Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2026:26428
Vulnerability from osv_almalinux
Published
2026-06-16 00:00
Modified
2026-06-17 09:31
Summary
Important: kernel-rt security update
Details
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- kernel: mptcp: fix slab-use-after-free in __inet_lookup_established (CVE-2026-31669)
- kernel: xen/privcmd: fix double free via VMA splitting (CVE-2026-31787)
- kernel: Buffer overflow in drivers/xen/sys-hypervisor.c (CVE-2026-31786)
- kernel: wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
- kernel: netfilter: flowtable: strictly check for maximum number of actions (CVE-2026-43329)
- kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (CVE-2026-46056)
- kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result (CVE-2026-46152)
- kernel: wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-debug-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "kernel-rt-modules-extra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.18.0-553.134.1.rt7.475.el8_10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. \n\nSecurity Fix(es): \n\n * kernel: mptcp: fix slab-use-after-free in __inet_lookup_established (CVE-2026-31669)\n * kernel: xen/privcmd: fix double free via VMA splitting (CVE-2026-31787)\n * kernel: Buffer overflow in drivers/xen/sys-hypervisor.c (CVE-2026-31786)\n * kernel: wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)\n * kernel: netfilter: flowtable: strictly check for maximum number of actions (CVE-2026-43329)\n * kernel: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (CVE-2026-46056)\n * kernel: wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result (CVE-2026-46152)\n * kernel: wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:26428",
"modified": "2026-06-17T09:31:52Z",
"published": "2026-06-16T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:26428"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-31669"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-31786"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-31787"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-43110"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-43329"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46056"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46125"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-46152"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2461503"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2464092"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2464096"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2467014"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2468124"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2482181"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2482563"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2482608"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-26428.html"
}
],
"related": [
"CVE-2026-31669",
"CVE-2026-31787",
"CVE-2026-31786",
"CVE-2026-43110",
"CVE-2026-43329",
"CVE-2026-46056",
"CVE-2026-46152",
"CVE-2026-46125"
],
"summary": "Important: kernel-rt security update"
}
CVE-2026-31669 (GCVE-0-2026-31669)
Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-05-11 22:13
VLAI
EPSS
Title
mptcp: fix slab-use-after-free in __inet_lookup_established
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability
during RCU read-side critical sections. Both tcp_prot and
tcpv6_prot have their slab caches created with this flag
via proto_register().
However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into
tcpv6_prot_override during inet_init() (fs_initcall, level 5),
before inet6_init() (module_init/device_initcall, level 6) has
called proto_register(&tcpv6_prot). At that point,
tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab
remains NULL permanently.
This causes MPTCP v6 subflow child sockets to be allocated via
kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab
cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so
when these sockets are freed without SOCK_RCU_FREE (which is
cleared for child sockets by design), the memory can be
immediately reused. Concurrent ehash lookups under
rcu_read_lock can then access freed memory, triggering a
slab-use-after-free in __inet_lookup_established.
Fix this by splitting the IPv6-specific initialization out of
mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called
from mptcp_proto_v6_init() before protocol registration. This
ensures tcpv6_prot_override.slab correctly inherits the
SLAB_TYPESAFE_BY_RCU slab cache.
