15908 vulnerabilities by linux
CVE-2026-52907 (GCVE-0-2026-52907)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-09 12:36
Title
media: rockchip: rkcif: fix off by one bugs
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: rockchip: rkcif: fix off by one bugs
Change these comparisons from > vs >= to avoid accessing one element
beyond the end of the arrays.
While at it, use ARRAY_SIZE instead of the _MAX enum values.
[fix cosmetic issues]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1f2353f5a1af995efbf7bea44341aa0d03460b28 , < 73e119036b3a799170ed89907b4273c07306d611 (git); Affected: 1f2353f5a1af995efbf7bea44341aa0d03460b28 , < e4056b84af0fc18c84b4e5741df04ecd8ca17973 (git) |
| Linux | Linux | Affected: 6.19; Unaffected: 0 , < 6.19 (semver); Unaffected: 7.0.4 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "73e119036b3a799170ed89907b4273c07306d611",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
},
{
"lessThan": "e4056b84af0fc18c84b4e5741df04ecd8ca17973",
"status": "affected",
"version": "1f2353f5a1af995efbf7bea44341aa0d03460b28",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/rockchip/rkcif/rkcif-capture-mipi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rockchip: rkcif: fix off by one bugs\n\nChange these comparisons from \u003e vs \u003e= to avoid accessing one element\nbeyond the end of the arrays.\nWhile at it, use ARRAY_SIZE instead of the _MAX enum values.\n\n[fix cosmetic issues]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:36:04.617Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/73e119036b3a799170ed89907b4273c07306d611"
},
{
"url": "https://git.kernel.org/stable/c/e4056b84af0fc18c84b4e5741df04ecd8ca17973"
}
],
"title": "media: rockchip: rkcif: fix off by one bugs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52907",
"datePublished": "2026-06-09T12:36:04.617Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-09T12:36:04.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52906 (GCVE-0-2026-52906)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-09 12:36
Title
9p: fix access mode flags being ORed instead of replaced
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p: fix access mode flags being ORed instead of replaced
Since commit 1f3e4142c0eb ("9p: convert to the new mount API"),
v9fs_apply_options() applies parsed mount flags with |= onto flags
already set by v9fs_session_init(). For 9P2000.L, session_init sets
V9FS_ACCESS_CLIENT as the default, so when the user mounts with
"access=user", both bits end up set. Access mode checks compare
against exact values, so having both bits set matches neither mode.
This causes v9fs_fid_lookup() to fall through to the default switch
case, using INVALID_UID (nobody/65534) instead of current_fsuid()
for all fid lookups. Root is then unable to chown or perform other
privileged operations.
Fix by clearing the access mask before applying the user's choice.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1f3e4142c0eb178089ea0cbc97506a061470ad27 , < b8f037e87a083291190204b959cda417aaf01058 (git); Affected: 1f3e4142c0eb178089ea0cbc97506a061470ad27 , < da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9 (git) |
| Linux | Linux | Affected: 6.19; Unaffected: 0 , < 6.19 (semver); Unaffected: 7.0.4 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b8f037e87a083291190204b959cda417aaf01058",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
},
{
"lessThan": "da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9",
"status": "affected",
"version": "1f3e4142c0eb178089ea0cbc97506a061470ad27",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/9p/v9fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\n9p: fix access mode flags being ORed instead of replaced\n\nSince commit 1f3e4142c0eb (\"9p: convert to the new mount API\"),\nv9fs_apply_options() applies parsed mount flags with |= onto flags\nalready set by v9fs_session_init(). For 9P2000.L, session_init sets\nV9FS_ACCESS_CLIENT as the default, so when the user mounts with\n\"access=user\", both bits end up set. Access mode checks compare\nagainst exact values, so having both bits set matches neither mode.\n\nThis causes v9fs_fid_lookup() to fall through to the default switch\ncase, using INVALID_UID (nobody/65534) instead of current_fsuid()\nfor all fid lookups. Root is then unable to chown or perform other\nprivileged operations.\n\nFix by clearing the access mask before applying the user\u0027s choice."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:36:03.521Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b8f037e87a083291190204b959cda417aaf01058"
},
{
"url": "https://git.kernel.org/stable/c/da2346a48a5a1fed86c3fe3d73c0b60e7b3027c9"
}
],
"title": "9p: fix access mode flags being ORed instead of replaced",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52906",
"datePublished": "2026-06-09T12:36:03.521Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-09T12:36:03.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52905 (GCVE-0-2026-52905)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-09 12:36
Title
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/core: disallow non-power of two min_region_sz on damon_start()
Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced
a bug that allows unaligned DAMON region address ranges. Commit
c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz")
fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs
interface can emit non-power of two min_region_sz via damon_start(). Fix
the path by adding the is_power_of_2() check on damon_start().
The issue was discovered by sashiko [1].
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 1de2db19a6028abe7d905875922faef5b873de67 (git); Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 89b6226b6c2a4add3939f361653a47c212d6ab75 (git); Affected: d8f867fa0825fb3e358457566d7326d8aab2406a , < 95093e5cb4c5b50a5b1a4b79f2942b62744bd66a (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.30 , ≤ 6.18.* (semver); Unaffected: 7.0.4 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1de2db19a6028abe7d905875922faef5b873de67",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "89b6226b6c2a4add3939f361653a47c212d6ab75",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
},
{
"lessThan": "95093e5cb4c5b50a5b1a4b79f2942b62744bd66a",
"status": "affected",
"version": "d8f867fa0825fb3e358457566d7326d8aab2406a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: disallow non-power of two min_region_sz on damon_start()\n\nCommit d8f867fa0825 (\"mm/damon: add damon_ctx-\u003emin_sz_region\") introduced\na bug that allows unaligned DAMON region address ranges. Commit\nc80f46ac228b (\"mm/damon/core: disallow non-power of two min_region_sz\")\nfixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs\ninterface can emit non-power of two min_region_sz via damon_start(). Fix\nthe path by adding the is_power_of_2() check on damon_start().\n\nThe issue was discovered by sashiko [1]."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:36:02.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1de2db19a6028abe7d905875922faef5b873de67"
},
{
"url": "https://git.kernel.org/stable/c/89b6226b6c2a4add3939f361653a47c212d6ab75"
},
{
"url": "https://git.kernel.org/stable/c/95093e5cb4c5b50a5b1a4b79f2942b62744bd66a"
}
],
"title": "mm/damon/core: disallow non-power of two min_region_sz on damon_start()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52905",
"datePublished": "2026-06-09T12:36:02.516Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-09T12:36:02.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-52904 (GCVE-0-2026-52904)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-09 12:36
Title
drm/nouveau: fix nvkm_device leak on aperture removal failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix nvkm_device leak on aperture removal failure
When aperture_remove_conflicting_pci_devices() fails during probe, the
error path returns directly without unwinding the nvkm_device that was
just allocated by nvkm_device_pci_new(). This leaks both the device
wrapper and the pci_enable_device() reference taken inside it.
Jump to the existing fail_nvkm label so nvkm_device_del() runs and
balances both. The leak was introduced when the intermediate
nvkm_device_del() between detection and aperture removal was dropped
in favor of creating the pci device once.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 5edd564ccb002ffc830e7818c1c4a992db774678 (git); Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6 (git); Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 843c0247cf21364e33bb5a8ffc9af57107d04d05 (git); Affected: c0bfe34330b5fafdbbc63a7124841711651b96b9 , < 6597ff1d8de3f583be169587efeafd8af134e138 (git) |
| Linux | Linux | Affected: 6.12; Unaffected: 0 , < 6.12 (semver); Unaffected: 6.12.86 , ≤ 6.12.* (semver); Unaffected: 6.18.27 , ≤ 6.18.* (semver); Unaffected: 7.0.4 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5edd564ccb002ffc830e7818c1c4a992db774678",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "843c0247cf21364e33bb5a8ffc9af57107d04d05",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
},
{
"lessThan": "6597ff1d8de3f583be169587efeafd8af134e138",
"status": "affected",
"version": "c0bfe34330b5fafdbbc63a7124841711651b96b9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/nouveau/nouveau_drm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: fix nvkm_device leak on aperture removal failure\n\nWhen aperture_remove_conflicting_pci_devices() fails during probe, the\nerror path returns directly without unwinding the nvkm_device that was\njust allocated by nvkm_device_pci_new(). This leaks both the device\nwrapper and the pci_enable_device() reference taken inside it.\n\nJump to the existing fail_nvkm label so nvkm_device_del() runs and\nbalances both. The leak was introduced when the intermediate\nnvkm_device_del() between detection and aperture removal was dropped\nin favor of creating the pci device once."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:36:01.237Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5edd564ccb002ffc830e7818c1c4a992db774678"
},
{
"url": "https://git.kernel.org/stable/c/4404d7d2dda4f3cc84a8fb6ac5417a2afc3b22d6"
},
{
"url": "https://git.kernel.org/stable/c/843c0247cf21364e33bb5a8ffc9af57107d04d05"
},
{
"url": "https://git.kernel.org/stable/c/6597ff1d8de3f583be169587efeafd8af134e138"
}
],
"title": "drm/nouveau: fix nvkm_device leak on aperture removal failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-52904",
"datePublished": "2026-06-09T12:36:01.237Z",
"dateReserved": "2026-06-09T07:44:35.366Z",
"dateUpdated": "2026-06-09T12:36:01.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46332 (GCVE-0-2026-46332)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:36 – Updated: 2026-06-09 12:36
Title
greybus: gb-beagleplay: bound bootloader receive buffering
Summary
In the Linux kernel, the following vulnerability has been resolved:
greybus: gb-beagleplay: bound bootloader receive buffering
cc1352_bootloader_rx() appends each serdev chunk into the fixed
rx_buffer before parsing bootloader packets. The helper can keep
leftover bytes between callbacks and may receive multiple packets in one
callback, so a single count value is not constrained by one packet
length.
Check that the incoming chunk fits in the remaining receive buffer space
before memcpy(). If it does not, drop the staged data and consume the
bytes instead of overflowing rx_buffer.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 663c2728a6d0f781044431111b53a27f71027e48 (git); Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < fb91d4e49fcbea0b5091394ac5b8f7d4124265c3 (git); Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 0339a746ff7cd3f9d10f565e89c99dc93191e58d (git); Affected: 0cf7befa3ea2e7284d8ba5b8f45a546865b09edb , < 1214bf28965ceaf584fb20d357731264dd2e10e1 (git) |
| Linux | Linux | Affected: 6.12; Unaffected: 0 , < 6.12 (semver); Unaffected: 6.12.86 , ≤ 6.12.* (semver); Unaffected: 6.18.27 , ≤ 6.18.* (semver); Unaffected: 7.0.4 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "663c2728a6d0f781044431111b53a27f71027e48",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "fb91d4e49fcbea0b5091394ac5b8f7d4124265c3",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "0339a746ff7cd3f9d10f565e89c99dc93191e58d",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
},
{
"lessThan": "1214bf28965ceaf584fb20d357731264dd2e10e1",
"status": "affected",
"version": "0cf7befa3ea2e7284d8ba5b8f45a546865b09edb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/greybus/gb-beagleplay.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: gb-beagleplay: bound bootloader receive buffering\n\ncc1352_bootloader_rx() appends each serdev chunk into the fixed\nrx_buffer before parsing bootloader packets. The helper can keep\nleftover bytes between callbacks and may receive multiple packets in one\ncallback, so a single count value is not constrained by one packet\nlength.\n\nCheck that the incoming chunk fits in the remaining receive buffer space\nbefore memcpy(). If it does not, drop the staged data and consume the\nbytes instead of overflowing rx_buffer."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:36:00.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/663c2728a6d0f781044431111b53a27f71027e48"
},
{
"url": "https://git.kernel.org/stable/c/fb91d4e49fcbea0b5091394ac5b8f7d4124265c3"
},
{
"url": "https://git.kernel.org/stable/c/0339a746ff7cd3f9d10f565e89c99dc93191e58d"
},
{
"url": "https://git.kernel.org/stable/c/1214bf28965ceaf584fb20d357731264dd2e10e1"
}
],
"title": "greybus: gb-beagleplay: bound bootloader receive buffering",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46332",
"datePublished": "2026-06-09T12:36:00.450Z",
"dateReserved": "2026-05-13T15:03:33.113Z",
"dateUpdated": "2026-06-09T12:36:00.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46330 (GCVE-0-2026-46330)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
Revert "net/smc: Introduce TCP ULP support"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "net/smc: Introduce TCP ULP support"
This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.
As reported by Al Viro, the TCP ULP support for SMC is fundamentally
broken. The implementation attempts to convert an active TCP socket
into an SMC socket by modifying the underlying `struct file`, dentry,
and inode in-place, which violates core VFS invariants that assume
these structures are immutable for an open file, creating a risk of
use after free errors and general system instability.
