15382 vulnerabilities by Linux
CVE-2026-46333 (GCVE-0-2026-46333)
Vulnerability from cvelistv5 – Published: 2026-05-15 12:58 – Updated: 2026-05-18 12:53
Title
ptrace: slightly saner 'get_dumpable()' logic
Summary
In the Linux kernel, the following vulnerability has been resolved:

ptrace: slightly saner 'get_dumpable()' logic

The 'dumpability' of a task is fundamentally about the memory image of
the task - the concept comes from whether it can core dump or not - and
makes no sense when you don't have an associated mm.

And almost all users do in fact use it only for the case where the task
has a mm pointer.

But we have one odd special case: ptrace_may_access() uses 'dumpable' to
check various other things entirely independently of the MM (typically
explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for
threads that no longer have a VM (and maybe never did, like most kernel
threads).

It's not what this flag was designed for, but it is what it is.

The ptrace code does check that the uid/gid matches, so you do have to
be uid-0 to see kernel thread details, but this means that the
traditional "drop capabilities" model doesn't make any difference for
this all.

Make it all make a *bit* more sense by saying that if you don't have a
MM pointer, we'll use a cached "last dumpability" flag if the thread
ever had a MM (it will be zero for kernel threads since it is never
set), and require a proper CAP_SYS_PTRACE capability to override.
Severity
5.5 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 93d4ba49d18e3d7fb41a9927c2d0cca5e9dfefd6 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 15b828a46f305ae9f05a7c16914b3ce273474205 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 4709234fd1b95136ceb789f639b1e7ea5de1b181 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 8f907d345bae8f4b3f004c5abc56bf2dfb851ea7 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 6e5b51e74a40d377bcd3081dd33fbaa0e1aa7e3d (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 2a93a4fac7b6051d3be7cd1b015fe7320cd0404d (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 01363cb3fbd0238ffdeb09f53e9039c9edf8a730 (git) Affected: bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 , < 31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a (git) Affected: d5b3e840dbf6dd2c0f30b5982b6f5ecd49e46b12 (git) Affected: 03eed7afbc09e061f66b448daf7863174c3dc3f3 (git) Affected: e45692fa1aea06676449b63ef3c2b6e1e72b7578 (git) Affected: 694a95fa6dae4991f16cda333d897ea063021fed (git) | |
| Linux | Linux | Affected: 4.10 Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.256 , ≤ 5.10.* (semver) Unaffected: 5.15.207 , ≤ 5.15.* (semver) Unaffected: 6.1.173 , ≤ 6.1.* (semver) Unaffected: 6.6.139 , ≤ 6.6.* (semver) Unaffected: 6.12.89 , ≤ 6.12.* (semver) Unaffected: 6.18.31 , ≤ 6.18.* (semver) Unaffected: 7.0.8 , ≤ 7.0.* (semver) Unaffected: 7.1-rc4 , ≤ * (original_commit_for_fix) | |
CVE-2026-43490 (GCVE-0-2026-43490)
Vulnerability from cvelistv5 – Published: 2026-05-15 05:15 – Updated: 2026-05-15 05:15
Title
ksmbd: validate inherited ACE SID length
Summary
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate inherited ACE SID length

smb_inherit_dacl() walks the parent directory DACL loaded from the
security descriptor xattr. It verifies that each ACE contains the fixed
SID header before using it, but does not verify that the variable-length
SID described by sid.num_subauth is fully contained in the ACE.

A malformed inheritable ACE can advertise more subauthorities than are
present in the ACE. compare_sids() may then read past the ACE.
smb_set_ace() also clamps the copied destination SID, but used the
unchecked source SID count to compute the inherited ACE size. That could
advance the temporary inherited ACE buffer pointer and nt_size accounting
past the allocated buffer.

Fix this by validating the parent ACE SID count and SID length before
using the SID during inheritance. Compute the inherited ACE size from the
copied SID so the size matches the bounded destination SID. Reject the
inherited DACL if size accumulation would overflow smb_acl.size or the
security descriptor allocation size.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 47c6e37a77b10e74f70d845ba4ea5d3cafa00336 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 1aa60fea7f637c071f529ad6784aecca2f2f0c5f (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < c1d95c995d5bcb24b639200a899eda59cb1e6d64 (git) Affected: e2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9 , < 996454bc0da84d5a1dedb1a7861823087e01a7ae (git) | |
| Linux | Linux | Affected: 5.15 Unaffected: 0 , < 5.15 (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) | |
CVE-2026-43489 (GCVE-0-2026-43489)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
liveupdate: luo_file: remember retrieve() status
Summary
In the Linux kernel, the following vulnerability has been resolved:

liveupdate: luo_file: remember retrieve() status

LUO keeps track of successful retrieve attempts on a LUO file. It does so
to avoid multiple retrievals of the same file. Multiple retrievals cause
problems because once the file is retrieved, the serialized data
structures are likely freed and the file is likely in a very different
state from what the code expects.

The retrieve boolean in struct luo_file keeps track of this, and is passed
to the finish callback so it knows what work was already done and what it
has left to do.

All this works well when retrieve succeeds. When it fails,
luo_retrieve_file() returns the error immediately, without ever storing
anywhere that a retrieve was attempted or what its error code was. This
results in an errored LIVEUPDATE_SESSION_RETRIEVE_FD ioctl to userspace,
but nothing prevents it from trying this again.

The retry is problematic for much of the same reasons listed above. The
file is likely in a very different state than what the retrieve logic
normally expects, and it might even have freed some serialization data
structures. Attempting to access them or free them again is going to
break things.

For example, if memfd managed to restore 8 of its 10 folios, but fails on
the 9th, a subsequent retrieve attempt will try to call
kho_restore_folio() on the first folio again, and that will fail with a
warning since it is an invalid operation.

Apart from the retry, finish() also breaks. Since on failure the
retrieved bool in luo_file is never touched, the finish() call on session
close will tell the file handler that retrieve was never attempted, and it
will try to access or free the data structures that might not exist, much
in the same way as the retry attempt.

There is no sane way of attempting the retrieve again. Remember the error
retrieve returned and directly return it on a retry. Also pass this
status code to finish() so it can make the right decision on the work it
needs to do.

This is done by changing the bool to an integer. A value of 0 means
retrieve was never attempted, a positive value means it succeeded, and a
negative value means it failed and the error code is the value.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < 1d3ad69484dc1cc53be62d2554e7ef038a627af9 (git) Affected: 7c722a7f44e0c1f9714084152226bc7bd644b7e3 , < f85b1c6af5bc3872f994df0a5688c1162de07a62 (git) | |
| Linux | Linux | Affected: 6.19 Unaffected: 0 , < 6.19 (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
CVE-2026-43488 (GCVE-0-2026-43488)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-14 14:31
Title
usb: xhci: Prevent interrupt storm on host controller error (HCE)
Summary
In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Prevent interrupt storm on host controller error (HCE)

The xHCI controller reports a Host Controller Error (HCE) in UAS Storage
Device plug/unplug scenarios on Android devices. HCE is checked in
xhci_irq() function and causes an interrupt storm (since the interrupt
isn’t cleared), leading to severe system-level faults.

When the xHC controller reports HCE in the interrupt handler, the driver
only logs a warning and assumes xHC activity will stop as stated in xHCI
specification. An interrupt storm does however continue on some hosts
even after HCE, and only ceases after manually disabling xHC interrupt
and stopping the controller by calling xhci_halt().

Add xhci_halt() to xhci_irq() function where STS_HCE status is checked,
mirroring the existing error handling pattern used for STS_FATAL errors.