Severity
9.8 (Critical)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/f6e1f25fa5e733570… | |
| https://git.kernel.org/stable/c/fb1f54b7d16f393b8… | |
| https://git.kernel.org/stable/c/3fd6547f5b8ac9968… | |
| https://git.kernel.org/stable/c/eb9c6aeb512f877cf… | |
| https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9… | |
| https://git.kernel.org/stable/c/b313e9037d98c1393… | |
| https://git.kernel.org/stable/c/9b55b253907e74312… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b19bc2945b40b9fd38e835700907ffe8534ef0de , < f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47
(git)
Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < fb1f54b7d16f393b8b65d328410f78b4beea8fcc (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 3fd6547f5b8ac99687be6d937a0321efda760597 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < eb9c6aeb512f877cf397deb1e4526f646c70e4a7 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 15fa9ead4d5e6b6b9c794e84144146c917f2cb62 (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < b313e9037d98c13938740e5ebda7852929366dff (git) Affected: b19bc2945b40b9fd38e835700907ffe8534ef0de , < 9b55b253907e7431210483519c5ad711a37dafa1 (git) |
|
| Linux | Linux |
Affected:
5.12
Unaffected: 0 , < 5.12 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.169 , ≤ 6.1.* (semver) Unaffected: 6.6.135 , ≤ 6.6.* (semver) Unaffected: 6.12.82 , ≤ 6.12.* (semver) Unaffected: 6.18.23 , ≤ 6.18.* (semver) Unaffected: 6.19.13 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "fb1f54b7d16f393b8b65d328410f78b4beea8fcc",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "3fd6547f5b8ac99687be6d937a0321efda760597",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "eb9c6aeb512f877cf397deb1e4526f646c70e4a7",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "15fa9ead4d5e6b6b9c794e84144146c917f2cb62",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "b313e9037d98c13938740e5ebda7852929366dff",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
},
{
"lessThan": "9b55b253907e7431210483519c5ad711a37dafa1",
"status": "affected",
"version": "b19bc2945b40b9fd38e835700907ffe8534ef0de",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/protocol.c",
"net/mptcp/protocol.h",
"net/mptcp/subflow.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.169",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.135",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.82",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.169",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.135",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.82",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.13",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix slab-use-after-free in __inet_lookup_established\n\nThe ehash table lookups are lockless and rely on\nSLAB_TYPESAFE_BY_RCU to guarantee socket memory stability\nduring RCU read-side critical sections. Both tcp_prot and\ntcpv6_prot have their slab caches created with this flag\nvia proto_register().\n\nHowever, MPTCP\u0027s mptcp_subflow_init() copies tcpv6_prot into\ntcpv6_prot_override during inet_init() (fs_initcall, level 5),\nbefore inet6_init() (module_init/device_initcall, level 6) has\ncalled proto_register(\u0026tcpv6_prot). At that point,\ntcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab\nremains NULL permanently.\n\nThis causes MPTCP v6 subflow child sockets to be allocated via\nkmalloc (falling into kmalloc-4k) instead of the TCPv6 slab\ncache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so\nwhen these sockets are freed without SOCK_RCU_FREE (which is\ncleared for child sockets by design), the memory can be\nimmediately reused. Concurrent ehash lookups under\nrcu_read_lock can then access freed memory, triggering a\nslab-use-after-free in __inet_lookup_established.\n\nFix this by splitting the IPv6-specific initialization out of\nmptcp_subflow_init() into a new mptcp_subflow_v6_init(), called\nfrom mptcp_proto_v6_init() before protocol registration. This\nensures tcpv6_prot_override.slab correctly inherits the\nSLAB_TYPESAFE_BY_RCU slab cache."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:13:21.124Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f6e1f25fa5e733570f6d6fe37a4dfed2a0deba47"
},
{
"url": "https://git.kernel.org/stable/c/fb1f54b7d16f393b8b65d328410f78b4beea8fcc"
},
{
"url": "https://git.kernel.org/stable/c/3fd6547f5b8ac99687be6d937a0321efda760597"
},
{
"url": "https://git.kernel.org/stable/c/eb9c6aeb512f877cf397deb1e4526f646c70e4a7"
},
{
"url": "https://git.kernel.org/stable/c/15fa9ead4d5e6b6b9c794e84144146c917f2cb62"
},
{
"url": "https://git.kernel.org/stable/c/b313e9037d98c13938740e5ebda7852929366dff"
},
{
"url": "https://git.kernel.org/stable/c/9b55b253907e7431210483519c5ad711a37dafa1"
}
],
"title": "mptcp: fix slab-use-after-free in __inet_lookup_established",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31669",
"datePublished": "2026-04-24T14:45:17.295Z",
"dateReserved": "2026-03-09T15:48:24.130Z",
"dateUpdated": "2026-05-11T22:13:21.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31786 (GCVE-0-2026-31786)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI
EPSS
Title
Buffer overflow in drivers/xen/sys-hypervisor.c
Summary
In the Linux kernel, the following vulnerability has been resolved:
Buffer overflow in drivers/xen/sys-hypervisor.c
The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
neither NUL terminated nor a string.
The first causes a buffer overflow as sprintf in buildid_show will
read and copy till it finds a NUL.