Given the severity of this design flaw and the fact that cleaner
alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application
transparency, the correct course of action is to remove this feature
entirely.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: d7cd421da9da2cc7b4d25b8537f66db5c8331c40 , < 6c505d95c69e27dbf28fea29dc84d2498d69515c (git); Affected: d7cd421da9da2cc7b4d25b8537f66db5c8331c40 , < df31a6b0a3057e66994ad6ccf5d95b9b9514f033 (git) |
| Linux | Linux | Affected: 5.17; Unaffected: 0 , < 5.17 (semver); Unaffected: 6.19.4 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6c505d95c69e27dbf28fea29dc84d2498d69515c",
"status": "affected",
"version": "d7cd421da9da2cc7b4d25b8537f66db5c8331c40",
"versionType": "git"
},
{
"lessThan": "df31a6b0a3057e66994ad6ccf5d95b9b9514f033",
"status": "affected",
"version": "d7cd421da9da2cc7b4d25b8537f66db5c8331c40",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/smc/af_smc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"net/smc: Introduce TCP ULP support\"\n\nThis reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40.\n\nAs reported by Al Viro, the TCP ULP support for SMC is fundamentally\nbroken. The implementation attempts to convert an active TCP socket\ninto an SMC socket by modifying the underlying `struct file`, dentry,\nand inode in-place, which violates core VFS invariants that assume\nthese structures are immutable for an open file, creating a risk of\nuse after free errors and general system instability.\n\nGiven the severity of this design flaw and the fact that cleaner\nalternatives (e.g., LD_PRELOAD, BPF) exist for legacy application\ntransparency, the correct course of action is to remove this feature\nentirely."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:59.413Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6c505d95c69e27dbf28fea29dc84d2498d69515c"
},
{
"url": "https://git.kernel.org/stable/c/df31a6b0a3057e66994ad6ccf5d95b9b9514f033"
}
],
"title": "Revert \"net/smc: Introduce TCP ULP support\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46330",
"datePublished": "2026-06-09T12:25:59.413Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:59.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46329 (GCVE-0-2026-46329)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
erofs: handle end of filesystem properly for file-backed mounts
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs: handle end of filesystem properly for file-backed mounts
I/O requests beyond the end of the filesystem should be zeroed out,
similar to loopback devices and that is what we expect.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < 8d582d65d20bb4796db01b19e86909ad68cb337b (git); Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < e49abde0ffc382a967b24f326d1614ac3bb06a94 (git); Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < fe4039034dcdf584afbf763787909e28e92a4927 (git); Affected: ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 , < bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc (git) |
| Linux | Linux | Affected: 6.12; Unaffected: 0 , < 6.12 (semver); Unaffected: 6.12.75 , ≤ 6.12.* (semver); Unaffected: 6.18.14 , ≤ 6.18.* (semver); Unaffected: 6.19.4 , ≤ 6.19.* (semver); Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8d582d65d20bb4796db01b19e86909ad68cb337b",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "e49abde0ffc382a967b24f326d1614ac3bb06a94",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "fe4039034dcdf584afbf763787909e28e92a4927",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
},
{
"lessThan": "bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc",
"status": "affected",
"version": "ce63cb62d794c98c7631c2296fa845f2a8d0a4a1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/fileio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.12"
},
{
"lessThan": "6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: handle end of filesystem properly for file-backed mounts\n\nI/O requests beyond the end of the filesystem should be zeroed out,\nsimilar to loopback devices and that is what we expect."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:58.520Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8d582d65d20bb4796db01b19e86909ad68cb337b"
},
{
"url": "https://git.kernel.org/stable/c/e49abde0ffc382a967b24f326d1614ac3bb06a94"
},
{
"url": "https://git.kernel.org/stable/c/fe4039034dcdf584afbf763787909e28e92a4927"
},
{
"url": "https://git.kernel.org/stable/c/bc804a8d7e865ef47fb7edcaf5e77d18bf444ebc"
}
],
"title": "erofs: handle end of filesystem properly for file-backed mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46329",
"datePublished": "2026-06-09T12:25:58.520Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:58.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46328 (GCVE-0-2026-46328)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
apparmor: fix rlimit for posix cpu timers
Summary
In the Linux kernel, the following vulnerability has been resolved:
apparmor: fix rlimit for posix cpu timers
Posix cpu timers requires an additional step beyond setting the rlimit.
Refactor the code so it's clear when what code is setting the
limit and conditionally update the posix cpu timers when appropriate.
Severity
No CVSS data available.
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < e1cc11550b2f66687a374536c9dfdddcefca0efe (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 2232d7cd243833ad750cae656d1817fe43744a09 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 1f736dfe27c857b78f8461cd7c3dd9640be74b37 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < e43818b16815c0c2bf933ef28316f8e704e5e0ef (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 9bf1fa150775b0c6b794e4b6a2c0395e13777999 (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 57d51d41b90eface809b72e0e009b50546492f1f (git) Affected: baa73d9e478ff32d62f3f9422822b59dd9a95a21 , < 6ca56813f4a589f536adceb42882855d91fb1125 (git) |
| Linux | Linux | Affected: 4.10 Unaffected: 0 , < 4.10 (semver) Unaffected: 5.10.252 , ≤ 5.10.* (semver) Unaffected: 5.15.202 , ≤ 5.15.* (semver) Unaffected: 6.1.165 , ≤ 6.1.* (semver) Unaffected: 6.6.128 , ≤ 6.6.* (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"security/apparmor/resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e1cc11550b2f66687a374536c9dfdddcefca0efe",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "2232d7cd243833ad750cae656d1817fe43744a09",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "1f736dfe27c857b78f8461cd7c3dd9640be74b37",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "e43818b16815c0c2bf933ef28316f8e704e5e0ef",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "9bf1fa150775b0c6b794e4b6a2c0395e13777999",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "57d51d41b90eface809b72e0e009b50546492f1f",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
},
{
"lessThan": "6ca56813f4a589f536adceb42882855d91fb1125",
"status": "affected",
"version": "baa73d9e478ff32d62f3f9422822b59dd9a95a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"security/apparmor/resource.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.10"
},
{
"lessThan": "4.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.252",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.202",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.252",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.202",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.165",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.128",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "4.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: fix rlimit for posix cpu timers\n\nPosix cpu timers requires an additional step beyond setting the rlimit.\nRefactor the code so its clear when what code is setting the\nlimit and conditionally update the posix cpu timers when appropriate."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:57.629Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e1cc11550b2f66687a374536c9dfdddcefca0efe"
},
{
"url": "https://git.kernel.org/stable/c/2232d7cd243833ad750cae656d1817fe43744a09"
},
{
"url": "https://git.kernel.org/stable/c/28aa93fcfb33b6d580c5df4ae8b6d13fb0e6fcd3"
},
{
"url": "https://git.kernel.org/stable/c/1f736dfe27c857b78f8461cd7c3dd9640be74b37"
},
{
"url": "https://git.kernel.org/stable/c/e43818b16815c0c2bf933ef28316f8e704e5e0ef"
},
{
"url": "https://git.kernel.org/stable/c/9bf1fa150775b0c6b794e4b6a2c0395e13777999"
},
{
"url": "https://git.kernel.org/stable/c/57d51d41b90eface809b72e0e009b50546492f1f"
},
{
"url": "https://git.kernel.org/stable/c/6ca56813f4a589f536adceb42882855d91fb1125"
}
],
"title": "apparmor: fix rlimit for posix cpu timers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46328",
"datePublished": "2026-06-09T12:25:57.629Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:57.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46327 (GCVE-0-2026-46327)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
dm: fix unlocked test for dm_suspended_md
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix unlocked test for dm_suspended_md
The function dm_blk_report_zones tests if the device is suspended with
the "dm_suspended_md" call. However, this function is called without
holding any locks, so the device may be suspended just after it.
Move the call to dm_suspended_md after dm_get_live_table, so that the
device can't be suspended after the suspended state was tested.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f9c1bdf24615303d48a2d0fd629c88f3189563aa , < 175ac0a6115400278d3900f5a04a58b17b3f6cd0 (git) Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < 7a3385e97af2b6f485fef11e82d8c29adee4be93 (git) Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < d809a36692ee1394cac85ce6ba7cf8ea58da5812 (git) Affected: 37f53a2c60d03743e0eacf7a0c01c279776fef4e , < 24c405fdbe215c45e57bba672cc42859038491ee (git) Affected: d19bc1b4dd5f322980b1f05f79b2ea4f0db10920 (git) Affected: 6.12.34 , < 6.12.75 (semver) Affected: 6.15.3 , < 6.16 (semver) |
| Linux | Linux | Affected: 6.16 Unaffected: 0 , < 6.16 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-zone.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "175ac0a6115400278d3900f5a04a58b17b3f6cd0",
"status": "affected",
"version": "f9c1bdf24615303d48a2d0fd629c88f3189563aa",
"versionType": "git"
},
{
"lessThan": "7a3385e97af2b6f485fef11e82d8c29adee4be93",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"lessThan": "d809a36692ee1394cac85ce6ba7cf8ea58da5812",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"lessThan": "24c405fdbe215c45e57bba672cc42859038491ee",
"status": "affected",
"version": "37f53a2c60d03743e0eacf7a0c01c279776fef4e",
"versionType": "git"
},
{
"status": "affected",
"version": "d19bc1b4dd5f322980b1f05f79b2ea4f0db10920",
"versionType": "git"
},
{
"lessThan": "6.12.75",
"status": "affected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThan": "6.16",
"status": "affected",
"version": "6.15.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-zone.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.12.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.15.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix unlocked test for dm_suspended_md\n\nThe function dm_blk_report_zones tests if the device is suspended with\nthe \"dm_suspended_md\" call. However, this function is called without\nholding any locks, so the device may be suspended just after it.\n\nMove the call to dm_suspended_md after dm_get_live_table, so that the\ndevice can\u0027t be suspended after the suspended state was tested."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:54.781Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/175ac0a6115400278d3900f5a04a58b17b3f6cd0"
},
{
"url": "https://git.kernel.org/stable/c/7a3385e97af2b6f485fef11e82d8c29adee4be93"
},
{
"url": "https://git.kernel.org/stable/c/d809a36692ee1394cac85ce6ba7cf8ea58da5812"
},
{
"url": "https://git.kernel.org/stable/c/24c405fdbe215c45e57bba672cc42859038491ee"
}
],
"title": "dm: fix unlocked test for dm_suspended_md",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46327",
"datePublished": "2026-06-09T12:25:54.781Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:54.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46326 (GCVE-0-2026-46326)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
iio: pressure: mprls0025pa: fix spi_transfer struct initialisation
Summary
In the Linux kernel, the following vulnerability has been resolved:
iio: pressure: mprls0025pa: fix spi_transfer struct initialisation
Make sure that the spi_transfer struct is zeroed out before use.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 72158f9ae29a9e56d0f9704ce461a866feaf9925 (git) Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 664ffdf34c01810085e4d85508b361c3fdd2ab40 (git) Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 9080c7ac30f5f8f8fcb7b27b56df60fea7909c21 (git) Affected: a0858f0cd28e822b91376ae288d5548bc1847531 , < 1e0ac56c92e26115cbc8cfc639843725cb3a7d6a (git) |
| Linux | Linux | Affected: 6.9 Unaffected: 0 , < 6.9 (semver) Unaffected: 6.12.75 , ≤ 6.12.* (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iio/pressure/mprls0025pa_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "72158f9ae29a9e56d0f9704ce461a866feaf9925",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "664ffdf34c01810085e4d85508b361c3fdd2ab40",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "9080c7ac30f5f8f8fcb7b27b56df60fea7909c21",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
},
{
"lessThan": "1e0ac56c92e26115cbc8cfc639843725cb3a7d6a",
"status": "affected",
"version": "a0858f0cd28e822b91376ae288d5548bc1847531",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iio/pressure/mprls0025pa_spi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.9"
},
{
"lessThan": "6.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.75",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.75",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: pressure: mprls0025pa: fix spi_transfer struct initialisation\n\nMake sure that the spi_transfer struct is zeroed out before use."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:53.893Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/72158f9ae29a9e56d0f9704ce461a866feaf9925"
},
{
"url": "https://git.kernel.org/stable/c/664ffdf34c01810085e4d85508b361c3fdd2ab40"
},
{
"url": "https://git.kernel.org/stable/c/9080c7ac30f5f8f8fcb7b27b56df60fea7909c21"
},
{
"url": "https://git.kernel.org/stable/c/1e0ac56c92e26115cbc8cfc639843725cb3a7d6a"
}
],
"title": "iio: pressure: mprls0025pa: fix spi_transfer struct initialisation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46326",
"datePublished": "2026-06-09T12:25:53.893Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:53.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46325 (GCVE-0-2026-46325)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25
Title
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
The current implementation incorrectly handles memory regions (MRs) with
page sizes different from the system PAGE_SIZE. The core issue is that
rxe_set_page() is called with mr->page_size step increments, but the
page_list stores individual struct page pointers, each representing
PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either
a) SG[i-1].dma_end and SG[i].dma_addr are contiguous
or
b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):
   ibmr->iova = 0x181800
   sg[0]: dma_addr=0x181800, len=0x800
   sg[1]: dma_addr=0x173000, len=0x1000

   Access iova = 0x181800 + 0x810 = 0x182010
   Expected VA: 0x173010 (second SG, offset 0x10)
   Before fix:
   - index = (0x182010 >> 12) - (0x181800 >> 12) = 1
   - page_offset = 0x182010 & 0xFFF = 0x10
   - xarray[1] stores system page base 0x170000
   - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)

2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):
   ibmr->iova = 0x18f800
   sg[0]: dma_addr=0x18f800, len=0x800
   sg[1]: dma_addr=0x170000, len=0x1000

   Access iova = 0x18f800 + 0x810 = 0x190010
   Expected VA: 0x170010 (second SG, offset 0x10)
   Before fix:
   - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
   - page_offset = 0x190010 & 0xFFFF = 0x10
   - xarray[1] stores system page for dma_addr 0x170000
   - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution:
1. Replace xarray with pre-allocated rxe_mr_page array for sequential
   indexing (all MR page indices are contiguous)
2. Each rxe_mr_page stores both struct page* and offset within the
   system page
3. Handle MR page_size != PAGE_SIZE relationships:
   - page_size > PAGE_SIZE: Split MR pages into multiple system pages
   - page_size <= PAGE_SIZE: Store offset within system page
4. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size
and system PAGE_SIZE relationship, while improving performance through
array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts:
- rdma-core/pytests
  $ ./build/bin/run_tests.py --dev eth0_rxe
- blktest:
  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 409c2c5508f3d30627bea576f8676de523cb906e (git) Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 836f6c13c9674027793f720be3f15ecd2b90b6ca (git) Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 12985e5915a0b8354796efadaaeb201eed115377 (git) Affected: 0e443760b8b7b1e6723f4408afa056b2bc4fea12 (git) Affected: 6.2.3 , < 6.3 (semver) |
| Linux | Linux | Affected: 6.3 Unaffected: 0 , < 6.3 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "409c2c5508f3d30627bea576f8676de523cb906e",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"lessThan": "836f6c13c9674027793f720be3f15ecd2b90b6ca",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"lessThan": "12985e5915a0b8354796efadaaeb201eed115377",
"status": "affected",
"version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
"versionType": "git"
},
{
"status": "affected",
"version": "0e443760b8b7b1e6723f4408afa056b2bc4fea12",
"versionType": "git"
},
{
"lessThan": "6.3",
"status": "affected",
"version": "6.2.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/sw/rxe/rxe_mr.c",
"drivers/infiniband/sw/rxe/rxe_verbs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.14",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.4",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\n\nThe current implementation incorrectly handles memory regions (MRs) with\npage sizes different from the system PAGE_SIZE. The core issue is that\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\npage_list stores individual struct page pointers, each representing\nPAGE_SIZE of memory.\n\nib_sg_to_page() has ensured that when i\u003e=1 either\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\nor\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\n\nThis leads to incorrect iova-to-va conversion in scenarios:\n\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\n ibmr-\u003eiova = 0x181800\n sg[0]: dma_addr=0x181800, len=0x800\n sg[1]: dma_addr=0x173000, len=0x1000\n\n Access iova = 0x181800 + 0x810 = 0x182010\n Expected VA: 0x173010 (second SG, offset 0x10)\n Before fix:\n - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\n - page_offset = 0x182010 \u0026 0xFFF = 0x10\n - xarray[1] stores system page base 0x170000\n - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\n\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\n ibmr-\u003eiova = 0x18f800\n sg[0]: dma_addr=0x18f800, len=0x800\n sg[1]: dma_addr=0x170000, len=0x1000\n\n Access iova = 0x18f800 + 0x810 = 0x190010\n Expected VA: 0x170010 (second SG, offset 0x10)\n Before fix:\n - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\n - page_offset = 0x190010 \u0026 0xFFFF = 0x10\n - xarray[1] stores system page for dma_addr 0x170000\n - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\n\nYi Zhang reported a kernel panic[1] years ago related to this defect.\n\nSolution:\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\n indexing (all MR page indices are contiguous)\n2. Each rxe_mr_page stores both struct page* and offset within the\n system page\n3. Handle MR page_size != PAGE_SIZE relationships:\n - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\n - page_size \u003c= PAGE_SIZE: Store offset within system page\n4. Add boundary checks and compatibility validation\n\nThis ensures correct iova-to-va conversion regardless of MR page size\nand system PAGE_SIZE relationship, while improving performance through\narray-based sequential access.\n\nTests on 4K and 64K PAGE_SIZE hosts:\n- rdma-core/pytests\n $ ./build/bin/run_tests.py --dev eth0_rxe\n- blktest:\n $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\n\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:25:52.792Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e"
},
{
"url": "https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca"
},
{
"url": "https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377"
}
],
"title": "RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46325",
"datePublished": "2026-06-09T12:25:52.792Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:25:52.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46324 (GCVE-0-2026-46324)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
netfilter: nf_tables: use list_del_rcu for netlink hooks
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: use list_del_rcu for netlink hooks
nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need
to use list_del_rcu(), this list can be walked by concurrent dumpers.