This only fixes the interrupt storm. Proper HCE recovery requires resetting
and re-initializing the xHC.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < b2dd9abf8c06cfcbcf242321fd54ae51a4807705 (git) Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < 6f91f3f087194c114d6d8ea4591b850bb00672f8 (git) Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < cd41e0d1df8fcf5eae294657da52b50d1ce03246 (git) Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < 09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d (git) Affected: 2a25e66d676dfb9b018abd503deed3d38a892dec , < d6d5febd12452b7fd951fdd15c3ec262f01901a4 (git) | |
| Linux | Linux | Affected: 6.2 Unaffected: 0 , < 6.2 (semver) Unaffected: 6.6.130 , ≤ 6.6.* (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.19 , ≤ 6.18.* (semver) Unaffected: 6.19.9 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
CVE-2026-43487 (GCVE-0-2026-43487)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
ata: libata-core: Disable LPM on ST1000DM010-2EP102
Summary
In the Linux kernel, the following vulnerability has been resolved:
ata: libata-core: Disable LPM on ST1000DM010-2EP102
According to a user report, the ST1000DM010-2EP102 has problems with LPM,
causing random system freezes. The drive belongs to the same BarraCuda
family as the ST2000DM008-2FR102 which has the same issue.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7627a0edef548c4c4dea62df51cc26bfe5bbcab8 , < f897b72cc74d24e7106716184f450d4045a6289b (git); Affected: 7627a0edef548c4c4dea62df51cc26bfe5bbcab8 , < 87f0349beaacab2ac60c4a1b6dcff254cef7d5a0 (git); Affected: 7627a0edef548c4c4dea62df51cc26bfe5bbcab8 , < a4bfb1947eda615fe0b2fc54beb6bedc03372e34 (git); Affected: 7627a0edef548c4c4dea62df51cc26bfe5bbcab8 , < b3b1d3ae1d87bc9398fb715c945968bf4c75a09a (git) |
| Linux | Linux | Affected: 6.9; Unaffected: 0 , < 6.9 (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f897b72cc74d24e7106716184f450d4045a6289b",
"status": "affected",
"version": "7627a0edef548c4c4dea62df51cc26bfe5bbcab8",
"versionType": "git"
},
{
"lessThan": "87f0349beaacab2ac60c4a1b6dcff254cef7d5a0",
"status": "affected",
"version": "7627a0edef548c4c4dea62df51cc26bfe5bbcab8",
"versionType": "git"
},
{
"lessThan": "a4bfb1947eda615fe0b2fc54beb6bedc03372e34",
"status": "affected",
"version": "7627a0edef548c4c4dea62df51cc26bfe5bbcab8",
"versionType": "git"
},
{
"lessThan": "b3b1d3ae1d87bc9398fb715c945968bf4c75a09a",
"status": "affected",
"version": "7627a0edef548c4c4dea62df51cc26bfe5bbcab8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ata/libata-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Disable LPM on ST1000DM010-2EP102\n\nAccording to a user report, the ST1000DM010-2EP102 has problems with LPM,\ncausing random system freezes. The drive belongs to the same BarraCuda\nfamily as the ST2000DM008-2FR102 which has the same issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:32.631Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f897b72cc74d24e7106716184f450d4045a6289b"
},
{
"url": "https://git.kernel.org/stable/c/87f0349beaacab2ac60c4a1b6dcff254cef7d5a0"
},
{
"url": "https://git.kernel.org/stable/c/a4bfb1947eda615fe0b2fc54beb6bedc03372e34"
},
{
"url": "https://git.kernel.org/stable/c/b3b1d3ae1d87bc9398fb715c945968bf4c75a09a"
}
],
"title": "ata: libata-core: Disable LPM on ST1000DM010-2EP102",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43487",
"datePublished": "2026-05-13T15:08:32.631Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:32.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43486 (GCVE-0-2026-43486)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults
contpte_ptep_set_access_flags() compared the gathered ptep_get() value
against the requested entry to detect no-ops. ptep_get() ORs AF/dirty
from all sub-PTEs in the CONT block, so a dirty sibling can make the
target appear already-dirty. When the gathered value matches entry, the
function returns 0 even though the target sub-PTE still has PTE_RDONLY
set in hardware.
For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may
set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered
across the CONT range. But page-table walkers that evaluate each
descriptor individually (e.g. a CPU without DBM support, or an SMMU
without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the
unchanged target sub-PTE, causing an infinite fault loop.
Gathering can therefore cause false no-ops when only a sibling has been
updated:
- write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)
- read faults: target still lacks PTE_AF
Fix by checking each sub-PTE against the requested AF/dirty/write state
(the same bits consumed by __ptep_set_access_flags()), using raw
per-PTE values rather than the gathered ptep_get() view, before
returning no-op. Keep using the raw target PTE for the write-bit unfold
decision.
Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT
range may become the effective cached translation and software must
maintain consistent attributes across the range.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0 (git); Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 6f92a7a8b48a523f910ef25dd83808710724f59b (git); Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 09d620555e59768776090073a2c59d2bc8506eb3 (git); Affected: 4602e5757bcceb231c3a13c36c373ad4a750eddb , < 97c5550b763171dbef61e6239cab372b9f9cd4a2 (git) |
| Linux | Linux | Affected: 6.9; Unaffected: 0 , < 6.9 (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/contpte.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0",
"status": "affected",
"version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
"versionType": "git"
},
{
"lessThan": "6f92a7a8b48a523f910ef25dd83808710724f59b",
"status": "affected",
"version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
"versionType": "git"
},
{
"lessThan": "09d620555e59768776090073a2c59d2bc8506eb3",
"status": "affected",
"version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
"versionType": "git"
},
{
"lessThan": "97c5550b763171dbef61e6239cab372b9f9cd4a2",
"status": "affected",
"version": "4602e5757bcceb231c3a13c36c373ad4a750eddb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/mm/contpte.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults\n\ncontpte_ptep_set_access_flags() compared the gathered ptep_get() value\nagainst the requested entry to detect no-ops. ptep_get() ORs AF/dirty\nfrom all sub-PTEs in the CONT block, so a dirty sibling can make the\ntarget appear already-dirty. When the gathered value matches entry, the\nfunction returns 0 even though the target sub-PTE still has PTE_RDONLY\nset in hardware.\n\nFor a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may\nset AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered\nacross the CONT range. But page-table walkers that evaluate each\ndescriptor individually (e.g. a CPU without DBM support, or an SMMU\nwithout HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the\nunchanged target sub-PTE, causing an infinite fault loop.\n\nGathering can therefore cause false no-ops when only a sibling has been\nupdated:\n - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)\n - read faults: target still lacks PTE_AF\n\nFix by checking each sub-PTE against the requested AF/dirty/write state\n(the same bits consumed by __ptep_set_access_flags()), using raw\nper-PTE values rather than the gathered ptep_get() view, before\nreturning no-op. Keep using the raw target PTE for the write-bit unfold\ndecision.\n\nPer Arm ARM (DDI 0487) D8.7.1 (\"The Contiguous bit\"), any sub-PTE in a CONT\nrange may become the effective cached translation and software must\nmaintain consistent attributes across the range."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:32.085Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05d239f2c95e66e27e7fb4e99ee07eb56e3e34b0"
},
{
"url": "https://git.kernel.org/stable/c/6f92a7a8b48a523f910ef25dd83808710724f59b"
},
{
"url": "https://git.kernel.org/stable/c/09d620555e59768776090073a2c59d2bc8506eb3"
},
{
"url": "https://git.kernel.org/stable/c/97c5550b763171dbef61e6239cab372b9f9cd4a2"
}
],
"title": "arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43486",
"datePublished": "2026-05-13T15:08:32.085Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:32.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43485 (GCVE-0-2026-43485)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
nouveau/gsp: drop WARN_ON in ACPI probes
Summary
In the Linux kernel, the following vulnerability has been resolved:
nouveau/gsp: drop WARN_ON in ACPI probes
These WARN_ONs seem to trigger a lot, and we don't seem to have a
plan to fix them, so just drop them, as they are most likely
harmless.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 176fdcbddfd288408ce8571c1760ad618d962096 , < 214b6bde0e941a34ba877cf2f26f85d62fb5d598 (git); Affected: 176fdcbddfd288408ce8571c1760ad618d962096 , < d1c991c860496d97044802ea54b30f20db468c1d (git); Affected: 176fdcbddfd288408ce8571c1760ad618d962096 , < 9478c166c46934160135e197b049b5a05753f2ad (git) |
| Linux | Linux | Affected: 6.7; Unaffected: 0 , < 6.7 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "214b6bde0e941a34ba877cf2f26f85d62fb5d598",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
},
{
"lessThan": "d1c991c860496d97044802ea54b30f20db468c1d",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
},
{
"lessThan": "9478c166c46934160135e197b049b5a05753f2ad",
"status": "affected",
"version": "176fdcbddfd288408ce8571c1760ad618d962096",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/gsp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/gsp: drop WARN_ON in ACPI probes\n\nThese WARN_ONs seem to trigger a lot, and we don\u0027t seem to have a\nplan to fix them, so just drop them, as they are most likely\nharmless."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:31.508Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/214b6bde0e941a34ba877cf2f26f85d62fb5d598"
},
{
"url": "https://git.kernel.org/stable/c/d1c991c860496d97044802ea54b30f20db468c1d"
},
{
"url": "https://git.kernel.org/stable/c/9478c166c46934160135e197b049b5a05753f2ad"
}
],
"title": "nouveau/gsp: drop WARN_ON in ACPI probes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43485",
"datePublished": "2026-05-13T15:08:31.508Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:31.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43484 (GCVE-0-2026-43484)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
mmc: core: Avoid bitfield RMW for claim/retune flags
Summary
In the Linux kernel, the following vulnerability has been resolved:
mmc: core: Avoid bitfield RMW for claim/retune flags
Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.
The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.
Severity
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < 41dce4dae583a8ce06a7ebf4ce704c46a142957c (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < bb7fc2498c3bb25fa6a91f22f4760005325cfbd5 (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < 270277c2ab631044867adb1bd2f2433d3892de6e (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < 45038e03f15e992c48603fff8c6b1c9be5397ac9 (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < 0e06cc511c61cff1591e5435a207759adcc76b6d (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < d3a3caf44c8ec26f5d63dc17c1c7242effa60ebc (git); Affected: 6c0cedd1ef9527ef13e66875746570e76a3188a7 , < 901084c51a0a8fb42a3f37d2e9c62083c495f824 (git) |
| Linux | Linux | Affected: 4.15; Unaffected: 0 , < 4.15 (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/mmc/host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "41dce4dae583a8ce06a7ebf4ce704c46a142957c",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "bb7fc2498c3bb25fa6a91f22f4760005325cfbd5",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "270277c2ab631044867adb1bd2f2433d3892de6e",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "45038e03f15e992c48603fff8c6b1c9be5397ac9",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "0e06cc511c61cff1591e5435a207759adcc76b6d",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "d3a3caf44c8ec26f5d63dc17c1c7242effa60ebc",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
},
{
"lessThan": "901084c51a0a8fb42a3f37d2e9c62083c495f824",
"status": "affected",
"version": "6c0cedd1ef9527ef13e66875746570e76a3188a7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/mmc/host.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid bitfield RMW for claim/retune flags\n\nMove claimed and retune control flags out of the bitfield word to\navoid unrelated RMW side effects in asynchronous contexts.\n\nThe host-\u003eclaimed bit shared a word with retune flags. Writes to claimed\nin __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite\nother bits when concurrent updates happen in other contexts, triggering\nspurious WARN_ON(!host-\u003eclaimed). Convert claimed, can_retune,\nretune_now and retune_paused to bool to remove shared-word coupling."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:30.919Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/41dce4dae583a8ce06a7ebf4ce704c46a142957c"
},
{
"url": "https://git.kernel.org/stable/c/bb7fc2498c3bb25fa6a91f22f4760005325cfbd5"
},
{
"url": "https://git.kernel.org/stable/c/270277c2ab631044867adb1bd2f2433d3892de6e"
},
{
"url": "https://git.kernel.org/stable/c/45038e03f15e992c48603fff8c6b1c9be5397ac9"
},
{
"url": "https://git.kernel.org/stable/c/0e06cc511c61cff1591e5435a207759adcc76b6d"
},
{
"url": "https://git.kernel.org/stable/c/d3a3caf44c8ec26f5d63dc17c1c7242effa60ebc"
},
{
"url": "https://git.kernel.org/stable/c/901084c51a0a8fb42a3f37d2e9c62083c495f824"
}
],
"title": "mmc: core: Avoid bitfield RMW for claim/retune flags",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43484",
"datePublished": "2026-05-13T15:08:30.919Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:30.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43483 (GCVE-0-2026-43483)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
Explicitly set/clear CR8 write interception when AVIC is (de)activated to
fix a bug where KVM leaves the interception enabled after AVIC is
activated. E.g. if KVM emulates INIT=>WFS while AVIC is deactivated, CR8
will remain intercepted in perpetuity.
On its own, the dangling CR8 intercept is "just" a performance issue, but
combined with the TPR sync bug fixed by commit d02e48830e3f ("KVM: SVM:
Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active"), the dangling
intercept is fatal to Windows guests as the TPR seen by hardware gets
wildly out of sync with reality.
Note, VMX isn't affected by the bug as TPR_THRESHOLD is explicitly ignored
when Virtual Interrupt Delivery is enabled, i.e. when APICv is active in
KVM's world. I.e. there's no need to trigger update_cr8_intercept(), this
is firmly an SVM implementation flaw/detail.
WARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should
never enter the guest with AVIC enabled and CR8 writes intercepted.
[Squash fix to avic_deactivate_vmcb. - Paolo]
Severity
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < a4123fe5d9122eef9852e4921f7cc463420f30d4 (git); Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 816fa1dfae4532e851b1fe6b2434c753ecbd86c7 (git); Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 01651e7751edbbc0fb4598f8367a3dabcfc8c182 (git); Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < ba3bca40f9f25c053f69413e5f4a41dd0fd762bf (git); Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 737410b32bd615b321da4fbeda490351b9af5e8b (git); Affected: 3bbf3565f48ce3999b5a12cde946f81bd4475312 , < 87d0f901a9bd8ae6be57249c737f20ac0cace93d (git) |
| Linux | Linux | Affected: 4.7; Unaffected: 0 , < 4.7 (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a4123fe5d9122eef9852e4921f7cc463420f30d4",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "816fa1dfae4532e851b1fe6b2434c753ecbd86c7",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "01651e7751edbbc0fb4598f8367a3dabcfc8c182",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "ba3bca40f9f25c053f69413e5f4a41dd0fd762bf",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "737410b32bd615b321da4fbeda490351b9af5e8b",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
},
{
"lessThan": "87d0f901a9bd8ae6be57249c737f20ac0cace93d",
"status": "affected",
"version": "3bbf3565f48ce3999b5a12cde946f81bd4475312",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/avic.c",
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.7"
},
{
"lessThan": "4.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated\n\nExplicitly set/clear CR8 write interception when AVIC is (de)activated to\nfix a bug where KVM leaves the interception enabled after AVIC is\nactivated. E.g. if KVM emulates INIT=\u003eWFS while AVIC is deactivated, CR8\nwill remain intercepted in perpetuity.\n\nOn its own, the dangling CR8 intercept is \"just\" a performance issue, but\ncombined with the TPR sync bug fixed by commit d02e48830e3f (\"KVM: SVM:\nSync TPR from LAPIC into VMCB::V_TPR even if AVIC is active\"), the danging\nintercept is fatal to Windows guests as the TPR seen by hardware gets\nwildly out of sync with reality.\n\nNote, VMX isn\u0027t affected by the bug as TPR_THRESHOLD is explicitly ignored\nwhen Virtual Interrupt Delivery is enabled, i.e. when APICv is active in\nKVM\u0027s world. I.e. there\u0027s no need to trigger update_cr8_intercept(), this\nis firmly an SVM implementation flaw/detail.\n\nWARN if KVM gets a CR8 write #VMEXIT while AVIC is active, as KVM should\nnever enter the guest with AVIC enabled and CR8 writes intercepted.\n\n[Squash fix to avic_deactivate_vmcb. - Paolo]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:30.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a4123fe5d9122eef9852e4921f7cc463420f30d4"
},
{
"url": "https://git.kernel.org/stable/c/816fa1dfae4532e851b1fe6b2434c753ecbd86c7"
},
{
"url": "https://git.kernel.org/stable/c/01651e7751edbbc0fb4598f8367a3dabcfc8c182"
},
{
"url": "https://git.kernel.org/stable/c/ba3bca40f9f25c053f69413e5f4a41dd0fd762bf"
},
{
"url": "https://git.kernel.org/stable/c/737410b32bd615b321da4fbeda490351b9af5e8b"
},
{
"url": "https://git.kernel.org/stable/c/87d0f901a9bd8ae6be57249c737f20ac0cace93d"
}
],
"title": "KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43483",
"datePublished": "2026-05-13T15:08:30.319Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:30.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43482 (GCVE-0-2026-43482)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Disable preemption between scx_claim_exit() and kicking helper work
scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from
triggering further error handling. After claiming exit, the caller must kick
the helper kthread work which initiates bypass mode and teardown.
If the calling task gets preempted between claiming exit and kicking the
helper work, and the BPF scheduler fails to schedule it back (since error
handling is now disabled), the helper work is never queued, bypass mode
never activates, tasks stop being dispatched, and the system wedges.
Disable preemption across scx_claim_exit() and the subsequent work kicking
in all callers - scx_disable() and scx_vexit(). Add
lockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the
requirement.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f0e1a0643a59bf1f922fa209cec86a170b784f3f , < 41423912f7ac7494ccd6eef411227b4efce740e0 (git); Affected: f0e1a0643a59bf1f922fa209cec86a170b784f3f , < 522acaae34aa7e05859260056b39c7c030592a0c (git); Affected: f0e1a0643a59bf1f922fa209cec86a170b784f3f , < 5131dbec2c10961b34f844bc30b400c3fa0bcc72 (git); Affected: f0e1a0643a59bf1f922fa209cec86a170b784f3f , < 83236b2e43dba00bee5b82eb5758816b1a674f6a (git) |
| Linux | Linux | Affected: 6.12; Unaffected: 0 , < 6.12 (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.20 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "41423912f7ac7494ccd6eef411227b4efce740e0",
"status": "affected",
"version": "f0e1a0643a59bf1f922fa209cec86a170b784f3f",
"versionType": "git"
},
{
"lessThan": "522acaae34aa7e05859260056b39c7c030592a0c",
"status": "affected",
"version": "f0e1a0643a59bf1f922fa209cec86a170b784f3f",
"versionType": "git"
},
{
"lessThan": "5131dbec2c10961b34f844bc30b400c3fa0bcc72",
"status": "affected",
"version": "f0e1a0643a59bf1f922fa209cec86a170b784f3f",
"versionType": "git"
},
{
"lessThan": "83236b2e43dba00bee5b82eb5758816b1a674f6a",
"status": "affected",
"version": "f0e1a0643a59bf1f922fa209cec86a170b784f3f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/ext.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Disable preemption between scx_claim_exit() and kicking helper work\n\nscx_claim_exit() atomically sets exit_kind, which prevents scx_error() from\ntriggering further error handling. After claiming exit, the caller must kick\nthe helper kthread work which initiates bypass mode and teardown.\n\nIf the calling task gets preempted between claiming exit and kicking the\nhelper work, and the BPF scheduler fails to schedule it back (since error\nhandling is now disabled), the helper work is never queued, bypass mode\nnever activates, tasks stop being dispatched, and the system wedges.\n\nDisable preemption across scx_claim_exit() and the subsequent work kicking\nin all callers - scx_disable() and scx_vexit(). Add\nlockdep_assert_preemption_disabled() to scx_claim_exit() to enforce the\nrequirement."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:29.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/41423912f7ac7494ccd6eef411227b4efce740e0"
},
{
"url": "https://git.kernel.org/stable/c/522acaae34aa7e05859260056b39c7c030592a0c"
},
{
"url": "https://git.kernel.org/stable/c/5131dbec2c10961b34f844bc30b400c3fa0bcc72"
},
{
"url": "https://git.kernel.org/stable/c/83236b2e43dba00bee5b82eb5758816b1a674f6a"
}
],
"title": "sched_ext: Disable preemption between scx_claim_exit() and kicking helper work",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43482",
"datePublished": "2026-05-13T15:08:29.739Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:29.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43481 (GCVE-0-2026-43481)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
net-shapers: don't free reply skb after genlmsg_reply()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net-shapers: don't free reply skb after genlmsg_reply()
genlmsg_reply() hands the reply skb to netlink, and
netlink_unicast() consumes it on all return paths, whether the
skb is queued successfully or freed on an error path.
net_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()
currently jump to free_msg after genlmsg_reply() fails and call