00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
00000017
So use a memcpy instead of sprintf to have the correct value:
00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
00000010 b9 a8 01 42 |...B|
00000014
(the above have a hack to embed a zero inside and check it's
returned correctly).
This is XSA-485 / CVE-2026-31786
Severity
7.8 (High)
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/e3af585e1728c9176… | |
| https://git.kernel.org/stable/c/8288d031a01dbacfd… | |
| https://git.kernel.org/stable/c/f458ba102da97fafc… | |
| https://git.kernel.org/stable/c/4b4defd2fce3f966c… | |
| https://git.kernel.org/stable/c/5c5ff7c7bd15bb536… | |
| https://git.kernel.org/stable/c/d5f59216650c51e5e… | |
| https://git.kernel.org/stable/c/52cecff98bda2c51e… | |
| https://git.kernel.org/stable/c/27fdbab4221b375de… | |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| http://xenbits.xen.org/xsa/advisory-485.html |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
84b7625728ea311ea35bdaa0eded53c1c56baeaa , < e3af585e1728c917682b6a3de9a69b41fb9194d4
(git)
Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 8288d031a01dbacfde3fc643f7be3d23504de64d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < f458ba102da97fafca106327086fc95f3fc764cb (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 4b4defd2fce3f966c25adabf46644a85558f1169 (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < d5f59216650c51e5e3fcb7517c825bc8047f60ef (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 52cecff98bda2c51eed1c6ce9d21c5d6268fb19d (git) Affected: 84b7625728ea311ea35bdaa0eded53c1c56baeaa , < 27fdbab4221b375de54bf91919798d88520c6e28 (git) |
|
| Linux | Linux |
Affected:
4.13
Unaffected: 0 , < 4.13 (semver) Unaffected: 5.10.254 , ≤ 5.10.* (semver) Unaffected: 5.15.204 , ≤ 5.15.* (semver) Unaffected: 6.1.170 , ≤ 6.1.* (semver) Unaffected: 6.6.137 , ≤ 6.6.* (semver) Unaffected: 6.12.85 , ≤ 6.12.* (semver) Unaffected: 6.18.26 , ≤ 6.18.* (semver) Unaffected: 7.0.3 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:32.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/12"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-485.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e3af585e1728c917682b6a3de9a69b41fb9194d4",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "8288d031a01dbacfde3fc643f7be3d23504de64d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "f458ba102da97fafca106327086fc95f3fc764cb",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "4b4defd2fce3f966c25adabf46644a85558f1169",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "d5f59216650c51e5e3fcb7517c825bc8047f60ef",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "52cecff98bda2c51eed1c6ce9d21c5d6268fb19d",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
},
{
"lessThan": "27fdbab4221b375de54bf91919798d88520c6e28",
"status": "affected",
"version": "84b7625728ea311ea35bdaa0eded53c1c56baeaa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/sys-hypervisor.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBuffer overflow in drivers/xen/sys-hypervisor.c\n\nThe build id returned by HYPERVISOR_xen_version(XENVER_build_id) is\nneither NUL terminated nor a string.\n\nThe first causes a buffer overflow as sprintf in buildid_show will\nread and copy till it finds a NUL.\n\n00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|\n00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|\n00000017\n\nSo use a memcpy instead of sprintf to have the correct value:\n\n00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|\n00000010 b9 a8 01 42 |...B|\n00000014\n\n(the above have a hack to embed a zero inside and check it\u0027s\nreturned correctly).\n\nThis is XSA-485 / CVE-2026-31786"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:38.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e3af585e1728c917682b6a3de9a69b41fb9194d4"
},
{
"url": "https://git.kernel.org/stable/c/8288d031a01dbacfde3fc643f7be3d23504de64d"
},
{
"url": "https://git.kernel.org/stable/c/f458ba102da97fafca106327086fc95f3fc764cb"
},
{
"url": "https://git.kernel.org/stable/c/4b4defd2fce3f966c25adabf46644a85558f1169"
},
{
"url": "https://git.kernel.org/stable/c/5c5ff7c7bd15bb536f44b10b3fb5b8408f344d0a"
},
{
"url": "https://git.kernel.org/stable/c/d5f59216650c51e5e3fcb7517c825bc8047f60ef"
},
{
"url": "https://git.kernel.org/stable/c/52cecff98bda2c51eed1c6ce9d21c5d6268fb19d"
},
{
"url": "https://git.kernel.org/stable/c/27fdbab4221b375de54bf91919798d88520c6e28"
}
],
"title": "Buffer overflow in drivers/xen/sys-hypervisor.c",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31786",
"datePublished": "2026-04-30T10:31:28.293Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:38.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31787 (GCVE-0-2026-31787)
Vulnerability from cvelistv5 – Published: 2026-04-30 10:31 – Updated: 2026-06-14 17:44
VLAI
EPSS
Title
xen/privcmd: fix double free via VMA splitting
Summary
In the Linux kernel, the following vulnerability has been resolved:
xen/privcmd: fix double free via VMA splitting
privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
nor .open. When userspace does a partial munmap() on a privcmd mapping,
the kernel splits the VMA via __split_vma(). Since may_split is NULL,
the split is allowed. vm_area_dup() copies vm_private_data (a pages
array allocated in alloc_empty_pages()) into the new VMA without any
fixup, because there is no .open callback.