Add a new helper and use it consistently.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < 0bd93ce4f3c35e845532184331d7917d7e562c80 (git) Affected: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < 0f33e8ad6ac563ae2233dd7f75884e0ee010521d (git) Affected: f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 , < f3224ee463f8f6f6ced7dcdf6081add4f8128527 (git) Affected: c73955a09408e7374d9abfd0e78ce3de9cda0635 (git) Affected: b09e6ccf0d12f9356e8e3508d3e3dce126298538 (git) Affected: 3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82 (git) Affected: 9c413a8c8bb49cc16796371805ecb260e885bb2b (git) Affected: a3940dcf552f2393d1e8f263b386593f98abe829 (git) Affected: 86c0154f4c3a56c5db8b9dd09e3ce885382c2c19 (git) Affected: 4.19.316 , < 4.20 (semver) Affected: 5.4.262 , < 5.5 (semver) Affected: 5.10.198 , < 5.11 (semver) Affected: 5.15.45 , < 5.16 (semver) Affected: 5.17.13 , < 5.18 (semver) Affected: 5.18.2 , < 5.19 (semver) |
| Linux | Linux | Affected: 5.19 Unaffected: 0 , < 5.19 (semver) Unaffected: 6.18.33 , ≤ 6.18.* (semver) Unaffected: 7.0.10 , ≤ 7.0.* (semver) Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bd93ce4f3c35e845532184331d7917d7e562c80",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"lessThan": "0f33e8ad6ac563ae2233dd7f75884e0ee010521d",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"lessThan": "f3224ee463f8f6f6ced7dcdf6081add4f8128527",
"status": "affected",
"version": "f9a43007d3f7ba76d5e7f9421094f00f2ef202f8",
"versionType": "git"
},
{
"status": "affected",
"version": "c73955a09408e7374d9abfd0e78ce3de9cda0635",
"versionType": "git"
},
{
"status": "affected",
"version": "b09e6ccf0d12f9356e8e3508d3e3dce126298538",
"versionType": "git"
},
{
"status": "affected",
"version": "3fac8ce48fa9fd61ee9056d3ed48b2edefca8b82",
"versionType": "git"
},
{
"status": "affected",
"version": "9c413a8c8bb49cc16796371805ecb260e885bb2b",
"versionType": "git"
},
{
"status": "affected",
"version": "a3940dcf552f2393d1e8f263b386593f98abe829",
"versionType": "git"
},
{
"status": "affected",
"version": "86c0154f4c3a56c5db8b9dd09e3ce885382c2c19",
"versionType": "git"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.316",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.262",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.198",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.45",
"versionType": "semver"
},
{
"lessThan": "5.18",
"status": "affected",
"version": "5.17.13",
"versionType": "semver"
},
{
"lessThan": "5.19",
"status": "affected",
"version": "5.18.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_tables_api.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.316",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.262",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.198",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use list_del_rcu for netlink hooks\n\nnft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need\nto use list_del_rcu(), this list can be walked by concurrent dumpers.\n\nAdd a new helper and use it consistently."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:16.602Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bd93ce4f3c35e845532184331d7917d7e562c80"
},
{
"url": "https://git.kernel.org/stable/c/0f33e8ad6ac563ae2233dd7f75884e0ee010521d"
},
{
"url": "https://git.kernel.org/stable/c/f3224ee463f8f6f6ced7dcdf6081add4f8128527"
}
],
"title": "netfilter: nf_tables: use list_del_rcu for netlink hooks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46324",
"datePublished": "2026-06-09T12:11:16.602Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:16.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46323 (GCVE-0-2026-46323)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
net: gro: don't merge zcopy skbs
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gro: don't merge zcopy skbs
skb_gro_receive() can currently copy frags between the source and GRO
skb, without checking the zerocopy status, and in particular the
SKBFL_MANAGED_FRAG_REFS flag.
When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference
on the pages in shinfo->frags. Appending those frags to another skb's
frags without fixing up the page refcount can lead to UAF.
When either the last skb in the GRO chain (the one we would append
frags to) or the source skb is zerocopy, don't merge the skbs.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 1f9c828556416fbe3f49386708ce999fc4d4da06 (git)<br>Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 479084ae0e1d9cb7929cb4298d35623de189f80a (git)<br>Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < e334cbf3388fd9334503a778a82d9e9f14dd2f71 (git)<br>Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 44bea2032af0425e4ce6d26a8af0ede79db49ec1 (git)<br>Affected: 753f1ca4e1e50248a1b760c9774d6d6b354562cc , < 4db79a322db8c97f7b73b8a347395ef4d685eb40 (git) | |
| Linux | Linux | Affected: 6.0<br>Unaffected: 0 , < 6.0 (semver)<br>Unaffected: 6.6.142 , ≤ 6.6.* (semver)<br>Unaffected: 6.12.92 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.34 , ≤ 6.18.* (semver)<br>Unaffected: 7.0.11 , ≤ 7.0.* (semver)<br>Unaffected: 7.1-rc5 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1f9c828556416fbe3f49386708ce999fc4d4da06",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "479084ae0e1d9cb7929cb4298d35623de189f80a",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "e334cbf3388fd9334503a778a82d9e9f14dd2f71",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "44bea2032af0425e4ce6d26a8af0ede79db49ec1",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
},
{
"lessThan": "4db79a322db8c97f7b73b8a347395ef4d685eb40",
"status": "affected",
"version": "753f1ca4e1e50248a1b760c9774d6d6b354562cc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/gro.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc5",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gro: don\u0027t merge zcopy skbs\n\nskb_gro_receive() can currently copy frags between the source and GRO\nskb, without checking the zerocopy status, and in particular the\nSKBFL_MANAGED_FRAG_REFS flag.\n\nWhen SKBFL_MANAGED_FRAG_REFS is set, the skb doesn\u0027t hold a reference\non the pages in shinfo-\u003efrags. Appending those frags to another skb\u0027s\nfrags without fixing up the page refcount can lead to UAF.\n\nWhen either the last skb in the GRO chain (the one we would append\nfrags to) or the source skb is zerocopy, don\u0027t merge the skbs."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:15.562Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1f9c828556416fbe3f49386708ce999fc4d4da06"
},
{
"url": "https://git.kernel.org/stable/c/479084ae0e1d9cb7929cb4298d35623de189f80a"
},
{
"url": "https://git.kernel.org/stable/c/e334cbf3388fd9334503a778a82d9e9f14dd2f71"
},
{
"url": "https://git.kernel.org/stable/c/44bea2032af0425e4ce6d26a8af0ede79db49ec1"
},
{
"url": "https://git.kernel.org/stable/c/4db79a322db8c97f7b73b8a347395ef4d685eb40"
}
],
"title": "net: gro: don\u0027t merge zcopy skbs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46323",
"datePublished": "2026-06-09T12:11:15.562Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:15.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46322 (GCVE-0-2026-46322)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
tun: free page on build_skb failure in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on build_skb failure in tun_xdp_one()
When build_skb() fails in tun_xdp_one(), the function sets ret to
-ENOMEM and jumps to the out label, which returns without freeing the
page that vhost_net_build_xdp() allocated for the frame. As with the
short-frame rejection path, tun_sendmsg() discards the per-buffer error
and still returns total_len, so vhost_tx_batch() takes the success path
and never frees the page. Each build_skb() failure in a batch leaks one
page-frag chunk.
Free the page before taking the error path, matching the put_page() the
other error exits of tun_xdp_one() already perform.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < d16e38fac09a47bfcf98c1ad65a1bb53f94540f5 (git)<br>Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < aa308e9dbb9acb17cacdbbce9e4504f69bac8385 (git)<br>Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < 4fefc6156a162a9f50035c12091a5e5130c82c6e (git)<br>Affected: 043d222f93ab8c76b56a3b315cd8692e35affb6c , < aa8963fdce667a42fb7f0bdd2909fadcab02f9a8 (git) | |
| Linux | Linux | Affected: 4.20<br>Unaffected: 0 , < 4.20 (semver)<br>Unaffected: 6.12.93 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.35 , ≤ 6.18.* (semver)<br>Unaffected: 7.0.12 , ≤ 7.0.* (semver)<br>Unaffected: 7.1-rc6 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d16e38fac09a47bfcf98c1ad65a1bb53f94540f5",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa308e9dbb9acb17cacdbbce9e4504f69bac8385",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "4fefc6156a162a9f50035c12091a5e5130c82c6e",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
},
{
"lessThan": "aa8963fdce667a42fb7f0bdd2909fadcab02f9a8",
"status": "affected",
"version": "043d222f93ab8c76b56a3b315cd8692e35affb6c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc6",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on build_skb failure in tun_xdp_one()\n\nWhen build_skb() fails in tun_xdp_one(), the function sets ret to\n-ENOMEM and jumps to the out label, which returns without freeing the\npage that vhost_net_build_xdp() allocated for the frame. As with the\nshort-frame rejection path, tun_sendmsg() discards the per-buffer error\nand still returns total_len, so vhost_tx_batch() takes the success path\nand never frees the page. Each build_skb() failure in a batch leaks one\npage-frag chunk.\n\nFree the page before taking the error path, matching the put_page() the\nother error exits of tun_xdp_one() already perform."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:14.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d16e38fac09a47bfcf98c1ad65a1bb53f94540f5"
},
{
"url": "https://git.kernel.org/stable/c/aa308e9dbb9acb17cacdbbce9e4504f69bac8385"
},
{
"url": "https://git.kernel.org/stable/c/4fefc6156a162a9f50035c12091a5e5130c82c6e"
},
{
"url": "https://git.kernel.org/stable/c/aa8963fdce667a42fb7f0bdd2909fadcab02f9a8"
}
],
"title": "tun: free page on build_skb failure in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46322",
"datePublished": "2026-06-09T12:11:14.776Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:14.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46321 (GCVE-0-2026-46321)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
tun: free page on short-frame rejection in tun_xdp_one()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tun: free page on short-frame rejection in tun_xdp_one()
tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without
freeing the page that vhost_net_build_xdp() allocated for it.
tun_sendmsg() discards that -EINVAL and still returns total_len, so
vhost_tx_batch() takes the success path and never frees the page; each
short frame in a batch leaks one page-frag chunk.