nlmsg_free(msg), which can hit the same skb twice.
Return the genlmsg_reply() error directly and keep free_msg
only for pre-reply failures.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb , < 8738dcc844fff7d0157ee775230e95df3b1884d7 (git); Affected: 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb , < 83f7b54242d0abbfce35a55c01322f50962ed3ee (git); Affected: 4b623f9f0f59652ea71fcb27d60b4c3b65126dbb , < 57885276cc16a2e2b76282c808a4e84cbecb3aae (git) |
| Linux | Linux | Affected: 6.13; Unaffected: 0 , < 6.13 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/shaper/shaper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8738dcc844fff7d0157ee775230e95df3b1884d7",
"status": "affected",
"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb",
"versionType": "git"
},
{
"lessThan": "83f7b54242d0abbfce35a55c01322f50962ed3ee",
"status": "affected",
"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb",
"versionType": "git"
},
{
"lessThan": "57885276cc16a2e2b76282c808a4e84cbecb3aae",
"status": "affected",
"version": "4b623f9f0f59652ea71fcb27d60b4c3b65126dbb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/shaper/shaper.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet-shapers: don\u0027t free reply skb after genlmsg_reply()\n\ngenlmsg_reply() hands the reply skb to netlink, and\nnetlink_unicast() consumes it on all return paths, whether the\nskb is queued successfully or freed on an error path.\n\nnet_shaper_nl_get_doit() and net_shaper_nl_cap_get_doit()\ncurrently jump to free_msg after genlmsg_reply() fails and call\nnlmsg_free(msg), which can hit the same skb twice.\n\nReturn the genlmsg_reply() error directly and keep free_msg\nonly for pre-reply failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:29.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8738dcc844fff7d0157ee775230e95df3b1884d7"
},
{
"url": "https://git.kernel.org/stable/c/83f7b54242d0abbfce35a55c01322f50962ed3ee"
},
{
"url": "https://git.kernel.org/stable/c/57885276cc16a2e2b76282c808a4e84cbecb3aae"
}
],
"title": "net-shapers: don\u0027t free reply skb after genlmsg_reply()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43481",
"datePublished": "2026-05-13T15:08:29.116Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:29.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43480 (GCVE-0-2026-43480)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
The acp3x_5682_init() function did not check the return value of
clk_get(), which could lead to dereferencing error pointers in
rt5682_clk_enable().
Fix this by:
1. Changing clk_get() to the device-managed devm_clk_get().
2. Adding proper IS_ERR() checks for both clock acquisitions.
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 2dc43ac8da7b2bebc5a51a3d86a6275d78f27cff (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 4d802f23fcbfec05134653fd001f6c7c3fd55196 (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 2b0c4a399c8d27f20ecf17dda76751141d6dbb59 (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 35c7624d30cb45ec336cd16ce072acc32ae351cb (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 33de168afdd57265a0e0c20dbd3648a2d8f7cdc4 (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 790851ecc983c719fa2e6adb17b02f3acc1d217d (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 092522621901b5e6af61db04a53f5b313903c6d0 (git); Affected: 6b8e4e7db3cd236a2cbb720360fb135087a2ac1d , < 53f3a900e9a383d47af7253076e19f510c5708d0 (git) |
| Linux | Linux | Affected: 5.7; Unaffected: 0 , < 5.7 (semver); Unaffected: 5.10.253 , ≤ 5.10.* (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/acp3x-rt5682-max9836.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2dc43ac8da7b2bebc5a51a3d86a6275d78f27cff",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "4d802f23fcbfec05134653fd001f6c7c3fd55196",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "2b0c4a399c8d27f20ecf17dda76751141d6dbb59",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "35c7624d30cb45ec336cd16ce072acc32ae351cb",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "33de168afdd57265a0e0c20dbd3648a2d8f7cdc4",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "790851ecc983c719fa2e6adb17b02f3acc1d217d",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "092522621901b5e6af61db04a53f5b313903c6d0",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
},
{
"lessThan": "53f3a900e9a383d47af7253076e19f510c5708d0",
"status": "affected",
"version": "6b8e4e7db3cd236a2cbb720360fb135087a2ac1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/amd/acp3x-rt5682-max9836.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition\n\nThe acp3x_5682_init() function did not check the return value of\nclk_get(), which could lead to dereferencing error pointers in\nrt5682_clk_enable().\n\nFix this by:\n1. Changing clk_get() to the device-managed devm_clk_get().\n2. Adding proper IS_ERR() checks for both clock acquisitions."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:28.517Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2dc43ac8da7b2bebc5a51a3d86a6275d78f27cff"
},
{
"url": "https://git.kernel.org/stable/c/4d802f23fcbfec05134653fd001f6c7c3fd55196"
},
{
"url": "https://git.kernel.org/stable/c/2b0c4a399c8d27f20ecf17dda76751141d6dbb59"
},
{
"url": "https://git.kernel.org/stable/c/35c7624d30cb45ec336cd16ce072acc32ae351cb"
},
{
"url": "https://git.kernel.org/stable/c/33de168afdd57265a0e0c20dbd3648a2d8f7cdc4"
},
{
"url": "https://git.kernel.org/stable/c/790851ecc983c719fa2e6adb17b02f3acc1d217d"
},
{
"url": "https://git.kernel.org/stable/c/092522621901b5e6af61db04a53f5b313903c6d0"
},
{
"url": "https://git.kernel.org/stable/c/53f3a900e9a383d47af7253076e19f510c5708d0"
}
],
"title": "ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43480",
"datePublished": "2026-05-13T15:08:28.517Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:28.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43479 (GCVE-0-2026-43479)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
Remove redundant netif_napi_del() call from disconnect path.
A WARN may be triggered in __netif_napi_del_locked() during USB device
disconnect:
WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
This happens because netif_napi_del() is called in the disconnect path while
NAPI is still enabled. However, it is not necessary to call netif_napi_del()
explicitly, since unregister_netdev() will handle NAPI teardown automatically
and safely. Removing the redundant call avoids triggering the warning.
Full trace:
lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV
lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV
lan78xx 1-1:1.0 enu1: Link is Down
lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
Modules linked in: flexcan can_dev fuse
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT
Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)
Workqueue: usb_hub_wq hub_event
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __netif_napi_del_locked+0x2b4/0x350
lr : __netif_napi_del_locked+0x7c/0x350
sp : ffffffc085b673c0
x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8
x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb
x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000
x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000
x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028
x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8
x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000
x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001
x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000
Call trace:
__netif_napi_del_locked+0x2b4/0x350 (P)
lan78xx_disconnect+0xf4/0x360
usb_unbind_interface+0x158/0x718
device_remove+0x100/0x150
device_release_driver_internal+0x308/0x478
device_release_driver+0x1c/0x30
bus_remove_device+0x1a8/0x368
device_del+0x2e0/0x7b0
usb_disable_device+0x244/0x540
usb_disconnect+0x220/0x758
hub_event+0x105c/0x35e0
process_one_work+0x760/0x17b0
worker_thread+0x768/0xce8
kthread+0x3bc/0x690
ret_from_fork+0x10/0x20
irq event stamp: 211604
hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98
hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80
softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8
softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20
---[ end trace 0000000000000000 ]---
lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: e110bc82589752909e283ba5cbc160e0ab56c085 , < 20ce2bd1c1848414c5d3520d301ed3f5751ed634 (git); Affected: e110bc82589752909e283ba5cbc160e0ab56c085 , < 395a8b903738511f536c97c427e15ef038e1a11c (git); Affected: e110bc82589752909e283ba5cbc160e0ab56c085 , < 312c816c6bc30342bc30dca0d6db617ab4d3ae4e (git) |
| Linux | Linux | Affected: 6.17; Unaffected: 0 , < 6.17 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/lan78xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "20ce2bd1c1848414c5d3520d301ed3f5751ed634",
"status": "affected",
"version": "e110bc82589752909e283ba5cbc160e0ab56c085",
"versionType": "git"
},
{
"lessThan": "395a8b903738511f536c97c427e15ef038e1a11c",
"status": "affected",
"version": "e110bc82589752909e283ba5cbc160e0ab56c085",
"versionType": "git"
},
{
"lessThan": "312c816c6bc30342bc30dca0d6db617ab4d3ae4e",
"status": "affected",
"version": "e110bc82589752909e283ba5cbc160e0ab56c085",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/lan78xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect\n\nRemove redundant netif_napi_del() call from disconnect path.\n\nA WARN may be triggered in __netif_napi_del_locked() during USB device\ndisconnect:\n\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n\nThis happens because netif_napi_del() is called in the disconnect path while\nNAPI is still enabled. However, it is not necessary to call netif_napi_del()\nexplicitly, since unregister_netdev() will handle NAPI teardown automatically\nand safely. Removing the redundant call avoids triggering the warning.\n\nFull trace:\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV\n lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV\n lan78xx 1-1:1.0 enu1: Link is Down\n lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350\n Modules linked in: flexcan can_dev fuse\n CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT\n Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)\n Workqueue: usb_hub_wq hub_event\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __netif_napi_del_locked+0x2b4/0x350\n lr : __netif_napi_del_locked+0x7c/0x350\n sp : ffffffc085b673c0\n x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8\n x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb\n x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000\n x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000\n x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028\n x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8\n x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000\n x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001\n x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000\n x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000\n Call trace:\n __netif_napi_del_locked+0x2b4/0x350 (P)\n lan78xx_disconnect+0xf4/0x360\n usb_unbind_interface+0x158/0x718\n device_remove+0x100/0x150\n device_release_driver_internal+0x308/0x478\n device_release_driver+0x1c/0x30\n bus_remove_device+0x1a8/0x368\n device_del+0x2e0/0x7b0\n usb_disable_device+0x244/0x540\n usb_disconnect+0x220/0x758\n hub_event+0x105c/0x35e0\n process_one_work+0x760/0x17b0\n worker_thread+0x768/0xce8\n kthread+0x3bc/0x690\n ret_from_fork+0x10/0x20\n irq event stamp: 211604\n hardirqs last enabled at (211603): [\u003cffffffc0828cc9ec\u003e] _raw_spin_unlock_irqrestore+0x84/0x98\n hardirqs last disabled at (211604): [\u003cffffffc0828a9a84\u003e] el1_dbg+0x24/0x80\n softirqs last enabled at (211296): [\u003cffffffc080095f10\u003e] handle_softirqs+0x820/0xbc8\n softirqs last disabled at (210993): [\u003cffffffc080010288\u003e] __do_softirq+0x18/0x20\n ---[ end trace 0000000000000000 ]---\n lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:27.932Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/20ce2bd1c1848414c5d3520d301ed3f5751ed634"
},
{
"url": "https://git.kernel.org/stable/c/395a8b903738511f536c97c427e15ef038e1a11c"
},
{
"url": "https://git.kernel.org/stable/c/312c816c6bc30342bc30dca0d6db617ab4d3ae4e"
}
],
"title": "net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43479",
"datePublished": "2026-05-13T15:08:27.932Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:27.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43478 (GCVE-0-2026-43478)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put
The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the
DAPM context is snd_soc_component_to_dapm(), from kcontrol we will
receive NULL pointer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 5b35bb517f27fc2401ec3cfd8c02a127627a0188 , < b10b2b15b45923ff2807eeb034d91a39b0a3e690 (git); Affected: 5b35bb517f27fc2401ec3cfd8c02a127627a0188 , < 30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399 (git) |
| Linux | Linux | Affected: 6.19; Unaffected: 0 , < 6.19 (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt1011.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b10b2b15b45923ff2807eeb034d91a39b0a3e690",
"status": "affected",
"version": "5b35bb517f27fc2401ec3cfd8c02a127627a0188",
"versionType": "git"
},
{
"lessThan": "30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399",
"status": "affected",
"version": "5b35bb517f27fc2401ec3cfd8c02a127627a0188",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/codecs/rt1011.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put\n\nThe correct helper to use in rt1011_recv_spk_mode_put() to retrieve the\nDAPM context is snd_soc_component_to_dapm(), from kcontrol we will\nreceive NULL pointer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:27.352Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b10b2b15b45923ff2807eeb034d91a39b0a3e690"
},
{
"url": "https://git.kernel.org/stable/c/30e4b2290cc2a8d1b9ddb9dcb9c981df1f2a7399"
}
],
"title": "ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43478",
"datePublished": "2026-05-13T15:08:27.352Z",
"dateReserved": "2026-05-01T14:12:56.012Z",
"dateUpdated": "2026-05-13T15:08:27.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43477 (GCVE-0-2026-43477)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL
Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE
before enabling TRANS_DDI_FUNC_CTL.
Personally I was only able to reproduce a hang (on a Dell XPS 7390
2-in-1) with an external display connected via a dock using a dodgy
type-C cable that made the link training fail. After the failed
link training the machine would hang. TGL seemed immune to the
problem for whatever reason.
BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL
as well. The DMC firmware also does the VRR restore in two stages:
- first stage seems to be unconditional and includes TRANS_VRR_CTL
and a few other VRR registers, among other things
- second stage is conditional on the DDI being enabled,
and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,
among other things
So let's reorder the steps to match to avoid the hang, and
toss in an extra WARN to make sure we don't screw this up later.
BSpec: 22243
(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < 8a7d29b8bda144d44e61df1b2705b1d4378f4e44 (git); Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < bf9e3b6ffd76da38dd4961c65d80571b25bf10a5 (git); Affected: dda7dcd9da73c5327aef42b89f0519bb51e84217 , < 237aab549676288d9255bb8dcc284738e56eaa31 (git) |
| Linux | Linux | Affected: 6.16; Unaffected: 0 , < 6.16 (semver); Unaffected: 6.18.20 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_display.c",
"drivers/gpu/drm/i915/display/intel_vrr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8a7d29b8bda144d44e61df1b2705b1d4378f4e44",
"status": "affected",
"version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
"versionType": "git"
},
{
"lessThan": "bf9e3b6ffd76da38dd4961c65d80571b25bf10a5",
"status": "affected",
"version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
"versionType": "git"
},
{
"lessThan": "237aab549676288d9255bb8dcc284738e56eaa31",
"status": "affected",
"version": "dda7dcd9da73c5327aef42b89f0519bb51e84217",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/display/intel_display.c",
"drivers/gpu/drm/i915/display/intel_vrr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL\n\nApparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE\nbefore enabling TRANS_DDI_FUNC_CTL.\n\nPersonally I was only able to reproduce a hang (on an Dell XPS 7390\n2-in-1) with an external display connected via a dock using a dodgy\ntype-C cable that made the link training fail. After the failed\nlink training the machine would hang. TGL seemed immune to the\nproblem for whatever reason.\n\nBSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL\nas well. The DMC firmware also does the VRR restore in two stages:\n- first stage seems to be unconditional and includes TRANS_VRR_CTL\n and a few other VRR registers, among other things\n- second stage is conditional on the DDI being enabled,\n and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,\n among other things\n\nSo let\u0027s reorder the steps to match to avoid the hang, and\ntoss in an extra WARN to make sure we don\u0027t screw this up later.\n\nBSpec: 22243\n(cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:26.763Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8a7d29b8bda144d44e61df1b2705b1d4378f4e44"
},
{
"url": "https://git.kernel.org/stable/c/bf9e3b6ffd76da38dd4961c65d80571b25bf10a5"
},
{
"url": "https://git.kernel.org/stable/c/237aab549676288d9255bb8dcc284738e56eaa31"
}
],
"title": "drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43477",
"datePublished": "2026-05-13T15:08:26.763Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-13T15:08:26.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43476 (GCVE-0-2026-43476)
Vulnerability from cvelistv5 – Published: 2026-05-13 15:08 – Updated: 2026-05-13 15:08
Title
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead
of the intended __be32 element size (4 bytes). Use sizeof(*meas) to
correctly match the buffer element type.
Severity ?
No CVSS data available.
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 9aff2e9c2927ecd9652872a43a0725f101128104 (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 08881d82f94deaa51800360029908863e5c4c39d (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < dcdf1e92674efb6692f4ebe189e0aa9fde23a541 (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 2a4d111a6a34afb8bb4f118009e7728ed2ec7e10 (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 90e978ace598567e6e30de79805bddf37cf892ac (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 165f12b40901c6a7aca15796da239726ddcdc5ad (git); Affected: 8f3f130852785dac0759843835ca97c3bacc2b10 , < 216345f98cae7fcc84f49728c67478ac00321c87 (git) |
| Linux | Linux | Affected: 5.14; Unaffected: 0 , < 5.14 (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/chemical/sps30_i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9aff2e9c2927ecd9652872a43a0725f101128104",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "08881d82f94deaa51800360029908863e5c4c39d",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "dcdf1e92674efb6692f4ebe189e0aa9fde23a541",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "2a4d111a6a34afb8bb4f118009e7728ed2ec7e10",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "90e978ace598567e6e30de79805bddf37cf892ac",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "165f12b40901c6a7aca15796da239726ddcdc5ad",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
},
{
"lessThan": "216345f98cae7fcc84f49728c67478ac00321c87",
"status": "affected",
"version": "8f3f130852785dac0759843835ca97c3bacc2b10",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/chemical/sps30_i2c.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()\n\nsizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead\nof the intended __be32 element size (4 bytes). Use sizeof(*meas) to\ncorrectly match the buffer element type."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:08:26.152Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9aff2e9c2927ecd9652872a43a0725f101128104"
},
{
"url": "https://git.kernel.org/stable/c/08881d82f94deaa51800360029908863e5c4c39d"
},
{
"url": "https://git.kernel.org/stable/c/dcdf1e92674efb6692f4ebe189e0aa9fde23a541"
},
{
"url": "https://git.kernel.org/stable/c/2a4d111a6a34afb8bb4f118009e7728ed2ec7e10"
},
{
"url": "https://git.kernel.org/stable/c/90e978ace598567e6e30de79805bddf37cf892ac"
},
{
"url": "https://git.kernel.org/stable/c/165f12b40901c6a7aca15796da239726ddcdc5ad"
},
{
"url": "https://git.kernel.org/stable/c/216345f98cae7fcc84f49728c67478ac00321c87"
}
],
"title": "iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43476",
"datePublished": "2026-05-13T15:08:26.152Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-13T15:08:26.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8449 (GCVE-0-2026-8449)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:34 – Updated: 2026-05-13 15:14
This CVE ID has been rejected or withdrawn.
{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2026-05-13T15:14:52.974Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn."
}
],
"value": "This CVE ID has been rejected or withdrawn."
}
],
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-8449",
"datePublished": "2026-05-12T21:34:59.782Z",
"dateRejected": "2026-05-13T15:14:52.974Z",
"dateReserved": "2026-05-12T21:15:19.856Z",
"dateUpdated": "2026-05-13T15:14:52.974Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43500 (GCVE-0-2026-43500)
Vulnerability from cvelistv5 – Published: 2026-05-11 06:26 – Updated: 2026-05-17 15:21
Title
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
Summary
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
Severity ?
7.8 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 7c504ffab3efce8f7e4f463b314ae31030bdf18b (git); Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3711382a77342a9a1c3d2e7330dcfc7ea927f568 (git); Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < 3eae0f4f9f7206a4801efa5e0235c25bbd5a412c (git); Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < d45179f8795222ce858770dc619abe51f9d24411 (git); Affected: d0d5c0cd1e711c98703f3544c1e6fc1372898de5 , < aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71 (git) |