Both VMAs now point to the same pages array. When the unmapped portion
is closed, privcmd_close() calls:
- xen_unmap_domain_gfn_range()
- xen_free_unpopulated_pages()
- kvfree(pages)
The surviving VMA still holds the dangling pointer. When it is later
destroyed, the same sequence runs again, which leads to a double free.
Fix this issue by adding a .may_split callback denying the VMA split.
This is XSA-487 / CVE-2026-31787
Severity
No CVSS data available.
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/dbf862ce9f009128a… | |
| https://git.kernel.org/stable/c/2b985d3a024b9e8c2… | |
| https://git.kernel.org/stable/c/1576ff3869cbd3620… | |
| https://git.kernel.org/stable/c/402d84ad9e89bd4cb… | |
| https://git.kernel.org/stable/c/2894a351fe2ea8684… | |
| https://git.kernel.org/stable/c/446ee446d9ae66f36… | |
| https://git.kernel.org/stable/c/71bf829800758a6e3… | |
| https://git.kernel.org/stable/c/24daca4fc07f3ff8c… | |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| http://xenbits.xen.org/xsa/advisory-487.html |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
d71f513985c22f1050295d1a7e4327cf9fb060da , < dbf862ce9f009128ab86b234d91413a3e450beb4
(git)
Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2b985d3a024b9e8c24e21671b34e855569763808 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 1576ff3869cbd3620717195f971c85b7d7fd62b5 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 402d84ad9e89bd4cbfd07ca8598532b7021daf95 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 2894a351fe2ea8684919d36df3188b9a35e3926f (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 446ee446d9ae66f36e95c3c90bbcc4e56b94cde0 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 71bf829800758a6e3889096e4754ef47ba7fc850 (git) Affected: d71f513985c22f1050295d1a7e4327cf9fb060da , < 24daca4fc07f3ff8cd0e3f629cd982187f48436a (git) |
|
| Linux | Linux |
Affected:
3.8
Unaffected: 0 , < 3.8 (semver) Unaffected: 5.10.254 , ≤ 5.10.* (semver) Unaffected: 5.15.204 , ≤ 5.15.* (semver) Unaffected: 6.1.170 , ≤ 6.1.* (semver) Unaffected: 6.6.137 , ≤ 6.6.* (semver) Unaffected: 6.12.85 , ≤ 6.12.* (semver) Unaffected: 6.18.26 , ≤ 6.18.* (semver) Unaffected: 7.0.3 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-30T10:39:37.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/14"
},
{
"url": "http://xenbits.xen.org/xsa/advisory-487.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbf862ce9f009128ab86b234d91413a3e450beb4",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2b985d3a024b9e8c24e21671b34e855569763808",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "1576ff3869cbd3620717195f971c85b7d7fd62b5",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "402d84ad9e89bd4cbfd07ca8598532b7021daf95",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "2894a351fe2ea8684919d36df3188b9a35e3926f",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "446ee446d9ae66f36e95c3c90bbcc4e56b94cde0",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "71bf829800758a6e3889096e4754ef47ba7fc850",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
},
{
"lessThan": "24daca4fc07f3ff8cd0e3f629cd982187f48436a",
"status": "affected",
"version": "d71f513985c22f1050295d1a7e4327cf9fb060da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/xen/privcmd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.8"
},
{
"lessThan": "3.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.254",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.204",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.170",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.85",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.254",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.204",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.170",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.137",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.85",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.26",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.3",
"versionStartIncluding": "3.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n - xen_unmap_domain_gfn_range()\n - xen_free_unpopulated_pages()\n - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787"
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:44:41.402Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbf862ce9f009128ab86b234d91413a3e450beb4"
},
{
"url": "https://git.kernel.org/stable/c/2b985d3a024b9e8c24e21671b34e855569763808"
},
{
"url": "https://git.kernel.org/stable/c/1576ff3869cbd3620717195f971c85b7d7fd62b5"
},
{
"url": "https://git.kernel.org/stable/c/402d84ad9e89bd4cbfd07ca8598532b7021daf95"
},
{
"url": "https://git.kernel.org/stable/c/2894a351fe2ea8684919d36df3188b9a35e3926f"
},
{
"url": "https://git.kernel.org/stable/c/446ee446d9ae66f36e95c3c90bbcc4e56b94cde0"
},