A local process that can open /dev/net/tun and /dev/vhost-net can hit
this path: it attaches a tun/tap device as the vhost-net backend and
feeds TX descriptors whose length minus the virtio-net header is below
ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a
tight submission loop exhausts host memory and triggers an OOM panic.
Free the page before returning -EINVAL, matching the XDP-program error
path in the same function.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 69863ff2720a0e9871f1a5710f2a33a94217fee0 (git)<br>Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 37a1c268c2c8090bf4dc552d732bd23ba36f8eb0 (git)<br>Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < 98c67be9eb9de72465a071949e84a3cdb8fab5a3 (git)<br>Affected: 049584807f1d797fc3078b68035450a9769eb5c3 , < f4feb1e20058e407cb00f45aff47f5b7e19a6bbf (git)<br>Affected: 32b0aaba5dbc85816898167d9b5d45a22eae82e9 (git)<br>Affected: 6100e0237204890269e3f934acfc50d35fd6f319 (git)<br>Affected: 589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 (git)<br>Affected: ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 (git)<br>Affected: d5ad89b7d01ed4e66fd04734fc63d6e78536692a (git)<br>Affected: a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb (git)<br>Affected: 8418f55302fa1d2eeb73e16e345167e545c598a5 (git)<br>Affected: 5.4.281 , < 5.5 (semver)<br>Affected: 5.10.223 , < 5.11 (semver)<br>Affected: 5.15.164 , < 5.16 (semver)<br>Affected: 6.1.102 , < 6.2 (semver)<br>Affected: 6.6.43 , < 6.7 (semver)<br>Affected: 6.9.12 , < 6.10 (semver)<br>Affected: 6.10.2 , < 6.11 (semver) | |
| Linux | Linux | Affected: 6.11<br>Unaffected: 0 , < 6.11 (semver)<br>Unaffected: 6.12.93 , ≤ 6.12.* (semver)<br>Unaffected: 6.18.35 , ≤ 6.18.* (semver)<br>Unaffected: 7.0.12 , ≤ 7.0.* (semver)<br>Unaffected: 7.1-rc6 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "69863ff2720a0e9871f1a5710f2a33a94217fee0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "37a1c268c2c8090bf4dc552d732bd23ba36f8eb0",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "98c67be9eb9de72465a071949e84a3cdb8fab5a3",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"lessThan": "f4feb1e20058e407cb00f45aff47f5b7e19a6bbf",
"status": "affected",
"version": "049584807f1d797fc3078b68035450a9769eb5c3",
"versionType": "git"
},
{
"status": "affected",
"version": "32b0aaba5dbc85816898167d9b5d45a22eae82e9",
"versionType": "git"
},
{
"status": "affected",
"version": "6100e0237204890269e3f934acfc50d35fd6f319",
"versionType": "git"
},
{
"status": "affected",
"version": "589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2",
"versionType": "git"
},
{
"status": "affected",
"version": "ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146",
"versionType": "git"
},
{
"status": "affected",
"version": "d5ad89b7d01ed4e66fd04734fc63d6e78536692a",
"versionType": "git"
},
{
"status": "affected",
"version": "a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb",
"versionType": "git"
},
{
"status": "affected",
"version": "8418f55302fa1d2eeb73e16e345167e545c598a5",
"versionType": "git"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.281",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.223",
"versionType": "semver"
},
{
"lessThan": "5.16",
"status": "affected",
"version": "5.15.164",
"versionType": "semver"
},
{
"lessThan": "6.2",
"status": "affected",
"version": "6.1.102",
"versionType": "semver"
},
{
"lessThan": "6.7",
"status": "affected",
"version": "6.6.43",
"versionType": "semver"
},
{
"lessThan": "6.10",
"status": "affected",
"version": "6.9.12",
"versionType": "semver"
},
{
"lessThan": "6.11",
"status": "affected",
"version": "6.10.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tun.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.102",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.6.43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.9.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: free page on short-frame rejection in tun_xdp_one()\n\ntun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\nfreeing the page that vhost_net_build_xdp() allocated for it.\ntun_sendmsg() discards that -EINVAL and still returns total_len, so\nvhost_tx_batch() takes the success path and never frees the page; each\nshort frame in a batch leaks one page-frag chunk.\n\nA local process that can open /dev/net/tun and /dev/vhost-net can hit\nthis path: it attaches a tun/tap device as the vhost-net backend and\nfeeds TX descriptors whose length minus the virtio-net header is below\nETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\ntight submission loop exhausts host memory and triggers an OOM panic.\nFree the page before returning -EINVAL, matching the XDP-program error\npath in the same function."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:13.872Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/69863ff2720a0e9871f1a5710f2a33a94217fee0"
},
{
"url": "https://git.kernel.org/stable/c/37a1c268c2c8090bf4dc552d732bd23ba36f8eb0"
},
{
"url": "https://git.kernel.org/stable/c/98c67be9eb9de72465a071949e84a3cdb8fab5a3"
},
{
"url": "https://git.kernel.org/stable/c/f4feb1e20058e407cb00f45aff47f5b7e19a6bbf"
}
],
"title": "tun: free page on short-frame rejection in tun_xdp_one()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46321",
"datePublished": "2026-06-09T12:11:13.872Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:13.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46320 (GCVE-0-2026-46320)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
tap: free page on error paths in tap_get_user_xdp()
Summary
In the Linux kernel, the following vulnerability has been resolved:
tap: free page on error paths in tap_get_user_xdp()
tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,
and returns -ENOMEM when build_skb() fails. Both paths jump to the err
label without freeing the page that vhost_net_build_xdp() allocated for
the frame. tap_sendmsg() discards the per-buffer return value and always
returns 0, so vhost_tx_batch() takes the success path and never frees
the page; each rejected frame in a batch leaks one page-frag chunk.
Free the page on both error paths, before the skb is built. This is the
tap counterpart of the same leak in tun_xdp_one().
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 18a84c35842e19cd3c5534d8cee73d31863f696d (git)<br>Affected: 0efac27791ee068075d80f07c55a229b1335ce12 , < 3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2 (git) | |
| Linux | Linux | Affected: 4.20<br>Unaffected: 0 , < 4.20 (semver)<br>Unaffected: 7.0.12 , ≤ 7.0.* (semver)<br>Unaffected: 7.1-rc6 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18a84c35842e19cd3c5534d8cee73d31863f696d",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
},
{
"lessThan": "3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2",
"status": "affected",
"version": "0efac27791ee068075d80f07c55a229b1335ce12",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/tap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc6",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntap: free page on error paths in tap_get_user_xdp()\n\ntap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL,\nand returns -ENOMEM when build_skb() fails. Both paths jump to the err\nlabel without freeing the page that vhost_net_build_xdp() allocated for\nthe frame. tap_sendmsg() discards the per-buffer return value and always\nreturns 0, so vhost_tx_batch() takes the success path and never frees\nthe page; each rejected frame in a batch leaks one page-frag chunk.\n\nFree the page on both error paths, before the skb is built. This is the\ntap counterpart of the same leak in tun_xdp_one()."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:12.882Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18a84c35842e19cd3c5534d8cee73d31863f696d"
},
{
"url": "https://git.kernel.org/stable/c/3bcf7aec6a9d16438f2cec29f5d7c8d5b8edf9b2"
}
],
"title": "tap: free page on error paths in tap_get_user_xdp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46320",
"datePublished": "2026-06-09T12:11:12.882Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:12.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46319 (GCVE-0-2026-46319)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
net/sched: act_ct: Only release RCU read lock after ct_ft
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ct: Only release RCU read lock after ct_ft
When looking up a flow table in act_ct in tcf_ct_flow_table_get(),
rhashtable_lookup_fast() internally opens and closes an RCU read critical
section before returning ct_ft.
The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()
is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft
object. This vulnerability can lead to privilege escalation.
Analysis from zdi-disclosures@trendmicro.com:
When initializing act_ct, tcf_ct_init() is called, which internally triggers
tcf_ct_flow_table_get().

    static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)
    {
        struct zones_ht_key key = { .net = net, .zone = params->zone };
        struct tcf_ct_flow_table *ct_ft;
        int err = -ENOMEM;

        mutex_lock(&zones_mutex);
        ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1]
        if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2]
            goto out_unlock;
        ...
    }

    static __always_inline void *rhashtable_lookup_fast(
        struct rhashtable *ht, const void *key,
        const struct rhashtable_params params)
    {
        void *obj;

        rcu_read_lock();
        obj = rhashtable_lookup(ht, key, params);
        rcu_read_unlock();

        return obj;
    }

At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft
from zones_ht. The lookup is performed within an RCU read critical section
through rcu_read_lock() / rcu_read_unlock(), which prevents the object from
being freed. However, at the point of function return, rcu_read_unlock() has
already been called, and there is nothing preventing ct_ft from being freed
before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes
the race window, during which ct_ft can be freed.
Free Process:
tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()
tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().
static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)
{
if (refcount_dec_and_test(&ct_ft->ref)) {
rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params);
INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3]
queue_rcu_work(act_ct_wq, &ct_ft->rwork);
}
}
At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work
static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
{
struct tcf_ct_flow_table *ct_ft;
struct flow_block *block;
ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
rwork);
nf_flow_table_free(&ct_ft->nf_ft);
block = &ct_ft->nf_ft.flow_block;
down_write(&ct_ft->nf_ft.flow_block_lock);
WARN_ON(!list_empty(&block->cb_list));
up_write(&ct_ft->nf_ft.flow_block_lock);
kfree(ct_ft); // [4]
module_put(THIS_MODULE);
}
tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes
between [1] and [2], UAF occurs.
This race condition has a very short race window, making it generally
difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was
inserted after[1]
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < ece578ca61e572df96cfc80456357ebfae0b4b9e (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < a2e0c045c87aa252eb61412e67dd91f2c2b19f81 (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 67c9ecc9f2575273ed1323e312881fc98ac83d6d (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f23424a0ddadb494d4bd57056a7ca703312d3a7b (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 17dfb67cb399b660105d9a8c6100851c0d0cdc70 (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 4c727c6967a41b37efe0f26332ca9ec5b74785a3 (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < 3e20e1b3058e0b94638e7b931c138e840e266724 (git); Affected: 138470a9b2cc2e26e6018300394afc3858a54e6a , < f462dca0c8415bf0058d0ffa476354c4476d0f09 (git) |
| Linux | Linux | Affected: 5.7; Unaffected: 0 , < 5.7 (semver); Unaffected: 5.10.258 , ≤ 5.10.* (semver); Unaffected: 5.15.209 , ≤ 5.15.* (semver); Unaffected: 6.1.175 , ≤ 6.1.* (semver); Unaffected: 6.6.141 , ≤ 6.6.* (semver); Unaffected: 6.12.91 , ≤ 6.12.* (semver); Unaffected: 6.18.33 , ≤ 6.18.* (semver); Unaffected: 7.0.10 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ece578ca61e572df96cfc80456357ebfae0b4b9e",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "a2e0c045c87aa252eb61412e67dd91f2c2b19f81",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "67c9ecc9f2575273ed1323e312881fc98ac83d6d",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f23424a0ddadb494d4bd57056a7ca703312d3a7b",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "17dfb67cb399b660105d9a8c6100851c0d0cdc70",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "4c727c6967a41b37efe0f26332ca9ec5b74785a3",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "3e20e1b3058e0b94638e7b931c138e840e266724",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
},
{
"lessThan": "f462dca0c8415bf0058d0ffa476354c4476d0f09",
"status": "affected",
"version": "138470a9b2cc2e26e6018300394afc3858a54e6a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/act_ct.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.141",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.91",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.10",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: Only release RCU read lock after ct_ft\n\nWhen looking up a flow table in act_ct in tcf_ct_flow_table_get(),\nrhashtable_lookup_fast() internally opens and closes an RCU read critical\nsection before returning ct_ft.\nThe tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero()\nis invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft\nobject. This vulnerability can lead to privilege escalation.\n\nAnalysis from zdi-disclosures@trendmicro.com:\nWhen initializing act_ct, tcf_ct_init() is called, which internally triggers\ntcf_ct_flow_table_get().\n\nstatic int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params)\n\n{\n struct zones_ht_key key = { .net = net, .zone = params-\u003ezone };\n struct tcf_ct_flow_table *ct_ft;\n int err = -ENOMEM;\n\n mutex_lock(\u0026zones_mutex);\n ct_ft = rhashtable_lookup_fast(\u0026zones_ht, \u0026key, zones_params); // [1]\n if (ct_ft \u0026\u0026 refcount_inc_not_zero(\u0026ct_ft-\u003eref)) // [2]\n goto out_unlock;\n ...\n}\n\nstatic __always_inline void *rhashtable_lookup_fast(\n struct rhashtable *ht, const void *key,\n const struct rhashtable_params params)\n{\n void *obj;\n\n rcu_read_lock();\n obj = rhashtable_lookup(ht, key, params);\n rcu_read_unlock();\n\n return obj;\n}\n\nAt [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft\nfrom zones_ht . The lookup is performed within an RCU read critical section\nthrough rcu_read_lock() / rcu_read_unlock(), which prevents the object from\nbeing freed. However, at the point of function return, rcu_read_unlock() has\nalready been called, and there is nothing preventing ct_ft from being freed\nbefore reaching refcount_inc_not_zero(\u0026ct_ft-\u003eref) at [2]. 