| Linux | Linux | Affected: 5.3; Unaffected: 0 , < 5.3 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.88 , ≤ 6.12.* (semver); Unaffected: 6.18.29 , ≤ 6.18.* (semver); Unaffected: 7.0.6 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-43500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:51:19.227001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:53:36.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/V4bel/dirtyfrag"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7c504ffab3efce8f7e4f463b314ae31030bdf18b",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3711382a77342a9a1c3d2e7330dcfc7ea927f568",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "3eae0f4f9f7206a4801efa5e0235c25bbd5a412c",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "d45179f8795222ce858770dc619abe51f9d24411",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
},
{
"lessThan": "aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71",
"status": "affected",
"version": "d0d5c0cd1e711c98703f3544c1e6fc1372898de5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rxrpc/call_event.c",
"net/rxrpc/conn_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.29",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.29",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.6",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Also unshare DATA/RESPONSE packets when paged frags are present\n\nThe DATA-packet handler in rxrpc_input_call_event() and the RESPONSE\nhandler in rxrpc_verify_response() copy the skb to a linear one before\ncalling into the security ops only when skb_cloned() is true. An skb\nthat is not cloned but still carries externally-owned paged fragments\n(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via\n__ip_append_data, or a chained skb_has_frag_list()) falls through to\nthe in-place decryption path, which binds the frag pages directly into\nthe AEAD/skcipher SGL via skb_to_sgvec().\n\nExtend the gate to also unshare when skb_has_frag_list() or\nskb_has_shared_frag() is true. This catches the splice-loopback vector\nand other externally-shared frag sources while preserving the\nzero-copy fast path for skbs whose frags are kernel-private (e.g. NIC\npage_pool RX, GRO). The OOM/trace handling already in place is reused."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:39.755Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7c504ffab3efce8f7e4f463b314ae31030bdf18b"
},
{
"url": "https://git.kernel.org/stable/c/3711382a77342a9a1c3d2e7330dcfc7ea927f568"
},
{
"url": "https://git.kernel.org/stable/c/3eae0f4f9f7206a4801efa5e0235c25bbd5a412c"
},
{
"url": "https://git.kernel.org/stable/c/d45179f8795222ce858770dc619abe51f9d24411"
},
{
"url": "https://git.kernel.org/stable/c/aa54b1d27fe0c2b78e664a34fd0fdf7cd1960d71"
}
],
"title": "rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43500",
"datePublished": "2026-05-11T06:26:45.838Z",
"dateReserved": "2026-05-01T14:12:56.014Z",
"dateUpdated": "2026-05-17T15:21:39.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43475 (GCVE-0-2026-43475)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
This resolves the following splat and lock-up when running with PREEMPT_RT
enabled on Hyper-V:
[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002
[ 415.140822] INFO: lockdep is turned off.
[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common
[ 415.140846] Preemption disabled at:
[ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}
[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024
[ 415.140857] Call Trace:
[ 415.140861] <TASK>
[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]
[ 415.140863] dump_stack_lvl+0x91/0xb0
[ 415.140870] __schedule_bug+0x9c/0xc0
[ 415.140875] __schedule+0xdf6/0x1300
[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980
[ 415.140879] ? rcu_is_watching+0x12/0x60
[ 415.140883] schedule_rtlock+0x21/0x40
[ 415.140885] rtlock_slowlock_locked+0x502/0x1980
[ 415.140891] rt_spin_lock+0x89/0x1e0
[ 415.140893] hv_ringbuffer_write+0x87/0x2a0
[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0
[ 415.140900] ? rcu_is_watching+0x12/0x60
[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]
[ 415.140904] ? HARDIRQ_verbose+0x10/0x10
[ 415.140908] ? __rq_qos_issue+0x28/0x40
[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]
[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0
[ 415.140928] blk_mq_issue_direct+0x87/0x2b0
[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440
[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0
[ 415.140935] __blk_flush_plug+0xf4/0x150
[ 415.140940] __submit_bio+0x2b2/0x5c0
[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360
[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360
[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]
[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]
[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]
[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]
[ 415.141060] generic_perform_write+0x14e/0x2c0
[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]
[ 415.141083] vfs_write+0x2ca/0x570
[ 415.141087] ksys_write+0x76/0xf0
[ 415.141089] do_syscall_64+0x99/0x1490
[ 415.141093] ? rcu_is_watching+0x12/0x60
[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0
[ 415.141097] ? rcu_is_watching+0x12/0x60
[ 415.141098] ? lock_release+0x1f0/0x2a0
[ 415.141100] ? rcu_is_watching+0x12/0x60
[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0
[ 415.141103] ? rcu_is_watching+0x12/0x60
[ 415.141104] ? __schedule+0xb34/0x1300
[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170
[ 415.141109] ? do_nanosleep+0x8b/0x160
[ 415.141111] ? hrtimer_nanosleep+0x89/0x100
[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10
[ 415.141116] ? xfd_validate_state+0x26/0x90
[ 415.141118] ? rcu_is_watching+0x12/0x60
[ 415.141120] ? do_syscall_64+0x1e0/0x1490
[ 415.141121] ? do_syscall_64+0x1e0/0x1490
[ 415.141123] ? rcu_is_watching+0x12/0x60
[ 415.141124] ? do_syscall_64+0x1e0/0x1490
[ 415.141125] ? do_syscall_64+0x1e0/0x1490
[ 415.141127] ? irqentry_exit+0x140/0
---truncated---
Severity ?
No CVSS data available.
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < cf00cb15f2515e38d3b7571bf6800b7c6ce70a84 (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < b82462af23e45e066dd56d2736ea70159a6ad647 (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < 91ab59f76d0866079420ebff1c7959fcd87a242e (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < e7919a293f9b6101e38bde0d8613daea6c9955df (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < f8db760f4f52a73a022a3d6c84c488ead952a9b5 (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < c2e73d8acd056347a70047e6be7cd98e0e811dfa (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < c7984d196476adcbd51c0ce386d7e90277198d57 (git); Affected: d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1 , < 57297736c08233987e5d29ce6584c6ca2a831b12 (git) |
| Linux | Linux | Affected: 4.11; Unaffected: 0 , < 4.11 (semver); Unaffected: 5.10.253 , ≤ 5.10.* (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf00cb15f2515e38d3b7571bf6800b7c6ce70a84",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "b82462af23e45e066dd56d2736ea70159a6ad647",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "91ab59f76d0866079420ebff1c7959fcd87a242e",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "e7919a293f9b6101e38bde0d8613daea6c9955df",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "f8db760f4f52a73a022a3d6c84c488ead952a9b5",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "c2e73d8acd056347a70047e6be7cd98e0e811dfa",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "c7984d196476adcbd51c0ce386d7e90277198d57",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
},
{
"lessThan": "57297736c08233987e5d29ce6584c6ca2a831b12",
"status": "affected",
"version": "d86adf482b843b3a58a9ec3b7c1ccdbf7c705db1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/storvsc_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.11"
},
{
"lessThan": "4.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: storvsc: Fix scheduling while atomic on PREEMPT_RT\n\nThis resolves the follow splat and lock-up when running with PREEMPT_RT\nenabled on Hyper-V:\n\n[ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002\n[ 415.140822] INFO: lockdep is turned off.\n[ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common\n[ 415.140846] Preemption disabled at:\n[ 415.140847] [\u003cffffffffc0656171\u003e] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)}\n[ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024\n[ 415.140857] Call Trace:\n[ 415.140861] \u003cTASK\u003e\n[ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc]\n[ 415.140863] dump_stack_lvl+0x91/0xb0\n[ 415.140870] __schedule_bug+0x9c/0xc0\n[ 415.140875] __schedule+0xdf6/0x1300\n[ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980\n[ 415.140879] ? 
rcu_is_watching+0x12/0x60\n[ 415.140883] schedule_rtlock+0x21/0x40\n[ 415.140885] rtlock_slowlock_locked+0x502/0x1980\n[ 415.140891] rt_spin_lock+0x89/0x1e0\n[ 415.140893] hv_ringbuffer_write+0x87/0x2a0\n[ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0\n[ 415.140900] ? rcu_is_watching+0x12/0x60\n[ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc]\n[ 415.140904] ? HARDIRQ_verbose+0x10/0x10\n[ 415.140908] ? __rq_qos_issue+0x28/0x40\n[ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod]\n[ 415.140926] __blk_mq_issue_directly+0x4a/0xc0\n[ 415.140928] blk_mq_issue_direct+0x87/0x2b0\n[ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440\n[ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0\n[ 415.140935] __blk_flush_plug+0xf4/0x150\n[ 415.140940] __submit_bio+0x2b2/0x5c0\n[ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140946] submit_bio_noacct_nocheck+0x272/0x360\n[ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4]\n[ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4]\n[ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4]\n[ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4]\n[ 415.141060] generic_perform_write+0x14e/0x2c0\n[ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4]\n[ 415.141083] vfs_write+0x2ca/0x570\n[ 415.141087] ksys_write+0x76/0xf0\n[ 415.141089] do_syscall_64+0x99/0x1490\n[ 415.141093] ? rcu_is_watching+0x12/0x60\n[ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0\n[ 415.141097] ? rcu_is_watching+0x12/0x60\n[ 415.141098] ? lock_release+0x1f0/0x2a0\n[ 415.141100] ? rcu_is_watching+0x12/0x60\n[ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0\n[ 415.141103] ? rcu_is_watching+0x12/0x60\n[ 415.141104] ? __schedule+0xb34/0x1300\n[ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170\n[ 415.141109] ? do_nanosleep+0x8b/0x160\n[ 415.141111] ? hrtimer_nanosleep+0x89/0x100\n[ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10\n[ 415.141116] ? xfd_validate_state+0x26/0x90\n[ 415.141118] ? rcu_is_watching+0x12/0x60\n[ 415.141120] ? 
do_syscall_64+0x1e0/0x1490\n[ 415.141121] ? do_syscall_64+0x1e0/0x1490\n[ 415.141123] ? rcu_is_watching+0x12/0x60\n[ 415.141124] ? do_syscall_64+0x1e0/0x1490\n[ 415.141125] ? do_syscall_64+0x1e0/0x1490\n[ 415.141127] ? irqentry_exit+0x140/0\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:19.772Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf00cb15f2515e38d3b7571bf6800b7c6ce70a84"
},
{
"url": "https://git.kernel.org/stable/c/b82462af23e45e066dd56d2736ea70159a6ad647"
},
{
"url": "https://git.kernel.org/stable/c/91ab59f76d0866079420ebff1c7959fcd87a242e"
},
{
"url": "https://git.kernel.org/stable/c/e7919a293f9b6101e38bde0d8613daea6c9955df"
},
{
"url": "https://git.kernel.org/stable/c/f8db760f4f52a73a022a3d6c84c488ead952a9b5"
},
{
"url": "https://git.kernel.org/stable/c/c2e73d8acd056347a70047e6be7cd98e0e811dfa"
},
{
"url": "https://git.kernel.org/stable/c/c7984d196476adcbd51c0ce386d7e90277198d57"
},
{
"url": "https://git.kernel.org/stable/c/57297736c08233987e5d29ce6584c6ca2a831b12"
}
],
"title": "scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43475",
"datePublished": "2026-05-08T14:22:33.553Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:19.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43474 (GCVE-0-2026-43474)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
fs: init flags_valid before calling vfs_fileattr_get
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: init flags_valid before calling vfs_fileattr_get
syzbot reported an uninit-value bug in [1].
Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.
[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
vfs_fileattr_get fs/file_attr.c:94 [inline]
__do_sys_file_getattr fs/file_attr.c:416 [inline]
Local variable fa.i created at:
__do_sys_file_getattr fs/file_attr.c:380 [inline]
__se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < 379e19e820dd1c6145426b97467728b3b89c0b42 (git)<br>Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < b8c182b2c8c44c6016b11d8af61715ad7ef958a1 (git)<br>Affected: be7efb2d20d67f334a7de2aef77ae6c69367e646 , < cb184dd19154fc486fa3d9e02afe70a97e54e055 (git) |
| Linux | Linux | Affected: 6.17<br>Unaffected: 0 , < 6.17 (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "379e19e820dd1c6145426b97467728b3b89c0b42",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "b8c182b2c8c44c6016b11d8af61715ad7ef958a1",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
},
{
"lessThan": "cb184dd19154fc486fa3d9e02afe70a97e54e055",
"status": "affected",
"version": "be7efb2d20d67f334a7de2aef77ae6c69367e646",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/file_attr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: init flags_valid before calling vfs_fileattr_get\n\nsyzbot reported a uninit-value bug in [1].\n\nSimilar to the \"*get\" context where the kernel\u0027s internal file_kattr\nstructure is initialized before calling vfs_fileattr_get(), we should\nuse the same mechanism when using fa.\n\n[1]\nBUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517\n vfs_fileattr_get fs/file_attr.c:94 [inline]\n __do_sys_file_getattr fs/file_attr.c:416 [inline]\n\nLocal variable fa.i created at:\n __do_sys_file_getattr fs/file_attr.c:380 [inline]\n __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:18.616Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42"
},
{
"url": "https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1"
},
{
"url": "https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055"
}
],
"title": "fs: init flags_valid before calling vfs_fileattr_get",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43474",
"datePublished": "2026-05-08T14:22:32.871Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:18.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43473 (GCVE-0-2026-43473)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
The driver encountered a crash during resource cleanup when the reply and
request queues were NULL due to freed memory. This issue occurred when the
creation of reply or request queues failed, and the driver freed the memory
first, but attempted to memset the content of the freed memory, leading to
a system crash.
Add NULL pointer checks for reply and request queues before accessing the
reply/request memory during cleanup.
Severity
No CVSS data available.
References
6 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 7df0296ad4e9253d12c6dbe7f120044dddc95600 (git)<br>Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 7da755e0d02e9ca035065127e108d1fed8950dc8 (git)<br>Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 78d3f201f8b609928eade53cf03a52df5415aaf7 (git)<br>Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < e978a36f332ede78eb4de037b517db16265d420d (git)<br>Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < 220d7ca70611a73d50ef8e9edac630ed1ececb7c (git)<br>Affected: fe6db615156573d3f6a37564b8a590cb03bbaf25 , < fa96392ebebc8fade2b878acb14cce0f71016503 (git) |
| Linux | Linux | Affected: 5.17<br>Unaffected: 0 , < 5.17 (semver)<br>Unaffected: 6.1.167 , ≤ 6.1.* (semver)<br>Unaffected: 6.6.130 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.78 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7df0296ad4e9253d12c6dbe7f120044dddc95600",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "7da755e0d02e9ca035065127e108d1fed8950dc8",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "78d3f201f8b609928eade53cf03a52df5415aaf7",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "e978a36f332ede78eb4de037b517db16265d420d",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "220d7ca70611a73d50ef8e9edac630ed1ececb7c",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
},
{
"lessThan": "fa96392ebebc8fade2b878acb14cce0f71016503",
"status": "affected",
"version": "fe6db615156573d3f6a37564b8a590cb03bbaf25",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/mpi3mr/mpi3mr_fw.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Add NULL checks when resetting request and reply queues\n\nThe driver encountered a crash during resource cleanup when the reply and\nrequest queues were NULL due to freed memory. This issue occurred when the\ncreation of reply or request queues failed, and the driver freed the memory\nfirst, but attempted to mem set the content of the freed memory, leading to\na system crash.\n\nAdd NULL pointer checks for reply and request queues before accessing the\nreply/request memory during cleanup"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:17.395Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600"
},
{
"url": "https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8"
},
{
"url": "https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7"
},
{
"url": "https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d"
},
{
"url": "https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c"
},
{
"url": "https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503"
}
],
"title": "scsi: mpi3mr: Add NULL checks when resetting request and reply queues",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43473",
"datePublished": "2026-05-08T14:22:32.210Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:17.395Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43472 (GCVE-0-2026-43472)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
unshare: fix unshare_fs() handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
unshare: fix unshare_fs() handling
There's an unpleasant corner case in unshare(2), when we have a
CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that
case copy_mnt_ns() gets passed current->fs instead of a private copy,
which causes interesting warts in proof of correctness]
> I guess if private means fs->users == 1, the condition could still be true.
Unfortunately, it's worse than just a convoluted proof of correctness.
Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS
(and current->fs->users == 1).
We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and
flips current->fs->{pwd,root} to corresponding locations in the new namespace.
Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).
We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's
destroyed and its mount tree is dissolved, but... current->fs->root and
current->fs->pwd are both left pointing to now detached mounts.
They are pinning those, so it's not a UAF, but it leaves the calling
process with unshare(2) failing with -ENOMEM _and_ leaving it with
pwd and root on detached isolated mounts. The last part is clearly a bug.
There is other fun related to that mess (races with pivot_root(), including
the one between pivot_root() and fork(), of all things), but this one
is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new
fs_struct even if it hadn't been shared in the first place". Sure, we could
go for something like "if both CLONE_NEWNS *and* one of the things that might
end up failing after copy_mnt_ns() call in create_new_namespaces() are set,
force allocation of new fs_struct", but let's keep it simple - the cost
of copy_fs_struct() is trivial.
Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets
a freshly allocated fs_struct, yet to be attached to anything. That
seriously simplifies the analysis...
FWIW, that bug had been there since the introduction of unshare(2) ;-/
Severity
No CVSS data available.
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 845bf3c6963a52096d0d3866e4a92db77a0c03d8 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d3ffc8f13034af895531a02c30b1fe3a34b46432 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d0d99f60538ddb4a62ccaac2168d8f448965f083 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < d7963d6997fea86a6def242ac36198b86655f912 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < aa9ebc084505fb26dd90f4d7a249045aad152043 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 42e21e74061b0ebbd859839f81acf10efad02a27 (git)<br>Affected: 741a295130606143edbf9fc740f633dbc1e6225f , < 6c4b2243cb6c0755159bd567130d5e12e7b10d9f (git) |
| Linux | Linux | Affected: 2.6.16<br>Unaffected: 0 , < 2.6.16 (semver)<br>Unaffected: 5.10.253 , ≤ 5.10.* (semver)<br>Unaffected: 5.15.203 , ≤ 5.15.* (semver)<br>Unaffected: 6.1.167 , ≤ 6.1.* (semver)<br>Unaffected: 6.6.130 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.78 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.19 , ≤ 6.18.* (semver)<br>Unaffected: 6.19.9 , ≤ 6.19.* (semver)<br>Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "845bf3c6963a52096d0d3866e4a92db77a0c03d8",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d3ffc8f13034af895531a02c30b1fe3a34b46432",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d0d99f60538ddb4a62ccaac2168d8f448965f083",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "d7963d6997fea86a6def242ac36198b86655f912",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "aa9ebc084505fb26dd90f4d7a249045aad152043",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "42e21e74061b0ebbd859839f81acf10efad02a27",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
},
{
"lessThan": "6c4b2243cb6c0755159bd567130d5e12e7b10d9f",
"status": "affected",
"version": "741a295130606143edbf9fc740f633dbc1e6225f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/fork.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.16"
},
{