{
"url": "https://git.kernel.org/stable/c/71bf829800758a6e3889096e4754ef47ba7fc850"
},
{
"url": "https://git.kernel.org/stable/c/24daca4fc07f3ff8cd0e3f629cd982187f48436a"
}
],
"title": "xen/privcmd: fix double free via VMA splitting",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31787",
"datePublished": "2026-04-30T10:31:28.992Z",
"dateReserved": "2026-03-09T15:48:24.141Z",
"dateUpdated": "2026-06-14T17:44:41.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43110 (GCVE-0-2026-43110)
Vulnerability from cvelistv5 – Published: 2026-05-06 07:40 – Updated: 2026-06-01 16:14
VLAI
EPSS
Title
wifi: brcmfmac: validate bsscfg indices in IF events
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: validate bsscfg indices in IF events
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
[add missing wifi prefix]
Severity
8.8 (High)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/b329fbcf075949a03… | |
| https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5e… | |
| https://git.kernel.org/stable/c/9c81bcc2c695e0082… | |
| https://git.kernel.org/stable/c/3ec7437e9d1137410… | |
| https://git.kernel.org/stable/c/9fca68c2512a362ca… | |
| https://git.kernel.org/stable/c/1ae1e1caa428844e4… | |
| https://git.kernel.org/stable/c/b427c2b05222db36d… | |
| https://git.kernel.org/stable/c/304950a467d83678b… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
2880b86859967af710c72f7d34fb421a86a71e22 , < b329fbcf075949a038045d8e9b86ae3d5bbd8a54
(git)
Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9c81bcc2c695e0082012a2a3d36a0eefaa51579c (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 3ec7437e9d11374105c2c4e47ae671537729d7e6 (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 9fca68c2512a362cad258e4df12a307bb2ee4b8e (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 1ae1e1caa428844e481231f6dbe9b4f475f1d52d (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < b427c2b05222db36d32ee141609de6128e9091bb (git) Affected: 2880b86859967af710c72f7d34fb421a86a71e22 , < 304950a467d83678bd0b0f46331882e2ac23b12d (git) |
|
| Linux | Linux |
Affected:
3.9
Unaffected: 0 , < 3.9 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.136 , ≤ 6.6.* (semver) Unaffected: 6.12.83 , ≤ 6.12.* (semver) Unaffected: 6.18.24 , ≤ 6.18.* (semver) Unaffected: 6.19.14 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b329fbcf075949a038045d8e9b86ae3d5bbd8a54",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9c81bcc2c695e0082012a2a3d36a0eefaa51579c",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "3ec7437e9d11374105c2c4e47ae671537729d7e6",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "9fca68c2512a362cad258e4df12a307bb2ee4b8e",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "1ae1e1caa428844e481231f6dbe9b4f475f1d52d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "b427c2b05222db36d32ee141609de6128e9091bb",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
},
{
"lessThan": "304950a467d83678bd0b0f46331882e2ac23b12d",
"status": "affected",
"version": "2880b86859967af710c72f7d34fb421a86a71e22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: validate bsscfg indices in IF events\n\nbrcmf_fweh_handle_if_event() validates the firmware-provided interface\nindex before it touches drvr-\u003eiflist[], but it still uses the raw\nbsscfgidx field as an array index without a matching range check.\n\nReject IF events whose bsscfg index does not fit in drvr-\u003eiflist[]\nbefore indexing the interface array.\n\n[add missing wifi prefix]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T16:14:59.388Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b329fbcf075949a038045d8e9b86ae3d5bbd8a54"
},
{
"url": "https://git.kernel.org/stable/c/2ae3ccb78c0a9ef5ee3d80d02ab319ac1d5af734"
},
{
"url": "https://git.kernel.org/stable/c/9c81bcc2c695e0082012a2a3d36a0eefaa51579c"
},
{
"url": "https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6"
},
{
"url": "https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e"
},
{
"url": "https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d"
},
{
"url": "https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb"
},
{
"url": "https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d"
}
],
"title": "wifi: brcmfmac: validate bsscfg indices in IF events",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43110",
"datePublished": "2026-05-06T07:40:37.250Z",
"dateReserved": "2026-05-01T14:12:55.986Z",
"dateUpdated": "2026-06-01T16:14:59.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43329 (GCVE-0-2026-43329)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-11 22:22
VLAI
EPSS
Title
netfilter: flowtable: strictly check for maximum number of actions
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: flowtable: strictly check for maximum number of actions