This interval becomes\nthe race window, during which ct_ft can be freed.\n\nFree Process:\n\ntcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu()\ntcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put().\n\nstatic void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft)\n{\n if (refcount_dec_and_test(\u0026ct_ft-\u003eref)) {\n rhashtable_remove_fast(\u0026zones_ht, \u0026ct_ft-\u003enode, zones_params);\n INIT_RCU_WORK(\u0026ct_ft-\u003erwork, tcf_ct_flow_table_cleanup_work); // [3]\n queue_rcu_work(act_ct_wq, \u0026ct_ft-\u003erwork);\n }\n}\n\nAt [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work\n\nstatic void tcf_ct_flow_table_cleanup_work(struct work_struct *work)\n\n{\n struct tcf_ct_flow_table *ct_ft;\n struct flow_block *block;\n\n ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,\n rwork);\n nf_flow_table_free(\u0026ct_ft-\u003enf_ft);\n block = \u0026ct_ft-\u003enf_ft.flow_block;\n down_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n WARN_ON(!list_empty(\u0026block-\u003ecb_list));\n up_write(\u0026ct_ft-\u003enf_ft.flow_block_lock);\n kfree(ct_ft); // [4]\n\n module_put(THIS_MODULE);\n}\n\ntcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes\nbetween [1] and [2], UAF occurs.\n\nThis race condition has a very short race window, making it generally\ndifficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was\ninserted after[1]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:12.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ece578ca61e572df96cfc80456357ebfae0b4b9e"
},
{
"url": "https://git.kernel.org/stable/c/a2e0c045c87aa252eb61412e67dd91f2c2b19f81"
},
{
"url": "https://git.kernel.org/stable/c/67c9ecc9f2575273ed1323e312881fc98ac83d6d"
},
{
"url": "https://git.kernel.org/stable/c/f23424a0ddadb494d4bd57056a7ca703312d3a7b"
},
{
"url": "https://git.kernel.org/stable/c/17dfb67cb399b660105d9a8c6100851c0d0cdc70"
},
{
"url": "https://git.kernel.org/stable/c/4c727c6967a41b37efe0f26332ca9ec5b74785a3"
},
{
"url": "https://git.kernel.org/stable/c/3e20e1b3058e0b94638e7b931c138e840e266724"
},
{
"url": "https://git.kernel.org/stable/c/f462dca0c8415bf0058d0ffa476354c4476d0f09"
}
],
"title": "net/sched: act_ct: Only release RCU read lock after ct_ft",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46319",
"datePublished": "2026-06-09T12:11:12.128Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:12.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46318 (GCVE-0-2026-46318)
Vulnerability from cvelistv5 – Published: 2026-06-09 12:11 – Updated: 2026-06-09 12:11
Title
Revert "mm/hugetlbfs: update hugetlbfs to use mmap_prepare"
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "mm/hugetlbfs: update hugetlbfs to use mmap_prepare"
This reverts commit ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use
mmap_prepare") with conflict resolution to account for changes in commit
ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use mmap_prepare").
The patch incorrectly handled hugetlb VMA lock allocation at the
mmap_prepare stage, where a failed allocation occurring after mmap_prepare
is called might result in the lock leaking.
There is no risk of a merge causing a similar issue, as
VMA_DONTEXPAND_BIT is set for hugetlb mappings.
As a first step in addressing this issue, simply revert the change so we
can rework how we do this having corrected the underlying issues.
We maintain the VMA flags changes as best we can, accounting for the fact
that we were working with a VMA descriptor previously and propagating
like-for-like changes for this.
Note that we invoke vma_set_flags() and do not call vma_start_write() as
vm_flags_set() does. This is OK as it's being done in an .mmap hook where
the VMA is not yet linked into the tree so nobody else can be accessing
it.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ea52cb24cd3fb121283754ab82b2cb3044609359 , < 3af5fc3f0ac98c624c109c8c0796fa46e814344c (git); Affected: ea52cb24cd3fb121283754ab82b2cb3044609359 , < 83f9efcce93f8574be2279090ee2aec58b86cda7 (git) |
| Linux | Linux | Affected: 6.19; Unaffected: 0 , < 6.19 (semver); Unaffected: 7.0.12 , ≤ 7.0.* (semver); Unaffected: 7.1-rc6 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c",
"include/linux/hugetlb.h",
"include/linux/hugetlb_inline.h",
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3af5fc3f0ac98c624c109c8c0796fa46e814344c",
"status": "affected",
"version": "ea52cb24cd3fb121283754ab82b2cb3044609359",
"versionType": "git"
},
{
"lessThan": "83f9efcce93f8574be2279090ee2aec58b86cda7",
"status": "affected",
"version": "ea52cb24cd3fb121283754ab82b2cb3044609359",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/hugetlbfs/inode.c",
"include/linux/hugetlb.h",
"include/linux/hugetlb_inline.h",
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.19"
},
{
"lessThan": "6.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc6",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc6",
"versionStartIncluding": "6.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"\n\nThis reverts commit ea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use\nmmap_prepare\") with conflict resolution to account for changes in commit\nea52cb24cd3f (\"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\").\n\nThe patch incorrectly handled hugetlb VMA lock allocation at the\nmmap_prepare stage, where a failed allocation occurring after mmap_prepare\nis called might result in the lock leaking.\n\nThere is no risk of a merge causing a similar issues, as\nVMA_DONTEXPAND_BIT is set for hugetlb mappings.\n\nAs a first step in addressing this issue, simply revert the change so we\ncan rework how we do this having corrected the underlying issues.\n\nWe maintain the VMA flags changes as best we can, accounting for the fact\nthat we were working with a VMA descriptor previously and propagating\nlike-for-like changes for this.\n\nNote that we invoke vma_set_flags() and do not call vma_start_write() as\nvm_flags_set() does. This is OK as it\u0027s being done in an .mmap hook where\nthe VMA is not yet linked into the tree so nobody else can be accessing\nit."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:11:11.181Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3af5fc3f0ac98c624c109c8c0796fa46e814344c"
},
{
"url": "https://git.kernel.org/stable/c/83f9efcce93f8574be2279090ee2aec58b86cda7"
}
],
"title": "Revert \"mm/hugetlbfs: update hugetlbfs to use mmap_prepare\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46318",
"datePublished": "2026-06-09T12:11:11.181Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T12:11:11.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46317 (GCVE-0-2026-46317)
Vulnerability from cvelistv5 – Published: 2026-06-09 11:52 – Updated: 2026-06-09 11:52
Title
KVM: arm64: Reassign nested_mmus array behind mmu_lock
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Reassign nested_mmus array behind mmu_lock
kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the
MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which
can run at any time. kvm_vcpu_init_nested() reallocates the array and frees
the old buffer while holding only kvm->arch.config_lock, so such a walker
can reference the freed array.
Allocate the new array outside of mmu_lock, as the allocation can sleep.
Under the lock, copy the existing entries, fix up the back pointers and
reassign the array. Free the old buffer after dropping the lock, as
kvfree() can sleep as well.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 918450ad6010df6ecd2efde12a1409e011da22d6 (git); Affected: 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 4424dbcb06d68e34e51c019a5781a7dc00731971 (git); Affected: 4f128f8e1aaac189f83d0f828bcdb2986d8d2e51 , < 70543358fa08e0f7cebc3447c3b70fe97ad7aaa8 (git) |
| Linux | Linux | Affected: 6.11; Unaffected: 0 , < 6.11 (semver); Unaffected: 6.18.35 , ≤ 6.18.* (semver); Unaffected: 7.0.12 , ≤ 7.0.* (semver); Unaffected: 7.1-rc7 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "918450ad6010df6ecd2efde12a1409e011da22d6",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
},
{
"lessThan": "4424dbcb06d68e34e51c019a5781a7dc00731971",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
},
{
"lessThan": "70543358fa08e0f7cebc3447c3b70fe97ad7aaa8",
"status": "affected",
"version": "4f128f8e1aaac189f83d0f828bcdb2986d8d2e51",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/nested.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc7",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Reassign nested_mmus array behind mmu_lock\n\nkvm-\u003earch.nested_mmus[] is walked under kvm-\u003emmu_lock, including from the\nMMU notifier path (kvm_unmap_gfn_range() -\u003e kvm_nested_s2_unmap()), which\ncan run at any time. kvm_vcpu_init_nested() reallocates the array and frees\nthe old buffer while holding only kvm-\u003earch.config_lock, so such a walker\ncan reference the freed array.\n\nAllocate the new array outside of mmu_lock, as the allocation can sleep.\nUnder the lock, copy the existing entries, fix up the back pointers and\nreassign the array. Free the old buffer after dropping the lock, as\nkvfree() can sleep as well."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:52:30.333Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/918450ad6010df6ecd2efde12a1409e011da22d6"
},
{
"url": "https://git.kernel.org/stable/c/4424dbcb06d68e34e51c019a5781a7dc00731971"
},
{
"url": "https://git.kernel.org/stable/c/70543358fa08e0f7cebc3447c3b70fe97ad7aaa8"
}
],
"title": "KVM: arm64: Reassign nested_mmus array behind mmu_lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46317",
"datePublished": "2026-06-09T11:52:30.333Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T11:52:30.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46316 (GCVE-0-2026-46316)
Vulnerability from cvelistv5 – Published: 2026-06-09 11:52 – Updated: 2026-06-09 11:52
Title
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
vgic_its_invalidate_cache() walks the per-ITS translation cache with
xa_for_each() and drops the cache's reference on each entry with
vgic_put_irq(). It puts the iterated pointer, though, rather than the
value returned by xa_erase().
The function is called from contexts that do not exclude one another: the
ITS command handlers hold its_lock, the GITS_CTLR write path holds
cmd_lock, and the path that clears EnableLPIs in a redistributor's
GICR_CTLR holds neither. Two or more of them can drain the same cache
concurrently, and if each one observes the same entry, erases it and then
puts it, the single reference the cache holds on that entry is dropped
more than once. The entry can then be freed while an ITE still maps it.
xa_erase() is atomic and returns the previous entry, so put only the entry
that this context actually removed. The cache reference is then dropped
exactly once per entry even when the invalidations run concurrently, and
the behavior is unchanged when only one context runs.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < b7b72e88046328c9fdc638fe887d4240257dd5dc (git); Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 2bbc395e81bd29c543a0529a678327e932a7ec69 (git); Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 9121f4605ab94969f62d1b5714ca3c6c69bd202f (git); Affected: 8201d1028caa4fae88e222c4e8cf541fdf45b821 , < 13031fb6b8357fbbcded2a7f4cba73e4781ee594 (git) |
| Linux | Linux | Affected: 6.10; Unaffected: 0 , < 6.10 (semver); Unaffected: 6.12.93 , ≤ 6.12.* (semver); Unaffected: 6.18.35 , ≤ 6.18.* (semver); Unaffected: 7.0.12 , ≤ 7.0.* (semver); Unaffected: 7.1-rc7 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b7b72e88046328c9fdc638fe887d4240257dd5dc",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "2bbc395e81bd29c543a0529a678327e932a7ec69",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "9121f4605ab94969f62d1b5714ca3c6c69bd202f",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
},
{
"lessThan": "13031fb6b8357fbbcded2a7f4cba73e4781ee594",
"status": "affected",
"version": "8201d1028caa4fae88e222c4e8cf541fdf45b821",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/kvm/vgic/vgic-its.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.93",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.35",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.12",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc7",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry\n\nvgic_its_invalidate_cache() walks the per-ITS translation cache with\nxa_for_each() and drops the cache\u0027s reference on each entry with\nvgic_put_irq(). It puts the iterated pointer, though, rather than the\nvalue returned by xa_erase().\n\nThe function is called from contexts that do not exclude one another: the\nITS command handlers hold its_lock, the GITS_CTLR write path holds\ncmd_lock, and the path that clears EnableLPIs in a redistributor\u0027s\nGICR_CTLR holds neither. Two or more of them can drain the same cache\nconcurrently, and if each one observes the same entry, erases it and then\nputs it, the single reference the cache holds on that entry is dropped\nmore than once. The entry can then be freed while an ITE still maps it.\n\nxa_erase() is atomic and returns the previous entry, so put only the entry\nthat this context actually removed. The cache reference is then dropped\nexactly once per entry even when the invalidations run concurrently, and\nthe behavior is unchanged when only one context runs."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:52:29.349Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b7b72e88046328c9fdc638fe887d4240257dd5dc"
},
{
"url": "https://git.kernel.org/stable/c/2bbc395e81bd29c543a0529a678327e932a7ec69"
},
{
"url": "https://git.kernel.org/stable/c/9121f4605ab94969f62d1b5714ca3c6c69bd202f"
},
{
"url": "https://git.kernel.org/stable/c/13031fb6b8357fbbcded2a7f4cba73e4781ee594"
}
],
"title": "KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46316",
"datePublished": "2026-06-09T11:52:29.349Z",
"dateReserved": "2026-05-13T15:03:33.112Z",
"dateUpdated": "2026-06-09T11:52:29.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46315 (GCVE-0-2026-46315)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:38 – Updated: 2026-06-09 07:38
Title
io_uring/waitid: clear waitid info before copying it to userspace
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/waitid: clear waitid info before copying it to userspace
IORING_OP_WAITID stores its result fields in struct io_waitid::info and
later copies them to userspace siginfo. The prep path initializes the
request arguments, but it does not initialize info itself.
