b93050f3534aadea7bd96c1d7349",
"versionType": "git"
},
{
"lessThan": "fe868b499d16f55bbeea89992edb98043c9de416",
"status": "affected",
"version": "fcea6f3da546b93050f3534aadea7bd96c1d7349",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_ethtool.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.7",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc3",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix memory leak in ice_set_ringparam()\n\nIn ice_set_ringparam, tx_rings and xdp_rings are allocated before\nrx_rings. If the allocation of rx_rings fails, the code jumps to\nthe done label leaking both tx_rings and xdp_rings. Furthermore, if\nthe setup of an individual Rx ring fails during the loop, the code jumps\nto the free_tx label which releases tx_rings but leaks xdp_rings.\n\nFix this by introducing a free_xdp label and updating the error paths to\nensure both xdp_rings and tx_rings are properly freed if rx_rings\nallocation or setup fails.\n\nCompile tested only. Issue found using a prototype static analysis tool\nand code review."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T10:28:06.991Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/44ba32a892b72de3faa04b8cfb1f2f1418fdd580"
},
{
"url": "https://git.kernel.org/stable/c/fe868b499d16f55bbeea89992edb98043c9de416"
}
],
"title": "ice: Fix memory leak in ice_set_ringparam()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23389",
"datePublished": "2026-03-25T10:28:06.991Z",
"dateReserved": "2026-01-13T15:37:46.008Z",
"dateUpdated": "2026-03-25T10:28:06.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}