The maximum number of flowtable hardware offload actions in IPv6 is:
* ethernet mangling (4 payload actions, 2 for each ethernet address)
* SNAT (4 payload actions)
* DNAT (4 payload actions)
* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)
for QinQ.
* Redirect (1 action)
Which makes 17, while the maximum is 16. But act_ct supports for tunnels
actions too. Note that payload action operates at 32-bit word level, so
mangling an IPv6 address takes 4 payload actions.
Update flow_action_entry_next() calls to check for the maximum number of
supported actions.
While at it, rise the maximum number of actions per flow from 16 to 24
so this works fine with IPv6 setups.
Severity
7.8 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/ead66c77303f760f6… | |
| https://git.kernel.org/stable/c/fe9018d3e94329f19… | |
| https://git.kernel.org/stable/c/5382bb03e9c33b089… | |
| https://git.kernel.org/stable/c/57c78bd2e2dd08897… | |
| https://git.kernel.org/stable/c/504c9456699dcf4d1… | |
| https://git.kernel.org/stable/c/879959a7a2be814dd… | |
| https://git.kernel.org/stable/c/76522fcdbc3a02b56… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c29f74e0df7a02b8303bcdce93a7c0132d62577a , < ead66c77303f760f6c30be96e2e20d5a77cef614
(git)
Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < fe9018d3e94329f1951b00805a8640bc06f56ead (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 5382bb03e9c33b089d60788478b922a2dca284cc (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 57c78bd2e2dd08897acd35b2bf8bcef322e36f5e (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 504c9456699dcf4d15195ef34a0fa94a80bfc877 (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 879959a7a2be814dd57568655eafa3d8f4d0309e (git) Affected: c29f74e0df7a02b8303bcdce93a7c0132d62577a , < 76522fcdbc3a02b568f5d957f7e66fc194abb893 (git) |
|
| Linux | Linux |
Affected:
5.5
Unaffected: 0 , < 5.5 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_flow_table_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ead66c77303f760f6c30be96e2e20d5a77cef614",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "fe9018d3e94329f1951b00805a8640bc06f56ead",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "5382bb03e9c33b089d60788478b922a2dca284cc",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "57c78bd2e2dd08897acd35b2bf8bcef322e36f5e",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "504c9456699dcf4d15195ef34a0fa94a80bfc877",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "879959a7a2be814dd57568655eafa3d8f4d0309e",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
},
{
"lessThan": "76522fcdbc3a02b568f5d957f7e66fc194abb893",
"status": "affected",
"version": "c29f74e0df7a02b8303bcdce93a7c0132d62577a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_flow_table_offload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: strictly check for maximum number of actions\n\nThe maximum number of flowtable hardware offload actions in IPv6 is:\n\n* ethernet mangling (4 payload actions, 2 for each ethernet address)\n* SNAT (4 payload actions)\n* DNAT (4 payload actions)\n* Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)\n for QinQ.\n* Redirect (1 action)\n\nWhich makes 17, while the maximum is 16. But act_ct supports for tunnels\nactions too. Note that payload action operates at 32-bit word level, so\nmangling an IPv6 address takes 4 payload actions.\n\nUpdate flow_action_entry_next() calls to check for the maximum number of\nsupported actions.\n\nWhile at it, rise the maximum number of actions per flow from 16 to 24\nso this works fine with IPv6 setups."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:27.808Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614"
},
{
"url": "https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead"
},
{
"url": "https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc"
},
{
"url": "https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e"
},
{
"url": "https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877"
},
{
"url": "https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e"
},
{
"url": "https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893"
}
],
"title": "netfilter: flowtable: strictly check for maximum number of actions",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43329",
"datePublished": "2026-05-08T13:31:17.479Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-05-11T22:22:27.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46056 (GCVE-0-2026-46056)
Vulnerability from cvelistv5 – Published: 2026-05-27 12:57 – Updated: 2026-06-14 17:51
VLAI
EPSS
Title
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
hci_conn lookup and field access must be covered by hdev lock in
hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise
the connection can be freed concurrently.