If the wait operation completes without reporting a child event, the common
wait code can return without writing wo_info. In that case io_waitid_finish()
still copies iw->info to userspace, exposing stale bytes from the reused
io_kiocb command storage.
Clear the result storage during prep so the io_uring path matches the
regular waitid syscall, which uses a zero-initialized struct waitid_info.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 954518e5a4a5efc5033253f6e36fc7b9f98363a3 (git); Affected: f31ecf671ddc498f20219453395794ff2383e06b , < b737c6612c60c23b40a9f31749b99e6f61943847 (git); Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 4d2a0de611ab60d02fc768ae0cd5918b16bd5474 (git); Affected: f31ecf671ddc498f20219453395794ff2383e06b , < 93d93f5f8da791e98159795c6ef683f45bd95d13 (git) |
| Linux | Linux | Affected: 6.7; Unaffected: 0 , < 6.7 (semver); Unaffected: 6.12.92 , ≤ 6.12.* (semver); Unaffected: 6.18.34 , ≤ 6.18.* (semver); Unaffected: 7.0.11 , ≤ 7.0.* (semver); Unaffected: 7.1-rc5 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "954518e5a4a5efc5033253f6e36fc7b9f98363a3",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "b737c6612c60c23b40a9f31749b99e6f61943847",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "4d2a0de611ab60d02fc768ae0cd5918b16bd5474",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
},
{
"lessThan": "93d93f5f8da791e98159795c6ef683f45bd95d13",
"status": "affected",
"version": "f31ecf671ddc498f20219453395794ff2383e06b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"io_uring/waitid.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.92",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.34",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.11",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc5",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/waitid: clear waitid info before copying it to userspace\n\nIORING_OP_WAITID stores its result fields in struct io_waitid::info and\nlater copies them to userspace siginfo. The prep path initializes the\nrequest arguments, but it does not initialize info itself.\n\nIf the wait operation completes without reporting a child event, the common\nwait code can return without writing wo_info. In that case io_waitid_finish()\nstill copies iw-\u003einfo to userspace, exposing stale bytes from the reused\nio_kiocb command storage.\n\nClear the result storage during prep so the io_uring path matches the\nregular waitid syscall, which uses a zero-initialized struct waitid_info."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:38:13.713Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/954518e5a4a5efc5033253f6e36fc7b9f98363a3"
},
{
"url": "https://git.kernel.org/stable/c/b737c6612c60c23b40a9f31749b99e6f61943847"
},
{
"url": "https://git.kernel.org/stable/c/4d2a0de611ab60d02fc768ae0cd5918b16bd5474"
},
{
"url": "https://git.kernel.org/stable/c/93d93f5f8da791e98159795c6ef683f45bd95d13"
}
],
"title": "io_uring/waitid: clear waitid info before copying it to userspace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46315",
"datePublished": "2026-06-09T07:38:13.713Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-09T07:38:13.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46314 (GCVE-0-2026-46314)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-08 15:50
Title
drm/v3d: Reject empty multisync extension to prevent infinite loop
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/v3d: Reject empty multisync extension to prevent infinite loop
v3d_get_extensions() walks a userspace-provided singly-linked list of
ioctl extensions without any bound on the chain length. A local user
can craft a self-referential extension (ext->next == &ext) with zero
in_sync_count and out_sync_count, which bypasses the existing duplicate-
extension guard:
    if (se->in_sync_count || se->out_sync_count)
        return -EINVAL;
The guard never fires because v3d_get_multisync_post_deps() returns
immediately when count is zero, leaving both fields at zero on every
iteration. The result is an infinite loop in kernel context, blocking
the calling thread and pegging a CPU core indefinitely.
Fix this by rejecting a multisync extension where both in_sync_count
and out_sync_count are zero in v3d_get_multisync_submit_deps(). An
empty multisync carries no synchronization information and serves no
useful purpose, so returning -EINVAL for such an extension is the
correct defense against this attack vector.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: e4165ae8304e5ea822fbe5909dd3be5445c058b7 , < 4fa42a249e8cd6ed17aea04e5695b6e9001f2433 (git); Affected: e4165ae8304e5ea822fbe5909dd3be5445c058b7 , < 9c5164781cb388d219d8f49fa0f0b04cf86ad544 (git); Affected: e4165ae8304e5ea822fbe5909dd3be5445c058b7 , < fb44d589bf3148e13452185a6e772a7efbf2d684 (git) | |
| Linux | Linux | Affected: 5.16; Unaffected: 0 , < 5.16 (semver); Unaffected: 6.18.33 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4fa42a249e8cd6ed17aea04e5695b6e9001f2433",
"status": "affected",
"version": "e4165ae8304e5ea822fbe5909dd3be5445c058b7",
"versionType": "git"
},
{
"lessThan": "9c5164781cb388d219d8f49fa0f0b04cf86ad544",
"status": "affected",
"version": "e4165ae8304e5ea822fbe5909dd3be5445c058b7",
"versionType": "git"
},
{
"lessThan": "fb44d589bf3148e13452185a6e772a7efbf2d684",
"status": "affected",
"version": "e4165ae8304e5ea822fbe5909dd3be5445c058b7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/v3d/v3d_submit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.33",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.33",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/v3d: Reject empty multisync extension to prevent infinite loop\n\nv3d_get_extensions() walks a userspace-provided singly-linked list of\nioctl extensions without any bound on the chain length. A local user\ncan craft a self-referential extension (ext-\u003enext == \u0026ext) with zero\nin_sync_count and out_sync_count, which bypasses the existing duplicate-\nextension guard:\n\n if (se-\u003ein_sync_count || se-\u003eout_sync_count)\n return -EINVAL;\n\nThe guard never fires because v3d_get_multisync_post_deps() returns\nimmediately when count is zero, leaving both fields at zero on every\niteration. The result is an infinite loop in kernel context, blocking\nthe calling thread and pegging a CPU core indefinitely.\n\nFix this by rejecting a multisync extension where both in_sync_count\nand out_sync_count are zero in v3d_get_multisync_submit_deps(). An\nempty multisync carries no synchronization information and serves no\nuseful purpose, so returning -EINVAL for such an extension is the\ncorrect defense against this attack vector."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:50:45.305Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4fa42a249e8cd6ed17aea04e5695b6e9001f2433"
},
{
"url": "https://git.kernel.org/stable/c/9c5164781cb388d219d8f49fa0f0b04cf86ad544"
},
{
"url": "https://git.kernel.org/stable/c/fb44d589bf3148e13452185a6e772a7efbf2d684"
}
],
"title": "drm/v3d: Reject empty multisync extension to prevent infinite loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46314",
"datePublished": "2026-06-08T15:50:45.305Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:50:45.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46313 (GCVE-0-2026-46313)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-08 15:50
Title
media: intel/ipu6: fix error pointer dereference
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: intel/ipu6: fix error pointer dereference
In an error path isp->psys is confirmed to be an error pointer, not NULL, so
this condition is true and the error pointer is dereferenced. So isp->psys
should be set to NULL before going to out_ipu6_bus_del_devices.
Detected by Smatch:
drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error:
'isp->psys' dereferencing possible ERR_PTR()
[Sakari Ailus: Fix commit message.]
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 25fedc021985a66a357a599ab771d6b495b6f78c , < fad134c446189e9bb48cea1a5ca426d2889a9c71 (git); Affected: 25fedc021985a66a357a599ab771d6b495b6f78c , < f43e30646fc93799f3f48530d0ccbd52902c0541 (git); Affected: 25fedc021985a66a357a599ab771d6b495b6f78c , < c352f90e093ae49902e47f41579e1aa41899ff64 (git); Affected: 25fedc021985a66a357a599ab771d6b495b6f78c , < 8dd088b8b106f7b119664f965b691785998edcfb (git) | |
| Linux | Linux | Affected: 6.10; Unaffected: 0 , < 6.10 (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ipu6/ipu6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fad134c446189e9bb48cea1a5ca426d2889a9c71",
"status": "affected",
"version": "25fedc021985a66a357a599ab771d6b495b6f78c",
"versionType": "git"
},
{
"lessThan": "f43e30646fc93799f3f48530d0ccbd52902c0541",
"status": "affected",
"version": "25fedc021985a66a357a599ab771d6b495b6f78c",
"versionType": "git"
},
{
"lessThan": "c352f90e093ae49902e47f41579e1aa41899ff64",
"status": "affected",
"version": "25fedc021985a66a357a599ab771d6b495b6f78c",
"versionType": "git"
},
{
"lessThan": "8dd088b8b106f7b119664f965b691785998edcfb",
"status": "affected",
"version": "25fedc021985a66a357a599ab771d6b495b6f78c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/pci/intel/ipu6/ipu6.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: intel/ipu6: fix error pointer dereference\n\nIn a error path isp-\u003epsys is confirmed to be an error pointer not NULL so\nthis condition is true and the error pointer is dereferenced. So isp-psys\nshould be set to NULL before going to out_ipu6_bus_del_devices.\n\nDetected by Smatch:\ndrivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error:\n\u0027isp-\u003epsys\u0027 dereferencing possible ERR_PTR()\n\n[Sakari Ailus: Fix commit message.]"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:50:44.065Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fad134c446189e9bb48cea1a5ca426d2889a9c71"
},
{
"url": "https://git.kernel.org/stable/c/f43e30646fc93799f3f48530d0ccbd52902c0541"
},
{
"url": "https://git.kernel.org/stable/c/c352f90e093ae49902e47f41579e1aa41899ff64"
},
{
"url": "https://git.kernel.org/stable/c/8dd088b8b106f7b119664f965b691785998edcfb"
}
],
"title": "media: intel/ipu6: fix error pointer dereference",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46313",
"datePublished": "2026-06-08T15:50:44.065Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:50:44.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46312 (GCVE-0-2026-46312)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-08 15:50
Title
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not
see a reason why vb2_dma_sg should behave differently. This avoids
hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in
drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of
tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.
gst-launch-1.0 v4l2src ! gtk4paintablesink
[ 38.201528] ------------[ cut here ]------------
[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210
[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer
snd_seq snd_seq_device uinput nf_conntrack_netbios_ns
nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat
nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep
nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc
hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic
cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev
aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2
snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor
macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi
macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3
snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon
apple_sart apple_dockchannel macsmc apple_rtkit_helper
spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses
pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core
spi_apple
[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram
[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)
[ 38.219040] Tainted: [W]=WARN
[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210
[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210
[ 38.222178] sp : ffffc0008dc678e0
[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480
[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968
[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0
[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968
[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8
[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff
[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8
[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000
[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038
[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb
[ 38.231488] Call trace:
[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)
[ 38.232342] drm_gem_mmap+0x140/0x260
[ 38.232813] __mmap_region+0x488/0x9a0
[ 38.233277] mmap_region+0xd0/0x148
[ 38.233703] do_mmap+0x350/0x5c0
[ 38.234148] vm_mmap_pgoff+0x14c/0x200
[ 38.234612] ksys_mmap_pgoff+0x150/0x208
[ 38.235107] __arm64_sys_mmap+0x34/0x50
[ 38.235611] invoke_syscall+0x50/0x120
[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0
[ 38.236680] do_el0_svc+0x24/0x38
[ 38.237113] el0_svc+0x38/0x168
[ 38.237507] el0t_64_sync_handler+0xa0/0xe8
[ 38.238034] el0t_64_sync+0x198/0x1a0
[ 38.238491] ---[ end trace 0000000000000000 ]---
There were discussions in [1] at the end of 2023 that mmap() on imported
---truncated---
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < feb17524aa4ec337749344be0db52b88663e25ab (git); Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 1a1360264f699521e001e7739009ee3ee3c6a4f5 (git); Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 21fade52ab9fb13368a5709e60b0d9909197aeae (git); Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < b4cf91658a636618f1437beec971dec25dec28eb (git); Affected: 5ba3f757f0592ca001266b4a6214d0332349909c , < 7254b31a13aaa0c2c0f9ffbc335b718656117ff4 (git) | |
| Linux | Linux | Affected: 2.6.39; Unaffected: 0 , < 2.6.39 (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.90 , ≤ 6.12.* (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "feb17524aa4ec337749344be0db52b88663e25ab",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "1a1360264f699521e001e7739009ee3ee3c6a4f5",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "21fade52ab9fb13368a5709e60b0d9909197aeae",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "b4cf91658a636618f1437beec971dec25dec28eb",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
},
{
"lessThan": "7254b31a13aaa0c2c0f9ffbc335b718656117ff4",
"status": "affected",
"version": "5ba3f757f0592ca001266b4a6214d0332349909c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/common/videobuf2/videobuf2-dma-sg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: Set vma_flags in vb2_dma_sg_mmap\n\nvb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not\nsee a reason why vb2_dma_sg should behave differently. This avoids\nhitting `WARN_ON(!(vma-\u003evm_flags \u0026 VM_DONTEXPAND));` in\ndrm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of\ntree Apple ISP camera capture driver which uses vb2_dma_sg_memops.\n\ngst-launch-1.0 v4l2src ! gtk4paintablesink\n\n[ 38.201528] ------------[ cut here ]------------\n[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210\n[ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer\nsnd_seq snd_seq_device uinput nf_conntrack_netbios_ns\nnf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib\nnft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat\nnf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep\nnls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc\nhid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic\ncfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev\naop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2\nsnd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor\nmacsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi\nmacsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3\nsnd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon\napple_sart apple_dockchannel macsmc apple_rtkit_helper\nspmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses\npinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core\nspi_apple\n[ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart 
apple_soc_cpufreq leds_pwm phram\n[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)\n[ 38.219040] Tainted: [W]=WARN\n[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)\n[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210\n[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210\n[ 38.222178] sp : ffffc0008dc678e0\n[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480\n[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968\n[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0\n[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968\n[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8\n[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff\n[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8\n[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000\n[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038\n[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb\n[ 38.231488] Call trace:\n[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)\n[ 38.232342] drm_gem_mmap+0x140/0x260\n[ 38.232813] __mmap_region+0x488/0x9a0\n[ 38.233277] mmap_region+0xd0/0x148\n[ 38.233703] do_mmap+0x350/0x5c0\n[ 38.234148] vm_mmap_pgoff+0x14c/0x200\n[ 38.234612] ksys_mmap_pgoff+0x150/0x208\n[ 38.235107] __arm64_sys_mmap+0x34/0x50\n[ 38.235611] invoke_syscall+0x50/0x120\n[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0\n[ 38.236680] do_el0_svc+0x24/0x38\n[ 38.237113] el0_svc+0x38/0x168\n[ 38.237507] el0t_64_sync_handler+0xa0/0xe8\n[ 38.238034] el0t_64_sync+0x198/0x1a0\n[ 38.238491] ---[ end trace 0000000000000000 ]---\n\nThere were discussions in [1] at the end of 2023 that mmap() on imported\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:50:42.964Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/feb17524aa4ec337749344be0db52b88663e25ab"
},
{
"url": "https://git.kernel.org/stable/c/1a1360264f699521e001e7739009ee3ee3c6a4f5"
},
{
"url": "https://git.kernel.org/stable/c/21fade52ab9fb13368a5709e60b0d9909197aeae"
},
{
"url": "https://git.kernel.org/stable/c/b4cf91658a636618f1437beec971dec25dec28eb"
},
{
"url": "https://git.kernel.org/stable/c/7254b31a13aaa0c2c0f9ffbc335b718656117ff4"
}
],
"title": "media: videobuf2: Set vma_flags in vb2_dma_sg_mmap",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46312",
"datePublished": "2026-06-08T15:50:42.964Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:50:42.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46311 (GCVE-0-2026-46311)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-09 07:37
Title
drm/amdgpu/userq: fix access to stale wptr mapping
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: fix access to stale wptr mapping
Use drm_exec to take both locks, i.e. the vm root bo and
the wptr_obj bo, to access the mapping data properly.