"lessThan": "2.6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "2.6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nunshare: fix unshare_fs() handling\n\nThere\u0027s an unpleasant corner case in unshare(2), when we have a\nCLONE_NEWNS in flags and current-\u003efs hadn\u0027t been shared at all; in that\ncase copy_mnt_ns() gets passed current-\u003efs instead of a private copy,\nwhich causes interesting warts in proof of correctness]\n\n\u003e I guess if private means fs-\u003eusers == 1, the condition could still be true.\n\nUnfortunately, it\u0027s worse than just a convoluted proof of correctness.\nConsider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS\n(and current-\u003efs-\u003eusers == 1).\n\nWe pass current-\u003efs to copy_mnt_ns(), all right. Suppose it succeeds and\nflips current-\u003efs-\u003e{pwd,root} to corresponding locations in the new namespace.\nNow we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM).\nWe call put_mnt_ns() on the namespace created by copy_mnt_ns(), it\u0027s\ndestroyed and its mount tree is dissolved, but... current-\u003efs-\u003eroot and\ncurrent-\u003efs-\u003epwd are both left pointing to now detached mounts.\n\nThey are pinning those, so it\u0027s not a UAF, but it leaves the calling\nprocess with unshare(2) failing with -ENOMEM _and_ leaving it with\npwd and root on detached isolated mounts. The last part is clearly a bug.\n\nThere is other fun related to that mess (races with pivot_root(), including\nthe one between pivot_root() and fork(), of all things), but this one\nis easy to isolate and fix - treat CLONE_NEWNS as \"allocate a new\nfs_struct even if it hadn\u0027t been shared in the first place\". 
Sure, we could\ngo for something like \"if both CLONE_NEWNS *and* one of the things that might\nend up failing after copy_mnt_ns() call in create_new_namespaces() are set,\nforce allocation of new fs_struct\", but let\u0027s keep it simple - the cost\nof copy_fs_struct() is trivial.\n\nAnother benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets\na freshly allocated fs_struct, yet to be attached to anything. That\nseriously simplifies the analysis...\n\nFWIW, that bug had been there since the introduction of unshare(2) ;-/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:16.258Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/845bf3c6963a52096d0d3866e4a92db77a0c03d8"
},
{
"url": "https://git.kernel.org/stable/c/d3ffc8f13034af895531a02c30b1fe3a34b46432"
},
{
"url": "https://git.kernel.org/stable/c/d0d99f60538ddb4a62ccaac2168d8f448965f083"
},
{
"url": "https://git.kernel.org/stable/c/d7963d6997fea86a6def242ac36198b86655f912"
},
{
"url": "https://git.kernel.org/stable/c/aa9ebc084505fb26dd90f4d7a249045aad152043"
},
{
"url": "https://git.kernel.org/stable/c/af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0"
},
{
"url": "https://git.kernel.org/stable/c/42e21e74061b0ebbd859839f81acf10efad02a27"
},
{
"url": "https://git.kernel.org/stable/c/6c4b2243cb6c0755159bd567130d5e12e7b10d9f"
}
],
"title": "unshare: fix unshare_fs() handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43472",
"datePublished": "2026-05-08T14:22:31.556Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:16.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43471 (GCVE-0-2026-43471)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()
The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL
pointer dereference when accessing hwq->id. This can happen if
ufshcd_mcq_req_to_hwq() returns NULL.
This patch adds a NULL check for hwq before accessing its id field to
prevent a kernel crash.
Kernel log excerpt:
[<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
[<ffffffd5d1814e58>] __die+0x60/0xb0
[<ffffffd5d1814d64>] die+0x4c/0xe0
[<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
[<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
[<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
[<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
[<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
[<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
[<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
[<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
[<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
[<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
[<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
[<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
[<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
[<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
[<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
[<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
[<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
[<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
[<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
[<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
[<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
[<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
[<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
[<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: bed0896008334eeee4b4bfd7150491ca098cbf72 , < 0614f5618c24fbc3d555efade22887b102ad7ad6 (git); Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < be730f9ee92ae08f2bc4b336967bcfd8183c06fe (git); Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < f4f590c6c9df7453bbda2ef9170b1b09e42a124c (git); Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < 93b9e7ee9e93629db80bbc9dab8a874215b89ccf (git); Affected: 9307a998cb9846a2557fdca286997430bee36a2a , < 30df81f2228d65bddf492db3929d9fcaffd38fc5 (git); Affected: 11d81233f4ebe6907b12c79ad7d8787aa4db0633 (git) | |
| Linux | Linux | Affected: 6.10; Unaffected: 0 , < 6.10 (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0614f5618c24fbc3d555efade22887b102ad7ad6",
"status": "affected",
"version": "bed0896008334eeee4b4bfd7150491ca098cbf72",
"versionType": "git"
},
{
"lessThan": "be730f9ee92ae08f2bc4b336967bcfd8183c06fe",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "f4f590c6c9df7453bbda2ef9170b1b09e42a124c",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "93b9e7ee9e93629db80bbc9dab8a874215b89ccf",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"lessThan": "30df81f2228d65bddf492db3929d9fcaffd38fc5",
"status": "affected",
"version": "9307a998cb9846a2557fdca286997430bee36a2a",
"versionType": "git"
},
{
"status": "affected",
"version": "11d81233f4ebe6907b12c79ad7d8787aa4db0633",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufshcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.6.41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()\n\nThe kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL\npointer dereference when accessing hwq-\u003eid. This can happen if\nufshcd_mcq_req_to_hwq() returns NULL.\n\nThis patch adds a NULL check for hwq before accessing its id field to\nprevent a kernel crash.\n\nKernel log excerpt:\n[\u003cffffffd5d192dc4c\u003e] notify_die+0x4c/0x8c\n[\u003cffffffd5d1814e58\u003e] __die+0x60/0xb0\n[\u003cffffffd5d1814d64\u003e] die+0x4c/0xe0\n[\u003cffffffd5d181575c\u003e] die_kernel_fault+0x74/0x88\n[\u003cffffffd5d1864db4\u003e] __do_kernel_fault+0x314/0x318\n[\u003cffffffd5d2a3cdf8\u003e] do_page_fault+0xa4/0x5f8\n[\u003cffffffd5d2a3cd34\u003e] do_translation_fault+0x34/0x54\n[\u003cffffffd5d1864524\u003e] do_mem_abort+0x50/0xa8\n[\u003cffffffd5d2a297dc\u003e] el1_abort+0x3c/0x64\n[\u003cffffffd5d2a29718\u003e] el1h_64_sync_handler+0x44/0xcc\n[\u003cffffffd5d181133c\u003e] el1h_64_sync+0x80/0x88\n[\u003cffffffd5d255c1dc\u003e] ufshcd_add_command_trace+0x23c/0x320\n[\u003cffffffd5d255bad8\u003e] ufshcd_compl_one_cqe+0xa4/0x404\n[\u003cffffffd5d2572968\u003e] ufshcd_mcq_poll_cqe_lock+0xac/0x104\n[\u003cffffffd5d11c7460\u003e] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]\n[\u003cffffffd5d19ab92c\u003e] __handle_irq_event_percpu+0xc8/0x348\n[\u003cffffffd5d19abca8\u003e] handle_irq_event+0x3c/0xa8\n[\u003cffffffd5d19b1f0c\u003e] handle_fasteoi_irq+0xf8/0x294\n[\u003cffffffd5d19aa778\u003e] generic_handle_domain_irq+0x54/0x80\n[\u003cffffffd5d18102bc\u003e] gic_handle_irq+0x1d4/0x330\n[\u003cffffffd5d1838210\u003e] call_on_irq_stack+0x44/0x68\n[\u003cffffffd5d183af30\u003e] do_interrupt_handler+0x78/0xd8\n[\u003cffffffd5d2a29c00\u003e] el1_interrupt+0x48/0xa8\n[\u003cffffffd5d2a29ba8\u003e] el1h_64_irq_handler+0x14/0x24\n[\u003cffffffd5d18113c4\u003e] 
el1h_64_irq+0x80/0x88\n[\u003cffffffd5d2527fb4\u003e] arch_local_irq_enable+0x4/0x1c\n[\u003cffffffd5d25282e4\u003e] cpuidle_enter+0x34/0x54\n[\u003cffffffd5d195a678\u003e] do_idle+0x1dc/0x2f8\n[\u003cffffffd5d195a7c4\u003e] cpu_startup_entry+0x30/0x3c\n[\u003cffffffd5d18155c4\u003e] secondary_start_kernel+0x134/0x1ac\n[\u003cffffffd5d18640bc\u003e] __secondary_switched+0xc4/0xcc"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:15.121Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0614f5618c24fbc3d555efade22887b102ad7ad6"
},
{
"url": "https://git.kernel.org/stable/c/be730f9ee92ae08f2bc4b336967bcfd8183c06fe"
},
{
"url": "https://git.kernel.org/stable/c/f4f590c6c9df7453bbda2ef9170b1b09e42a124c"
},
{
"url": "https://git.kernel.org/stable/c/93b9e7ee9e93629db80bbc9dab8a874215b89ccf"
},
{
"url": "https://git.kernel.org/stable/c/30df81f2228d65bddf492db3929d9fcaffd38fc5"
}
],
"title": "scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43471",
"datePublished": "2026-05-08T14:22:30.909Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:15.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43470 (GCVE-0-2026-43470)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfs: return EISDIR on nfs3_proc_create if d_alias is a dir
If we found an alias through nfs3_do_create/nfs_add_or_obtain
/d_splice_alias which happens to be a dir dentry, we don't return
any error, and simply forget about this alias, but the original
dentry we were adding and passed as parameter remains negative.
This later causes an oops on nfs_atomic_open_v23/finish_open since we
supply a negative dentry to do_dentry_open.
This has been observed running lustre-racer, where dirs and files are
created/removed concurrently with the same name and O_EXCL is not
used to open files (frequent file redirection).
While d_splice_alias typically returns a directory alias or NULL, we
explicitly check d_is_dir() to ensure that we don't attempt to perform
file operations (like finish_open) on a directory inode, which triggers
the observed oops.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 7e2963773760a664684435201960dd2fb712f1b5 (git); Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 203c792cb4315360d49973ae2e57feeb6d3dcf7e (git); Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 9ee1770fcb2f1b48354622b926e7dc10222805f5 (git); Affected: 7c6c5249f061b64fc6b5b90bc147169a048691bf , < 410666a298c34ebd57256fde6b24c96bd23059a2 (git) | |
| Linux | Linux | Affected: 6.10; Unaffected: 0 , < 6.10 (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7e2963773760a664684435201960dd2fb712f1b5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "203c792cb4315360d49973ae2e57feeb6d3dcf7e",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "9ee1770fcb2f1b48354622b926e7dc10222805f5",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
},
{
"lessThan": "410666a298c34ebd57256fde6b24c96bd23059a2",
"status": "affected",
"version": "7c6c5249f061b64fc6b5b90bc147169a048691bf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/nfs3proc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: return EISDIR on nfs3_proc_create if d_alias is a dir\n\nIf we found an alias through nfs3_do_create/nfs_add_or_obtain\n/d_splice_alias which happens to be a dir dentry, we don\u0027t return\nany error, and simply forget about this alias, but the original\ndentry we were adding and passed as parameter remains negative.\n\nThis later causes an oops on nfs_atomic_open_v23/finish_open since we\nsupply a negative dentry to do_dentry_open.\n\nThis has been observed running lustre-racer, where dirs and files are\ncreated/removed concurrently with the same name and O_EXCL is not\nused to open files (frequent file redirection).\n\nWhile d_splice_alias typically returns a directory alias or NULL, we\nexplicitly check d_is_dir() to ensure that we don\u0027t attempt to perform\nfile operations (like finish_open) on a directory inode, which triggers\nthe observed oops."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:13.820Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5"
},
{
"url": "https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e"
},
{
"url": "https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5"
},
{
"url": "https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2"
}
],
"title": "nfs: return EISDIR on nfs3_proc_create if d_alias is a dir",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43470",
"datePublished": "2026-05-08T14:22:30.218Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:13.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43469 (GCVE-0-2026-43469)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
xprtrdma: Decrement re_receiving on the early exit paths
Summary
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: Decrement re_receiving on the early exit paths
In the event that rpcrdma_post_recvs() fails to create a work request
(due to memory allocation failure, say) or otherwise exits early, we
should decrement ep->re_receiving before returning. Otherwise we will
hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and
the completion will never be triggered.
On a system with high memory pressure, this can appear as the following
hung task:
INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.
Tainted: G S E 6.19.0 #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000
Workqueue: xprtiod xprt_autoclose [sunrpc]
Call Trace:
<TASK>
__schedule+0x48b/0x18b0
? ib_post_send_mad+0x247/0xae0 [ib_core]
schedule+0x27/0xf0
schedule_timeout+0x104/0x110
__wait_for_common+0x98/0x180
? __pfx_schedule_timeout+0x10/0x10
wait_for_completion+0x24/0x40
rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]
xprt_rdma_close+0x12/0x40 [rpcrdma]
xprt_autoclose+0x5f/0x120 [sunrpc]
process_one_work+0x191/0x3e0
worker_thread+0x2e3/0x420
? __pfx_worker_thread+0x10/0x10
kthread+0x10d/0x230
? __pfx_kthread+0x10/0x10
ret_from_fork+0x273/0x2b0
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
Severity ?
7.5 (High)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 7ea69259a60a364f56cf4aa9e2eafb588d1c762b (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 8cb6b5d8296b1f99a8d36849901ebabfe3f749db (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 74c39a47856bddcde7874f2196a00143b5cd0af9 (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 49f53ee4e25297d886f14e31f355ad1c2735ddfb (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 8127b5fec04757c2a41ed65bca0b3266968efd3b (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf (git); Affected: 15788d1d1077ebe029c48842c738876516d85076 , < 7b6275c80a0c81c5f8943272292dfe67730ce849 (git) | |
| Linux | Linux | Affected: 5.13; Unaffected: 0 , < 5.13 (semver); Unaffected: 5.15.203 , ≤ 5.15.* (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7ea69259a60a364f56cf4aa9e2eafb588d1c762b",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "8cb6b5d8296b1f99a8d36849901ebabfe3f749db",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "74c39a47856bddcde7874f2196a00143b5cd0af9",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "49f53ee4e25297d886f14e31f355ad1c2735ddfb",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "8127b5fec04757c2a41ed65bca0b3266968efd3b",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
},
{
"lessThan": "7b6275c80a0c81c5f8943272292dfe67730ce849",
"status": "affected",
"version": "15788d1d1077ebe029c48842c738876516d85076",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/xprtrdma/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxprtrdma: Decrement re_receiving on the early exit paths\n\nIn the event that rpcrdma_post_recvs() fails to create a work request\n(due to memory allocation failure, say) or otherwise exits early, we\nshould decrement ep-\u003ere_receiving before returning. Otherwise we will\nhang in rpcrdma_xprt_drain() as re_receiving will never reach zero and\nthe completion will never be triggered.\n\nOn a system with high memory pressure, this can appear as the following\nhung task:\n\n INFO: task kworker/u385:17:8393 blocked for more than 122 seconds.\n Tainted: G S E 6.19.0 #3\n \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000\n Workqueue: xprtiod xprt_autoclose [sunrpc]\n Call Trace:\n \u003cTASK\u003e\n __schedule+0x48b/0x18b0\n ? ib_post_send_mad+0x247/0xae0 [ib_core]\n schedule+0x27/0xf0\n schedule_timeout+0x104/0x110\n __wait_for_common+0x98/0x180\n ? __pfx_schedule_timeout+0x10/0x10\n wait_for_completion+0x24/0x40\n rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma]\n xprt_rdma_close+0x12/0x40 [rpcrdma]\n xprt_autoclose+0x5f/0x120 [sunrpc]\n process_one_work+0x191/0x3e0\n worker_thread+0x2e3/0x420\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x10d/0x230\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x273/0x2b0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:12.698Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7ea69259a60a364f56cf4aa9e2eafb588d1c762b"
},
{
"url": "https://git.kernel.org/stable/c/8cb6b5d8296b1f99a8d36849901ebabfe3f749db"
},
{
"url": "https://git.kernel.org/stable/c/74c39a47856bddcde7874f2196a00143b5cd0af9"
},
{
"url": "https://git.kernel.org/stable/c/49f53ee4e25297d886f14e31f355ad1c2735ddfb"
},
{
"url": "https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b"
},
{
"url": "https://git.kernel.org/stable/c/dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf"
},
{
"url": "https://git.kernel.org/stable/c/7b6275c80a0c81c5f8943272292dfe67730ce849"
}
],
"title": "xprtrdma: Decrement re_receiving on the early exit paths",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43469",
"datePublished": "2026-05-08T14:22:29.550Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:12.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43468 (GCVE-0-2026-43468)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5: Fix deadlock between devlink lock and esw->wq
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix deadlock between devlink lock and esw->wq
esw->work_queue executes esw_functions_changed_event_handler ->
esw_vfs_changed_event_handler and acquires the devlink lock.
.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) ->
mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked ->
mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks
when esw_vfs_changed_event_handler executes.
Fix that by no longer flushing the work to avoid the deadlock, and using
a generation counter to keep track of work relevance. This avoids an old
handler manipulating an esw that has undergone one or more mode changes:
- the counter is incremented in mlx5_eswitch_event_handler_unregister.
- the counter is read and passed to the ephemeral mlx5_host_work struct.
- the work handler takes the devlink lock and bails out if the current
generation is different than the one it was scheduled to operate on.
- mlx5_eswitch_cleanup does the final draining before destroying the wq.
No longer flushing the workqueue has the side effect of maybe no longer
cancelling pending vport_change_handler work items, but that's ok since
those are disabled elsewhere:
- mlx5_eswitch_disable_locked disables the vport eq notifier.
- mlx5_esw_vport_disable disarms the HW EQ notification and marks
vport->enabled under state_lock to false to prevent pending vport
handler from doing anything.
- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events
are disabled/finished.
Severity ?
No CVSS data available.
Assigner
References
6 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 0de867f6e34eae6907b367fd152c55e61cb98608 (git); Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 957d2a58f7f8ebcbdd0a85935e0d2675134b890d (git); Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 3c7313cb41b1b427078440364d2f042c276a1c0b (git); Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 4a7838bebc38374f74baaf88bf2cf8d439a92923 (git); Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < 90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1 (git); Affected: f1bc646c9a06f09aad5d8bacb87103b5573ee45e , < aed763abf0e905b4b8d747d1ba9e172961572f57 (git) | |
| Linux | Linux | Affected: 6.0; Unaffected: 0 , < 6.0 (semver); Unaffected: 6.1.167 , ≤ 6.1.* (semver); Unaffected: 6.6.130 , ≤ 6.6.* (semver); Unaffected: 6.12.78 , ≤ 6.12.* (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0de867f6e34eae6907b367fd152c55e61cb98608",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "957d2a58f7f8ebcbdd0a85935e0d2675134b890d",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "3c7313cb41b1b427078440364d2f042c276a1c0b",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "4a7838bebc38374f74baaf88bf2cf8d439a92923",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
},
{
"lessThan": "aed763abf0e905b4b8d747d1ba9e172961572f57",
"status": "affected",
"version": "f1bc646c9a06f09aad5d8bacb87103b5573ee45e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.h",
"drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix deadlock between devlink lock and esw-\u003ewq\n\nesw-\u003ework_queue executes esw_functions_changed_event_handler -\u003e\nesw_vfs_changed_event_handler and acquires the devlink lock.\n\n.eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -\u003e\nmlx5_devlink_eswitch_mode_set -\u003e mlx5_eswitch_disable_locked -\u003e\nmlx5_eswitch_event_handler_unregister -\u003e flush_workqueue deadlocks\nwhen esw_vfs_changed_event_handler executes.\n\nFix that by no longer flushing the work to avoid the deadlock, and using\na generation counter to keep track of work relevance. This avoids an old\nhandler manipulating an esw that has undergone one or more mode changes:\n- the counter is incremented in mlx5_eswitch_event_handler_unregister.\n- the counter is read and passed to the ephemeral mlx5_host_work struct.\n- the work handler takes the devlink lock and bails out if the current\n generation is different than the one it was scheduled to operate on.\n- mlx5_eswitch_cleanup does the final draining before destroying the wq.\n\nNo longer flushing the workqueue has the side effect of maybe no longer\ncancelling pending vport_change_handler work items, but that\u0027s ok since\nthose are disabled elsewhere:\n- mlx5_eswitch_disable_locked disables the vport eq notifier.\n- mlx5_esw_vport_disable disarms the HW EQ notification and marks\n vport-\u003eenabled under state_lock to false to prevent pending vport\n handler from doing anything.\n- mlx5_eswitch_cleanup destroys the workqueue and makes sure all events\n are disabled/finished."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:11.471Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0de867f6e34eae6907b367fd152c55e61cb98608"
},
{
"url": "https://git.kernel.org/stable/c/957d2a58f7f8ebcbdd0a85935e0d2675134b890d"
},
{
"url": "https://git.kernel.org/stable/c/3c7313cb41b1b427078440364d2f042c276a1c0b"
},
{
"url": "https://git.kernel.org/stable/c/4a7838bebc38374f74baaf88bf2cf8d439a92923"
},
{
"url": "https://git.kernel.org/stable/c/90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1"
},
{
"url": "https://git.kernel.org/stable/c/aed763abf0e905b4b8d747d1ba9e172961572f57"
}
],
"title": "net/mlx5: Fix deadlock between devlink lock and esw-\u003ewq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43468",