Extend the hci_dev_lock critical section to cover all conn usage in both
handlers.
Keep the existing keypress notification behavior unchanged by routing
the early exits through a common unlock path.
Severity
8.8 (High)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/b6ae482f88654db40… | |
| https://git.kernel.org/stable/c/204028af77a265e31… | |
| https://git.kernel.org/stable/c/01a6431766c35dfed… | |
| https://git.kernel.org/stable/c/e08d75753db17aa94… | |
| https://git.kernel.org/stable/c/8c6443bb9257b7809… | |
| https://git.kernel.org/stable/c/85fa3512048793076… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
92a25256f142d55e25f9959441cea6ddeabae57e , < b6ae482f88654db407c8c17619d4b62959b903ef
(git)
Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 204028af77a265e31ceb4ba7f643349a3cca72b2 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 01a6431766c35dfedb86e0cb5d3fc80c6d604a47 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < e08d75753db17aa943d7622f09d9c217b5bfd3b8 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 8c6443bb9257b780986fb67ec08565bf48ecb8d7 (git) Affected: 92a25256f142d55e25f9959441cea6ddeabae57e , < 85fa3512048793076eef658f66489112dcc91993 (git) |
|
| Linux | Linux |
Affected:
3.7
Unaffected: 0 , < 3.7 (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.86 , ≤ 6.12.* (semver) Unaffected: 6.18.27 , ≤ 6.18.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b6ae482f88654db407c8c17619d4b62959b903ef",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "204028af77a265e31ceb4ba7f643349a3cca72b2",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "01a6431766c35dfedb86e0cb5d3fc80c6d604a47",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "e08d75753db17aa943d7622f09d9c217b5bfd3b8",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "8c6443bb9257b780986fb67ec08565bf48ecb8d7",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
},
{
"lessThan": "85fa3512048793076eef658f66489112dcc91993",
"status": "affected",
"version": "92a25256f142d55e25f9959441cea6ddeabae57e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_event.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.86",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.27",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.86",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.27",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.4",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: fix potential UAF in SSP passkey handlers\n\nhci_conn lookup and field access must be covered by hdev lock in\nhci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise\nthe connection can be freed concurrently.\n\nExtend the hci_dev_lock critical section to cover all conn usage in both\nhandlers.\n\nKeep the existing keypress notification behavior unchanged by routing\nthe early exits through a common unlock path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:51:08.884Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b6ae482f88654db407c8c17619d4b62959b903ef"
},
{
"url": "https://git.kernel.org/stable/c/204028af77a265e31ceb4ba7f643349a3cca72b2"
},
{
"url": "https://git.kernel.org/stable/c/01a6431766c35dfedb86e0cb5d3fc80c6d604a47"
},
{
"url": "https://git.kernel.org/stable/c/e08d75753db17aa943d7622f09d9c217b5bfd3b8"
},
{
"url": "https://git.kernel.org/stable/c/8c6443bb9257b780986fb67ec08565bf48ecb8d7"
},
{
"url": "https://git.kernel.org/stable/c/85fa3512048793076eef658f66489112dcc91993"
}
],
"title": "Bluetooth: hci_event: fix potential UAF in SSP passkey handlers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46056",
"datePublished": "2026-05-27T12:57:15.150Z",
"dateReserved": "2026-05-13T15:03:33.094Z",
"dateUpdated": "2026-06-14T17:51:08.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46125 (GCVE-0-2026-46125)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:35 – Updated: 2026-06-14 17:56
VLAI
EPSS
Title
wifi: mac80211: remove station if connection prep fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: remove station if connection prep fails
If connection preparation fails for MLO connections, then the
interface is completely reset to non-MLD. In this case, we must
not keep the station since it's related to the link of the vif
being removed. Delete an existing station. Any "new_sta" is
already being removed, so that doesn't need changes.