This fixes the security issue of unmapping the wptr_obj while
a queue creation is in progress and passing another
bo at the same address.
(cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c)
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: 5fb2f7fc21a3668e5794cc0d153641b9719713e1 , < 336a9186f3a4b65bbd865d93936605ac8a1a3991 (git); Affected: 5fb2f7fc21a3668e5794cc0d153641b9719713e1 , < 6da7b1242da4455b11c24ce667d1cab1a348c8ea (git) | |
| Linux | Linux | Affected: 6.16; Unaffected: 0 , < 6.16 (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "336a9186f3a4b65bbd865d93936605ac8a1a3991",
"status": "affected",
"version": "5fb2f7fc21a3668e5794cc0d153641b9719713e1",
"versionType": "git"
},
{
"lessThan": "6da7b1242da4455b11c24ce667d1cab1a348c8ea",
"status": "affected",
"version": "5fb2f7fc21a3668e5794cc0d153641b9719713e1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdgpu/mes_userqueue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.16"
},
{
"lessThan": "6.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "6.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: fix access to stale wptr mapping\n\nUse drm_exec to take both locks i.e vm root bo and\nwptr_obj bo to access the mapping data properly.\n\nThis fixes the security issue of unmap the wptr_obj while\na queue creation is in progress and passing other\nbo at same address.\n\n(cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:37:29.573Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/336a9186f3a4b65bbd865d93936605ac8a1a3991"
},
{
"url": "https://git.kernel.org/stable/c/6da7b1242da4455b11c24ce667d1cab1a348c8ea"
}
],
"title": "drm/amdgpu/userq: fix access to stale wptr mapping",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46311",
"datePublished": "2026-06-08T15:50:41.866Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-09T07:37:29.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46310 (GCVE-0-2026-46310)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-08 15:50
Title
media: renesas: vsp1: Fix NULL pointer deref on module unload
Summary
In the Linux kernel, the following vulnerability has been resolved:
media: renesas: vsp1: Fix NULL pointer deref on module unload
When unloading the module on gen 4, we hit a NULL pointer dereference.
This is caused by the cleanup code calling vsp1_drm_cleanup() where it
should be calling vsp1_vspx_cleanup().
Fix this by checking the IP version and calling the drm or vspx function
accordingly, the same way as the init code does.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux | Affected: d06c1a9f348d22478c6bc5684f9c990e15ada1e9 , < bfb2081ba00afbbd15a5ed1ed1acdc3edeea5a98 (git); Affected: d06c1a9f348d22478c6bc5684f9c990e15ada1e9 , < c4bb1515b26663e5230603892e67f2cc7df9f0ca (git); Affected: d06c1a9f348d22478c6bc5684f9c990e15ada1e9 , < 58b1e9664d8f74d55d8411cc7a7b275a76a6f24f (git) | |
| Linux | Linux | Affected: 6.17; Unaffected: 0 , < 6.17 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) | |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/renesas/vsp1/vsp1_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfb2081ba00afbbd15a5ed1ed1acdc3edeea5a98",
"status": "affected",
"version": "d06c1a9f348d22478c6bc5684f9c990e15ada1e9",
"versionType": "git"
},
{
"lessThan": "c4bb1515b26663e5230603892e67f2cc7df9f0ca",
"status": "affected",
"version": "d06c1a9f348d22478c6bc5684f9c990e15ada1e9",
"versionType": "git"
},
{
"lessThan": "58b1e9664d8f74d55d8411cc7a7b275a76a6f24f",
"status": "affected",
"version": "d06c1a9f348d22478c6bc5684f9c990e15ada1e9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/media/platform/renesas/vsp1/vsp1_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: renesas: vsp1: Fix NULL pointer deref on module unload\n\nWhen unloading the module on gen 4, we hit a NULL pointer dereference.\nThis is caused by the cleanup code calling vsp1_drm_cleanup() where it\nshould be calling vsp1_vspx_cleanup().\n\nFix this by checking the IP version and calling the drm or vspx function\naccordingly, the same way as the init code does."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:50:40.776Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfb2081ba00afbbd15a5ed1ed1acdc3edeea5a98"
},
{
"url": "https://git.kernel.org/stable/c/c4bb1515b26663e5230603892e67f2cc7df9f0ca"
},
{
"url": "https://git.kernel.org/stable/c/58b1e9664d8f74d55d8411cc7a7b275a76a6f24f"
}
],
"title": "media: renesas: vsp1: Fix NULL pointer deref on module unload",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46310",
"datePublished": "2026-06-08T15:50:40.776Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:50:40.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46309 (GCVE-0-2026-46309)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:50 – Updated: 2026-06-08 15:50
Title
drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
Add validation in xe_vm_madvise_ioctl() to reject PAT indices with
XE_COH_NONE coherency mode when applied to CPU cached memory.
Using coh_none with CPU cached buffers is a security issue. When the
kernel clears pages before reallocation, the clear operation stays in
CPU cache (dirty). GPU with coh_none can bypass CPU caches and read
stale sensitive data directly from DRAM, potentially leaking data from
previously freed pages of other processes.
This aligns with the existing validation in vm_bind path
(xe_vm_bind_ioctl_validate_bo).
v2(Matthew brost)
- Add fixes
- Move one debug print to better place
v3(Matthew Auld)
- Should be drm/xe/uapi
- More Cc
v4(Shuicheng Lin)
- Fix kmem leak issues by the way
v5
- Remove kmem leak because it has been merged by another patch
v6
- Remove the fix which is not related to current fix
v7
- No change
v8
- Rebase
v9
- Limit the restrictions to iGPU
v10
- No change
(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: ada7486c5668db542a7d361268df931aca5b726a , < 87f9b1528e1ffc1da3615d552c9a06aba5e20b00 (git); Affected: ada7486c5668db542a7d361268df931aca5b726a , < fea04cf6f2345bc50f15b6638906c35962b89424 (git); Affected: ada7486c5668db542a7d361268df931aca5b726a , < 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.32 , ≤ 6.18.* (semver); Unaffected: 7.0.9 , ≤ 7.0.* (semver); Unaffected: 7.1-rc2 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm_madvise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87f9b1528e1ffc1da3615d552c9a06aba5e20b00",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
},
{
"lessThan": "fea04cf6f2345bc50f15b6638906c35962b89424",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
},
{
"lessThan": "4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39",
"status": "affected",
"version": "ada7486c5668db542a7d361268df931aca5b726a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm_madvise.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.32",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.32",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.9",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc2",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise\n\nAdd validation in xe_vm_madvise_ioctl() to reject PAT indices with\nXE_COH_NONE coherency mode when applied to CPU cached memory.\n\nUsing coh_none with CPU cached buffers is a security issue. When the\nkernel clears pages before reallocation, the clear operation stays in\nCPU cache (dirty). GPU with coh_none can bypass CPU caches and read\nstale sensitive data directly from DRAM, potentially leaking data from\npreviously freed pages of other processes.\n\nThis aligns with the existing validation in vm_bind path\n(xe_vm_bind_ioctl_validate_bo).\n\nv2(Matthew brost)\n- Add fixes\n- Move one debug print to better place\n\nv3(Matthew Auld)\n- Should be drm/xe/uapi\n- More Cc\n\nv4(Shuicheng Lin)\n- Fix kmem leak issues by the way\n\nv5\n- Remove kmem leak because it has been merged by another patch\n\nv6\n- Remove the fix which is not related to current fix\n\nv7\n- No change\n\nv8\n- Rebase\n\nv9\n- Limit the restrictions to iGPU\n\nv10\n- No change\n\n(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:50:39.689Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87f9b1528e1ffc1da3615d552c9a06aba5e20b00"
},
{
"url": "https://git.kernel.org/stable/c/fea04cf6f2345bc50f15b6638906c35962b89424"
},
{
"url": "https://git.kernel.org/stable/c/4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39"
}
],
"title": "drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46309",
"datePublished": "2026-06-08T15:50:39.689Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:50:39.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46308 (GCVE-0-2026-46308)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-08 15:46
Title
pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
Summary
In the Linux kernel, the following vulnerability has been resolved:
pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
In scpsys_get_bus_protection_legacy(), of_find_node_with_property()
returns a device node with its reference count incremented. The function
then calls of_node_put(node) before checking whether
syscon_regmap_lookup_by_phandle() returns an error. If an error occurs,
dev_err_probe() dereferences the node pointer to print diagnostic
information, but the node memory may have already been freed due to the
earlier of_node_put(), leading to a use-after-free vulnerability.
Fix this by moving the of_node_put() call after the error check, ensuring
the node is still valid when accessed in the error path.
Severity
No CVSS data available.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: c29345fa5f66bea0790cf2219f57b974d4fc177b , < cb27e43c0511e9e1ca8818d231656070b11c18cf (git); Affected: c29345fa5f66bea0790cf2219f57b974d4fc177b , < 38d8410021b55d226847b2ac8d189d89fe5a8866 (git); Affected: c29345fa5f66bea0790cf2219f57b974d4fc177b , < ec1fcddb3117d9452210e838fd37389ee61e10e8 (git) |
| Linux | Linux | Affected: 6.18; Unaffected: 0 , < 6.18 (semver); Unaffected: 6.18.30 , ≤ 6.18.* (semver); Unaffected: 7.0.7 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/mediatek/mtk-pm-domains.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb27e43c0511e9e1ca8818d231656070b11c18cf",
"status": "affected",
"version": "c29345fa5f66bea0790cf2219f57b974d4fc177b",
"versionType": "git"
},
{
"lessThan": "38d8410021b55d226847b2ac8d189d89fe5a8866",
"status": "affected",
"version": "c29345fa5f66bea0790cf2219f57b974d4fc177b",
"versionType": "git"
},
{
"lessThan": "ec1fcddb3117d9452210e838fd37389ee61e10e8",
"status": "affected",
"version": "c29345fa5f66bea0790cf2219f57b974d4fc177b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/pmdomain/mediatek/mtk-pm-domains.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.18"
},
{
"lessThan": "6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()\n\nIn scpsys_get_bus_protection_legacy(), of_find_node_with_property()\nreturns a device node with its reference count incremented. The function\nthen calls of_node_put(node) before checking whether\nsyscon_regmap_lookup_by_phandle() returns an error. If an error occurs,\ndev_err_probe() dereferences the node pointer to print diagnostic\ninformation, but the node memory may have already been freed due to the\nearlier of_node_put(), leading to a use-after-free vulnerability.\n\nFix this by moving the of_node_put() call after the error check, ensuring\nthe node is still valid when accessed in the error path."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:46:36.218Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb27e43c0511e9e1ca8818d231656070b11c18cf"
},
{
"url": "https://git.kernel.org/stable/c/38d8410021b55d226847b2ac8d189d89fe5a8866"
},
{
"url": "https://git.kernel.org/stable/c/ec1fcddb3117d9452210e838fd37389ee61e10e8"
}
],
"title": "pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46308",
"datePublished": "2026-06-08T15:46:36.218Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:46:36.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46307 (GCVE-0-2026-46307)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-08 15:46
Title
wifi: ath5k: do not access array OOB
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath5k: do not access array OOB
Vincent reports:
> The ath5k driver seems to do an array-index-out-of-bounds access as
> shown by the UBSAN kernel message:
> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
> index 4 is out of range for type 'ieee80211_tx_rate [4]'
> ...