"datePublished": "2026-05-08T14:22:28.889Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:11.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43467 (GCVE-0-2026-43467)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5: Fix crash when moving to switchdev mode
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix crash when moving to switchdev mode
When moving to switchdev mode when the device doesn't support IPsec,
we try to clean up the IPsec resources anyway which causes the crash
below, fix that by correctly checking for IPsec support before trying
to clean up its resources.
[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at
do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490
[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE
ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype
rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink
zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi
scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core
ib_core
[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted
6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE
[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680
[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22
00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb
ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d
41
[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046
[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:
ffff88810b980f00
[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:
ffff88810770f728
[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:
0000000000000000
[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff888103f3c4c0
[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:
0000000000000000
[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000)
knlGS:0000000000000000
[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:
0000000000172eb0
[27642.537982] Call Trace:
[27642.538466] <TASK>
[27642.538907] exc_page_fault+0x76/0x140
[27642.539583] asm_exc_page_fault+0x22/0x30
[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30
[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8
01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00
00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8
5b
[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046
[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:
ffff888113ad96d8
[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:
00000000000000a0
[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:
ffff88810b980f00
[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:
00000000000000a8
[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:
ffff8881130d8a40
[27642.550379] complete_all+0x20/0x90
[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]
[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]
[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]
[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]
[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]
[27642.555757] ? xa_load+0x53/0x90
[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]
[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]
[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]
[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]
[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]
[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]
[27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0
[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0
[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130
[27642.564816] genl_rcv_msg+0x183/0x290
[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160
[27642.566329] ? d
---truncated---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 7e212cebc863c2c7a82f480446cd731721451691, < 05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9 (git) |
| Linux | Linux | Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7, < 835778685f157b4fd4683b670cfe4010265bac60 (git) |
| Linux | Linux | Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7, < bc72f739f398d9d2e4f3d06f3f75fe98876d5579 (git) |
| Linux | Linux | Affected: 664f76be38a18c61151d0ef248c7e2f3afb4f3c7, < 24b2795f9683e092dc22a68f487e7aaaf2ddafea (git) |
| Linux | Linux | Affected: 8956686d398eca6d324d2d164f9d2a281175a3a1 (git) |
| Linux | Linux | Affected: 6.18 |
| Linux | Linux | Unaffected: 0, < 6.18 (semver) |
| Linux | Linux | Unaffected: 6.12.78, ≤ 6.12.* (semver) |
| Linux | Linux | Unaffected: 6.18.19, ≤ 6.18.* (semver) |
| Linux | Linux | Unaffected: 6.19.9, ≤ 6.19.* (semver) |
| Linux | Linux | Unaffected: 7.0, ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9",
"status": "affected",
"version": "7e212cebc863c2c7a82f480446cd731721451691",
"versionType": "git"
},
{
"lessThan": "835778685f157b4fd4683b670cfe4010265bac60",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"lessThan": "bc72f739f398d9d2e4f3d06f3f75fe98876d5579",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"lessThan": "24b2795f9683e092dc22a68f487e7aaaf2ddafea",
"status": "affected",
"version": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
"versionType": "git"
},
{
"status": "affected",
"version": "8956686d398eca6d324d2d164f9d2a281175a3a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix crash when moving to switchdev mode\n\nWhen moving to switchdev mode when the device doesn\u0027t support IPsec,\nwe try to clean up the IPsec resources anyway which causes the crash\nbelow, fix that by correctly checking for IPsec support before trying\nto clean up its resources.\n\n[27642.515799] WARNING: arch/x86/mm/fault.c:1276 at\ndo_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490\n[27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE\nip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype\nrpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink\nzram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi\nscsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core\nib_core\n[27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted\n6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE\n[27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\nrel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n[27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680\n[27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22\n00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb\n ae \u003c0f\u003e 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d\n41\n[27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046\n[27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX:\nffff88810b980f00\n[27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI:\nffff88810770f728\n[27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09:\n0000000000000000\n[27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12:\nffff888103f3c4c0\n[27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15:\n0000000000000000\n[27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000)\nknlGS:0000000000000000\n[27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 
0000000080050033\n[27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4:\n0000000000172eb0\n[27642.537982] Call Trace:\n[27642.538466] \u003cTASK\u003e\n[27642.538907] exc_page_fault+0x76/0x140\n[27642.539583] asm_exc_page_fault+0x22/0x30\n[27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30\n[27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8\n01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00\n 00 \u003cf0\u003e 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8\n 5b\n[27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046\n[27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX:\nffff888113ad96d8\n[27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI:\n00000000000000a0\n[27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09:\nffff88810b980f00\n[27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12:\n00000000000000a8\n[27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15:\nffff8881130d8a40\n[27642.550379] complete_all+0x20/0x90\n[27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core]\n[27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core]\n[27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core]\n[27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core]\n[27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core]\n[27642.555757] ? xa_load+0x53/0x90\n[27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core]\n[27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core]\n[27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core]\n[27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core]\n[27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core]\n[27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core]\n[27642.562334] ? 
devlink_rate_set_ops_supported+0x21/0x3a0\n[27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0\n[27642.564026] genl_family_rcv_msg_doit+0xe0/0x130\n[27642.564816] genl_rcv_msg+0x183/0x290\n[27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160\n[27642.566329] ? d\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:10.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9"
},
{
"url": "https://git.kernel.org/stable/c/835778685f157b4fd4683b670cfe4010265bac60"
},
{
"url": "https://git.kernel.org/stable/c/bc72f739f398d9d2e4f3d06f3f75fe98876d5579"
},
{
"url": "https://git.kernel.org/stable/c/24b2795f9683e092dc22a68f487e7aaaf2ddafea"
}
],
"title": "net/mlx5: Fix crash when moving to switchdev mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43467",
"datePublished": "2026-05-08T14:22:28.216Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:10.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43466 (GCVE-0-2026-43466)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
In case of a TX error CQE, a recovery flow is triggered,
mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,
desyncing the DMA FIFO producer and consumer.
After recovery, the producer pushes new DMA entries at the old
dma_fifo_pc, while the consumer reads from position 0.
This causes us to unmap stale DMA addresses from before the recovery.
The DMA FIFO is a purely software construct with no HW counterpart.
At the point of reset, all WQEs have been flushed so dma_fifo_cc is
already equal to dma_fifo_pc. There is no need to reset either counter,
similar to how skb_fifo pc/cc are untouched.
Remove the 'dma_fifo_cc = 0' reset.
This fixes the following WARNING:
WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90
Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00
Call Trace:
<IRQ>
? __warn+0x7d/0x110
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0x16d/0x180
? handle_bug+0x4f/0x90
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
? iommu_dma_unmap_page+0x2e/0x90
dma_unmap_page_attrs+0x10d/0x1b0
mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]
mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]
mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]
__napi_poll+0x24/0x190
net_rx_action+0x32a/0x3b0
? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]
? notifier_call_chain+0x35/0xa0
handle_softirqs+0xc9/0x270
irq_exit_rcu+0x71/0xd0
common_interrupt+0x7f/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
Severity
8.2 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 821f85d619f7f22cda7b9d7de89cf5eeb1d11544 (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 6eb68ecc5acc3b319986566c595990b8a7265b23 (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 383b37c04a4827ba60b2bafc1a6cdfd995aed58f (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8 (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < ce1b19dd0684eeb68a124c11085bd611260b36d9 (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 829efcccfa8f69db5dc8332961295587d218cee6 (git) |
| Linux | Linux | Affected: db75373c91b0cfb6a68ad6ae88721e4e21ae6261, < 1633111d69053512d099658d4a05fc736fab36b0 (git) |
| Linux | Linux | Affected: 4.17 |
| Linux | Linux | Unaffected: 0, < 4.17 (semver) |
| Linux | Linux | Unaffected: 5.10.253, ≤ 5.10.* (semver) |
| Linux | Linux | Unaffected: 5.15.203, ≤ 5.15.* (semver) |
| Linux | Linux | Unaffected: 6.1.167, ≤ 6.1.* (semver) |
| Linux | Linux | Unaffected: 6.6.130, ≤ 6.6.* (semver) |
| Linux | Linux | Unaffected: 6.12.78, ≤ 6.12.* (semver) |
| Linux | Linux | Unaffected: 6.18.19, ≤ 6.18.* (semver) |
| Linux | Linux | Unaffected: 6.19.9, ≤ 6.19.* (semver) |
| Linux | Linux | Unaffected: 7.0, ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "821f85d619f7f22cda7b9d7de89cf5eeb1d11544",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "6eb68ecc5acc3b319986566c595990b8a7265b23",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "383b37c04a4827ba60b2bafc1a6cdfd995aed58f",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "ce1b19dd0684eeb68a124c11085bd611260b36d9",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "829efcccfa8f69db5dc8332961295587d218cee6",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
},
{
"lessThan": "1633111d69053512d099658d4a05fc736fab36b0",
"status": "affected",
"version": "db75373c91b0cfb6a68ad6ae88721e4e21ae6261",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery\n\nIn case of a TX error CQE, a recovery flow is triggered,\nmlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc,\ndesyncing the DMA FIFO producer and consumer.\n\nAfter recovery, the producer pushes new DMA entries at the old\ndma_fifo_pc, while the consumer reads from position 0.\nThis causes us to unmap stale DMA addresses from before the recovery.\n\nThe DMA FIFO is a purely software construct with no HW counterpart.\nAt the point of reset, all WQEs have been flushed so dma_fifo_cc is\nalready equal to dma_fifo_pc. There is no need to reset either counter,\nsimilar to how skb_fifo pc/cc are untouched.\n\nRemove the \u0027dma_fifo_cc = 0\u0027 reset.\n\nThis fixes the following WARNING:\n WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90\n Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables]\n CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:iommu_dma_unmap_page+0x79/0x90\n Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 
d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00\n Call Trace:\n \u003cIRQ\u003e\n ? __warn+0x7d/0x110\n ? iommu_dma_unmap_page+0x79/0x90\n ? report_bug+0x16d/0x180\n ? handle_bug+0x4f/0x90\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? iommu_dma_unmap_page+0x79/0x90\n ? iommu_dma_unmap_page+0x2e/0x90\n dma_unmap_page_attrs+0x10d/0x1b0\n mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core]\n mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core]\n mlx5e_napi_poll+0x8b/0xac0 [mlx5_core]\n __napi_poll+0x24/0x190\n net_rx_action+0x32a/0x3b0\n ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core]\n ? notifier_call_chain+0x35/0xa0\n handle_softirqs+0xc9/0x270\n irq_exit_rcu+0x71/0xd0\n common_interrupt+0x7f/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:09.042Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/821f85d619f7f22cda7b9d7de89cf5eeb1d11544"
},
{
"url": "https://git.kernel.org/stable/c/6eb68ecc5acc3b319986566c595990b8a7265b23"
},
{
"url": "https://git.kernel.org/stable/c/6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e"
},
{
"url": "https://git.kernel.org/stable/c/383b37c04a4827ba60b2bafc1a6cdfd995aed58f"
},
{
"url": "https://git.kernel.org/stable/c/9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8"
},
{
"url": "https://git.kernel.org/stable/c/ce1b19dd0684eeb68a124c11085bd611260b36d9"
},
{
"url": "https://git.kernel.org/stable/c/829efcccfa8f69db5dc8332961295587d218cee6"
},
{
"url": "https://git.kernel.org/stable/c/1633111d69053512d099658d4a05fc736fab36b0"
}
],
"title": "net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43466",
"datePublished": "2026-05-08T14:22:27.513Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:09.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43465 (GCVE-0-2026-43465)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.
The issue was discovered by the drivers/net/xdp.py selftest,
more specifically the test_xdp_native_tx_mb:
- The mlx5 driver allocates a page_pool page and initializes it with
a frag counter of 64 (pp_ref_count=64) and the internal frag counter
to 0.
- The test sends one packet with no payload.
- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP
buffer with the packet data starting in the first fragment which is the
page mentioned above.
- The XDP program runs and calls bpf_xdp_pull_data() which moves the
header into the linear part of the XDP buffer. As the packet doesn't
contain more data, the program drops the tail fragment since it no
longer contains any payload (pp_ref_count=63).
- mlx5 device skips counting this fragment. Internal frag counter
remains 0.
- mlx5 releases all 64 fragments of the page but page pp_ref_count is
63 => negative reference counting error.
Resulting splat during the test:
WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
Modules linked in: [...]
CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]
[...]
Call Trace:
<TASK>
mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]
mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]
mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]
mlx5e_close_rq+0x78/0xa0 [mlx5_core]
mlx5e_close_queues+0x46/0x2a0 [mlx5_core]
mlx5e_close_channel+0x24/0x90 [mlx5_core]
mlx5e_close_channels+0x5d/0xf0 [mlx5_core]
mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]
mlx5e_change_mtu+0x11d/0x490 [mlx5_core]
mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]
netif_set_mtu_ext+0xfc/0x240
do_setlink.isra.0+0x226/0x1100
rtnl_newlink+0x7a9/0xba0
rtnetlink_rcv_msg+0x220/0x3c0
netlink_rcv_skb+0x4b/0xf0
netlink_unicast+0x255/0x380
netlink_sendmsg+0x1f3/0x420
__sock_sendmsg+0x38/0x60
____sys_sendmsg+0x1e8/0x240
___sys_sendmsg+0x7c/0xb0
[...]
__sys_sendmsg+0x5f/0xb0
do_syscall_64+0x55/0xc70
The problem applies for XDP_PASS as well which is handled in a different
code path in the driver.
This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.
As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Severity
9.8 (Critical)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be, < 7d7342a18fadcdb70a63b3c930dc63528ce51832 (git) |
| Linux | Linux | Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be, < 043bd62f748bc9fd98154037aa598cffbd3c667c (git) |
| Linux | Linux | Affected: 87bcef158ac1faca1bd7e0104588e8e2956d10be, < db25c42c2e1f9c0d136420fff5e5700f7e771a6f (git) |
| Linux | Linux | Affected: 8b051d7f530e8a5237da242fbeafef02fec6b813 (git) |
| Linux | Linux | Affected: cb9edd583e23979ee546981be963ad5f217e8b18 (git) |
| Linux | Linux | Affected: f2557d7fa38e9475b38588f5c124476091480f53 (git) |
| Linux | Linux | Affected: 6.18 |
| Linux | Linux | Unaffected: 0, < 6.18 (semver) |
| Linux | Linux | Unaffected: 6.18.19, ≤ 6.18.* (semver) |
| Linux | Linux | Unaffected: 6.19.9, ≤ 6.19.* (semver) |
| Linux | Linux | Unaffected: 7.0, ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d7342a18fadcdb70a63b3c930dc63528ce51832",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"lessThan": "043bd62f748bc9fd98154037aa598cffbd3c667c",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"lessThan": "db25c42c2e1f9c0d136420fff5e5700f7e771a6f",
"status": "affected",
"version": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
"versionType": "git"
},
{
"status": "affected",
"version": "8b051d7f530e8a5237da242fbeafef02fec6b813",
"versionType": "git"
},
{
"status": "affected",
"version": "cb9edd583e23979ee546981be963ad5f217e8b18",
"versionType": "git"
},
{
"status": "affected",
"version": "f2557d7fa38e9475b38588f5c124476091480f53",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn\u0027t change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nThe issue was discovered by the drivers/net/xdp.py selftest,\nmore specifically the test_xdp_native_tx_mb:\n- The mlx5 driver allocates a page_pool page and initializes it with\n a frag counter of 64 (pp_ref_count=64) and the internal frag counter\n to 0.\n- The test sends one packet with no payload.\n- On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP\n buffer with the packet data starting in the first fragment which is the\n page mentioned above.\n- The XDP program runs and calls bpf_xdp_pull_data() which moves the\n header into the linear part of the XDP buffer. As the packet doesn\u0027t\n contain more data, the program drops the tail fragment since it no\n longer contains any payload (pp_ref_count=63).\n- mlx5 device skips counting this fragment. 
Internal frag counter\n remains 0.\n- mlx5 releases all 64 fragments of the page but page pp_ref_count is\n 63 =\u003e negative reference counting error.\n\nResulting splat during the test:\n\n WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n Modules linked in: [...]\n CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core]\n [...]\n Call Trace:\n \u003cTASK\u003e\n mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core]\n mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core]\n mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core]\n mlx5e_close_rq+0x78/0xa0 [mlx5_core]\n mlx5e_close_queues+0x46/0x2a0 [mlx5_core]\n mlx5e_close_channel+0x24/0x90 [mlx5_core]\n mlx5e_close_channels+0x5d/0xf0 [mlx5_core]\n mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core]\n mlx5e_change_mtu+0x11d/0x490 [mlx5_core]\n mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core]\n netif_set_mtu_ext+0xfc/0x240\n do_setlink.isra.0+0x226/0x1100\n rtnl_newlink+0x7a9/0xba0\n rtnetlink_rcv_msg+0x220/0x3c0\n netlink_rcv_skb+0x4b/0xf0\n netlink_unicast+0x255/0x380\n netlink_sendmsg+0x1f3/0x420\n __sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x1e8/0x240\n ___sys_sendmsg+0x7c/0xb0\n [...]\n __sys_sendmsg+0x5f/0xb0\n do_syscall_64+0x55/0xc70\n\nThe problem applies for XDP_PASS as well which is handled in a different\ncode path in the driver.\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). 
This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:07.890Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832"
},
{
"url": "https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c"
},
{
"url": "https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f"
}
],
"title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43465",
"datePublished": "2026-05-08T14:22:26.822Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:07.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43464 (GCVE-0-2026-43464)
Vulnerability from cvelistv5 – Published: 2026-05-08 14:22 – Updated: 2026-05-11 22:25
Title
net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ
Summary
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ

XDP multi-buf programs can modify the layout of the XDP buffer when the
program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The
referenced commit in the fixes tag corrected the assumption in the mlx5
driver that the XDP buffer layout doesn't change during a program
execution. However, this fix introduced another issue: the dropped
fragments still need to be counted on the driver side to avoid page
fragment reference counting issues.

Such issue can be observed with the
test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of
3600 and shrinking by 256 bytes (an upcoming selftest patch): the last
fragment gets released by the XDP code but doesn't get tracked by the
driver. This results in a negative pp_ref_count during page release and
the following splat:

    WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137
    Modules linked in: [...]
    CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]
    [...]
    Call Trace:
    <TASK>
    mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]
    mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]
    mlx5e_close_rq+0x50/0x60 [mlx5_core]
    mlx5e_close_queues+0x36/0x2c0 [mlx5_core]
    mlx5e_close_channel+0x1c/0x50 [mlx5_core]
    mlx5e_close_channels+0x45/0x80 [mlx5_core]
    mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]
    mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]
    netif_set_mtu_ext+0xf1/0x230
    do_setlink.isra.0+0x219/0x1180
    rtnl_newlink+0x79f/0xb60
    rtnetlink_rcv_msg+0x213/0x3a0
    netlink_rcv_skb+0x48/0xf0
    netlink_unicast+0x24a/0x350
    netlink_sendmsg+0x1ee/0x410
    __sock_sendmsg+0x38/0x60
    ____sys_sendmsg+0x232/0x280
    ___sys_sendmsg+0x78/0xb0
    __sys_sendmsg+0x5f/0xb0
    [...]
    do_syscall_64+0x57/0xc50