> Call Trace:
> <TASK>
> dump_stack_lvl+0x5d/0x80
> ubsan_epilogue+0x5/0x2b
> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
> tasklet_action_common+0xb5/0x1c0
It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
#define IEEE80211_TX_MAX_RATES 4
is indeed bogus.
Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).
Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.
Severity
No CVSS data available.
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < ecb1c163166759dec004c1fdb9709b8a5992fc8e (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 9dd6aae4bc7bfa11088d928670a3315eae542769 (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 744c19e266b0d2628c5951439195dcef27eadacf (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 83226c71af53fb9b3cad40cb9a9a79f36d68c020 (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d6869537013b1f21b292342752d97868b79b5934 (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < e9f1081bc775146156def0dbc821b92f35d56afb (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < 568173ad9bd0b46cc6cd937dea8791e9b5eefa57 (git); Affected: 6d7b97b23e114c8fbb825e6721164d228c1af3fc , < d748603f12baff112caa3ab7d39f50100f010dbd (git) |
| Linux | Linux | Affected: 3.0; Unaffected: 0 , < 3.0 (semver); Unaffected: 5.10.258 , ≤ 5.10.* (semver); Unaffected: 5.15.209 , ≤ 5.15.* (semver); Unaffected: 6.1.175 , ≤ 6.1.* (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.88 , ≤ 6.12.* (semver); Unaffected: 6.18.30 , ≤ 6.18.* (semver); Unaffected: 7.0.7 , ≤ 7.0.* (semver); Unaffected: 7.1-rc3 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ecb1c163166759dec004c1fdb9709b8a5992fc8e",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "9dd6aae4bc7bfa11088d928670a3315eae542769",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "744c19e266b0d2628c5951439195dcef27eadacf",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "83226c71af53fb9b3cad40cb9a9a79f36d68c020",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d6869537013b1f21b292342752d97868b79b5934",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "e9f1081bc775146156def0dbc821b92f35d56afb",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "568173ad9bd0b46cc6cd937dea8791e9b5eefa57",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
},
{
"lessThan": "d748603f12baff112caa3ab7d39f50100f010dbd",
"status": "affected",
"version": "6d7b97b23e114c8fbb825e6721164d228c1af3fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath5k/base.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"lessThan": "3.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc3",
"versionStartIncluding": "3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath5k: do not access array OOB\n\nVincent reports:\n\u003e The ath5k driver seems to do an array-index-out-of-bounds access as\n\u003e shown by the UBSAN kernel message:\n\u003e UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20\n\u003e index 4 is out of range for type \u0027ieee80211_tx_rate [4]\u0027\n\u003e ...\n\u003e Call Trace:\n\u003e \u003cTASK\u003e\n\u003e dump_stack_lvl+0x5d/0x80\n\u003e ubsan_epilogue+0x5/0x2b\n\u003e __ubsan_handle_out_of_bounds.cold+0x46/0x4b\n\u003e ath5k_tasklet_tx+0x4e0/0x560 [ath5k]\n\u003e tasklet_action_common+0xb5/0x1c0\n\nIt is real. \u0027ts-\u003ets_final_idx\u0027 can be 3 on 5212, so:\n info-\u003estatus.rates[ts-\u003ets_final_idx + 1].idx = -1;\nwith the array defined as:\n struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];\nwhile the size is:\n #define IEEE80211_TX_MAX_RATES 4\nis indeed bogus.\n\nSet this \u0027idx = -1\u0027 sentinel only if the array index is less than the\narray size. As mac80211 will not look at rates beyond the size\n(IEEE80211_TX_MAX_RATES).\n\nNote: The effect of the OOB write is negligible. It just overwrites the\nnext member of info-\u003estatus, i.e. ack_signal."
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:46:35.059Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ecb1c163166759dec004c1fdb9709b8a5992fc8e"
},
{
"url": "https://git.kernel.org/stable/c/9dd6aae4bc7bfa11088d928670a3315eae542769"
},
{
"url": "https://git.kernel.org/stable/c/744c19e266b0d2628c5951439195dcef27eadacf"
},
{
"url": "https://git.kernel.org/stable/c/83226c71af53fb9b3cad40cb9a9a79f36d68c020"
},
{
"url": "https://git.kernel.org/stable/c/d6869537013b1f21b292342752d97868b79b5934"
},
{
"url": "https://git.kernel.org/stable/c/e9f1081bc775146156def0dbc821b92f35d56afb"
},
{
"url": "https://git.kernel.org/stable/c/568173ad9bd0b46cc6cd937dea8791e9b5eefa57"
},
{
"url": "https://git.kernel.org/stable/c/d748603f12baff112caa3ab7d39f50100f010dbd"
}
],
"title": "wifi: ath5k: do not access array OOB",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46307",
"datePublished": "2026-06-08T15:46:35.059Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:46:35.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46306 (GCVE-0-2026-46306)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-08 15:46
Title
flow_dissector: do not dissect PPPoE PFC frames
Summary
In the Linux kernel, the following vulnerability has been resolved:
flow_dissector: do not dissect PPPoE PFC frames
RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT
RECOMMENDED for PPPoE. In practice, pppd does not support negotiating
PFC for PPPoE sessions, and the flow dissector driver has assumed an
uncompressed frame until the blamed commit.
During the review process of that commit [1], support for PFC is
suggested. However, having a compressed (1-byte) protocol field means
the subsequent PPP payload is shifted by one byte, causing 4-byte
misalignment for the network header and an unaligned access exception
on some architectures.
The exception can be reproduced by sending a PPPoE PFC frame to an
ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE
session is active on that interface:
$ 0 : 00000000 80c40000 00000000 85144817
$ 4 : 00000008 00000100 80a75758 81dc9bb8
$ 8 : 00000010 8087ae2c 0000003d 00000000
$12 : 000000e0 00000039 00000000 00000000
$16 : 85043240 80a75758 81dc9bb8 00006488
$20 : 0000002f 00000007 85144810 80a70000
$24 : 81d1bda0 00000000
$28 : 81dc8000 81dc9aa8 00000000 805ead08
Hi : 00009d51
Lo : 2163358a
epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50
ra : 805ead08 __skb_get_hash_net+0x74/0x12c
Status: 11000403 KERNEL EXL IE
Cause : 40800010 (ExcCode 04)
BadVA : 85144817
PrId : 0001992f (MIPS 1004Kc)
Call Trace:
[<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50
[<805ead08>] __skb_get_hash_net+0x74/0x12c
[<805ef330>] get_rps_cpu+0x1b8/0x3fc
[<805fca70>] netif_receive_skb_list_internal+0x324/0x364
[<805fd120>] napi_complete_done+0x68/0x2a4
[<8058de5c>] mtk_napi_rx+0x228/0xfec
[<805fd398>] __napi_poll+0x3c/0x1c4
[<805fd754>] napi_threaded_poll_loop+0x234/0x29c
[<805fd848>] napi_threaded_poll+0x8c/0xb0
[<80053544>] kthread+0x104/0x12c
[<80002bd8>] ret_from_kernel_thread+0x14/0x1c
Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000
To reduce the attack surface and maintain performance, do not process
PPPoE PFC frames.
[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home
Severity
No CVSS data available.
References
8 references
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 10f665b52a75df6eb26ddebbbc072ee264183731 , < e7c811ca372d53c2be7d01a1614e71fae1054836 (git); Affected: d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8 , < abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < db104b0d8a7856397c0469d83a4289adf7c54863 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 6044392d9cace3a3672b02c8bc7d38b502e51734 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 0d00b9015069712944934bab09eaa6c542143049 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < 7c93f353eab4ea911e394630f07d72e040a729d8 (git); Affected: 46126db9c86110e5fc1e369b9bb89735ddefdae4 , < d6c19b31a3c1d519fabdcf0aa239e6b6109b9473 (git) |
| Linux | Linux | Affected: 6.0; Unaffected: 0 , < 6.0 (semver); Unaffected: 6.1.175 , ≤ 6.1.* (semver); Unaffected: 6.6.140 , ≤ 6.6.* (semver); Unaffected: 6.12.88 , ≤ 6.12.* (semver); Unaffected: 6.18.30 , ≤ 6.18.* (semver); Unaffected: 7.0.7 , ≤ 7.0.* (semver); Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7c811ca372d53c2be7d01a1614e71fae1054836",
"status": "affected",
"version": "10f665b52a75df6eb26ddebbbc072ee264183731",
"versionType": "git"
},
{
"lessThan": "abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200",
"status": "affected",
"version": "d7e541e86122d21f71eb71c5dfa7fb1eb6623fe8",
"versionType": "git"
},
{
"lessThan": "18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "db104b0d8a7856397c0469d83a4289adf7c54863",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "6044392d9cace3a3672b02c8bc7d38b502e51734",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "0d00b9015069712944934bab09eaa6c542143049",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "7c93f353eab4ea911e394630f07d72e040a729d8",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
},
{
"lessThan": "d6c19b31a3c1d519fabdcf0aa239e6b6109b9473",
"status": "affected",
"version": "46126db9c86110e5fc1e369b9bb89735ddefdae4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/flow_dissector.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nflow_dissector: do not dissect PPPoE PFC frames\n\nRFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT\nRECOMMENDED for PPPoE. In practice, pppd does not support negotiating\nPFC for PPPoE sessions, and the flow dissector driver has assumed an\nuncompressed frame until the blamed commit.\n\nDuring the review process of that commit [1], support for PFC is\nsuggested. However, having a compressed (1-byte) protocol field means\nthe subsequent PPP payload is shifted by one byte, causing 4-byte\nmisalignment for the network header and an unaligned access exception\non some architectures.\n\nThe exception can be reproduced by sending a PPPoE PFC frame to an\nethernet interface of a MIPS board, with RPS enabled, even if no PPPoE\nsession is active on that interface:\n\n$ 0 : 00000000 80c40000 00000000 85144817\n$ 4 : 00000008 00000100 80a75758 81dc9bb8\n$ 8 : 00000010 8087ae2c 0000003d 00000000\n$12 : 000000e0 00000039 00000000 00000000\n$16 : 85043240 80a75758 81dc9bb8 00006488\n$20 : 0000002f 00000007 85144810 80a70000\n$24 : 81d1bda0 00000000\n$28 : 81dc8000 81dc9aa8 00000000 805ead08\nHi : 00009d51\nLo : 2163358a\nepc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50\nra : 805ead08 __skb_get_hash_net+0x74/0x12c\nStatus: 11000403 KERNEL EXL IE\nCause : 40800010 (ExcCode 04)\nBadVA : 85144817\nPrId : 0001992f (MIPS 1004Kc)\nCall Trace:\n[\u003c805e91f0\u003e] __skb_flow_dissect+0x1b0/0x1b50\n[\u003c805ead08\u003e] __skb_get_hash_net+0x74/0x12c\n[\u003c805ef330\u003e] get_rps_cpu+0x1b8/0x3fc\n[\u003c805fca70\u003e] netif_receive_skb_list_internal+0x324/0x364\n[\u003c805fd120\u003e] napi_complete_done+0x68/0x2a4\n[\u003c8058de5c\u003e] mtk_napi_rx+0x228/0xfec\n[\u003c805fd398\u003e] __napi_poll+0x3c/0x1c4\n[\u003c805fd754\u003e] napi_threaded_poll_loop+0x234/0x29c\n[\u003c805fd848\u003e] napi_threaded_poll+0x8c/0xb0\n[\u003c80053544\u003e] kthread+0x104/0x12c\n[\u003c80002bd8\u003e] ret_from_kernel_thread+0x14/0x1c\n\nCode: 02d51821 1060045b 00000000 \u003c8c640000\u003e 3084000f 2c820005 144001a2 00042080 8e220000\n\nTo reduce the attack surface and maintain performance, do not process\nPPPoE PFC frames.\n\n[1] https://lore.kernel.org/r/20220630231016.GA392@debian.home"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:46:33.936Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7c811ca372d53c2be7d01a1614e71fae1054836"
},
{
"url": "https://git.kernel.org/stable/c/abc5bc84e0f2edc7ea2d437afa6ef3fe1fc43200"
},
{
"url": "https://git.kernel.org/stable/c/18ae9eacfc95cc715c0606b2c86e8aa8a86cf3e3"
},
{
"url": "https://git.kernel.org/stable/c/db104b0d8a7856397c0469d83a4289adf7c54863"
},
{
"url": "https://git.kernel.org/stable/c/6044392d9cace3a3672b02c8bc7d38b502e51734"
},
{
"url": "https://git.kernel.org/stable/c/0d00b9015069712944934bab09eaa6c542143049"
},
{
"url": "https://git.kernel.org/stable/c/7c93f353eab4ea911e394630f07d72e040a729d8"
},
{
"url": "https://git.kernel.org/stable/c/d6c19b31a3c1d519fabdcf0aa239e6b6109b9473"
}
],
"title": "flow_dissector: do not dissect PPPoE PFC frames",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46306",
"datePublished": "2026-06-08T15:46:33.936Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-08T15:46:33.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}