This patch fixes the issue by doing page frag counting on all the
original XDP buffer fragments for all relevant XDP actions (XDP_TX ,
XDP_REDIRECT and XDP_PASS). This is basically reverting to the original
counting before the commit in the fixes tag.

As frag_page is still pointing to the original tail, the nr_frags
parameter to xdp_update_skb_frags_info() needs to be calculated
in a different way to reflect the new nr_frags.
Severity
7.5 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < c74557495efb4bd0adefdfc8678ecdbc82a06da3 (git); Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < 03cb50e5b74fce8bf6d92b860371b66253cf0f8d (git); Affected: afd5ba577c10639f62e8120df67dc70ea4b61176 , < a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa (git); Affected: 72328f25755ee966724f46e3a0e8e59bef2091ba (git); Affected: 0049fd63881505566824e88cfa624638f921c808 (git); Affected: d969645b9b7810289bf3c353ea06957373756b8e (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.19 , ≤ 6.18.* (semver); Unaffected: 6.19.9 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c74557495efb4bd0adefdfc8678ecdbc82a06da3",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"lessThan": "03cb50e5b74fce8bf6d92b860371b66253cf0f8d",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"lessThan": "a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa",
"status": "affected",
"version": "afd5ba577c10639f62e8120df67dc70ea4b61176",
"versionType": "git"
},
{
"status": "affected",
"version": "72328f25755ee966724f46e3a0e8e59bef2091ba",
"versionType": "git"
},
{
"status": "affected",
"version": "0049fd63881505566824e88cfa624638f921c808",
"versionType": "git"
},
{
"status": "affected",
"version": "d969645b9b7810289bf3c353ea06957373756b8e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.115",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.12.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.17.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ\n\nXDP multi-buf programs can modify the layout of the XDP buffer when the\nprogram calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The\nreferenced commit in the fixes tag corrected the assumption in the mlx5\ndriver that the XDP buffer layout doesn\u0027t change during a program\nexecution. However, this fix introduced another issue: the dropped\nfragments still need to be counted on the driver side to avoid page\nfragment reference counting issues.\n\nSuch issue can be observed with the\ntest_xdp_native_adjst_tail_shrnk_data selftest when using a payload of\n3600 and shrinking by 256 bytes (an upcoming selftest patch): the last\nfragment gets released by the XDP code but doesn\u0027t get tracked by the\ndriver. This results in a negative pp_ref_count during page release and\nthe following splat:\n\n WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137\n Modules linked in: [...]\n CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core]\n [...]\n Call Trace:\n \u003cTASK\u003e\n mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core]\n mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core]\n mlx5e_close_rq+0x50/0x60 [mlx5_core]\n mlx5e_close_queues+0x36/0x2c0 [mlx5_core]\n mlx5e_close_channel+0x1c/0x50 [mlx5_core]\n mlx5e_close_channels+0x45/0x80 [mlx5_core]\n mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core]\n mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core]\n netif_set_mtu_ext+0xf1/0x230\n do_setlink.isra.0+0x219/0x1180\n rtnl_newlink+0x79f/0xb60\n rtnetlink_rcv_msg+0x213/0x3a0\n netlink_rcv_skb+0x48/0xf0\n netlink_unicast+0x24a/0x350\n netlink_sendmsg+0x1ee/0x410\n 
__sock_sendmsg+0x38/0x60\n ____sys_sendmsg+0x232/0x280\n ___sys_sendmsg+0x78/0xb0\n __sys_sendmsg+0x5f/0xb0\n [...]\n do_syscall_64+0x57/0xc50\n\nThis patch fixes the issue by doing page frag counting on all the\noriginal XDP buffer fragments for all relevant XDP actions (XDP_TX ,\nXDP_REDIRECT and XDP_PASS). This is basically reverting to the original\ncounting before the commit in the fixes tag.\n\nAs frag_page is still pointing to the original tail, the nr_frags\nparameter to xdp_update_skb_frags_info() needs to be calculated\nin a different way to reflect the new nr_frags."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:25:06.725Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3"
},
{
"url": "https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d"
},
{
"url": "https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa"
}
],
"title": "net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43464",
"datePublished": "2026-05-08T14:22:26.039Z",
"dateReserved": "2026-05-01T14:12:56.011Z",
"dateUpdated": "2026-05-11T22:25:06.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}