This fixes a use-after-free/double-free in debugfs if that's
enabled, because a vif going from MLD (and to MLD, but that's
not relevant here) recreates its entire debugfs.
Severity
8.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
81151ce462e533551f3284bfdb8e0f461c9220e6 , < fe75fa1ac9a92990f7fc3d34b17808fd933071b2
(git)
Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < afcbaed89cdc1a001b43270cbf5394bb4804270a (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 9e28654f79f443bca9b29ff3ae7cf18abfba58a0 (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 1c2b72ea89882aeb948340498391e69c58d466f1 (git) Affected: 81151ce462e533551f3284bfdb8e0f461c9220e6 , < 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 (git) |
|
| Linux | Linux |
Affected:
6.0
Unaffected: 0 , < 6.0 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fe75fa1ac9a92990f7fc3d34b17808fd933071b2",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "afcbaed89cdc1a001b43270cbf5394bb4804270a",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "9e28654f79f443bca9b29ff3ae7cf18abfba58a0",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "1c2b72ea89882aeb948340498391e69c58d466f1",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
},
{
"lessThan": "283fc9e44ff5b5ac967439b4951b80bd4299f4e4",
"status": "affected",
"version": "81151ce462e533551f3284bfdb8e0f461c9220e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/mlme.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: remove station if connection prep fails\n\nIf connection preparation fails for MLO connections, then the\ninterface is completely reset to non-MLD. In this case, we must\nnot keep the station since it\u0027s related to the link of the vif\nbeing removed. Delete an existing station. Any \"new_sta\" is\nalready being removed, so that doesn\u0027t need changes.\n\nThis fixes a use-after-free/double-free in debugfs if that\u0027s\nenabled, because a vif going from MLD (and to MLD, but that\u0027s\nnot relevant here) recreates its entire debugfs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:56:18.302Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fe75fa1ac9a92990f7fc3d34b17808fd933071b2"
},
{
"url": "https://git.kernel.org/stable/c/afcbaed89cdc1a001b43270cbf5394bb4804270a"
},
{
"url": "https://git.kernel.org/stable/c/9e28654f79f443bca9b29ff3ae7cf18abfba58a0"
},
{
"url": "https://git.kernel.org/stable/c/1c2b72ea89882aeb948340498391e69c58d466f1"
},
{
"url": "https://git.kernel.org/stable/c/283fc9e44ff5b5ac967439b4951b80bd4299f4e4"
}
],
"title": "wifi: mac80211: remove station if connection prep fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46125",
"datePublished": "2026-05-28T09:35:39.809Z",
"dateReserved": "2026-05-13T15:03:33.099Z",
"dateUpdated": "2026-06-14T17:56:18.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46152 (GCVE-0-2026-46152)
Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-06-14 17:58
VLAI
EPSS
Title
wifi: mac80211: drop stray 'static' from fast-RX rx_result
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: drop stray 'static' from fast-RX rx_result
ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.
That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.
Make res an automatic variable so each invocation keeps its own result.
Severity
8.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
3468e1e0c639032a603450f0830ccabfa76f5806 , < 03584528bfffb195e384698af9148b94e42e3f14
(git)
Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 1739fc31b4de06c5c78ce0741182770fb079091e (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < e131562d6f2b958148c35c98831b007f47f0e3d3 (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 3ef44f96ccc3e06e059dec57842e366f0c4b1893 (git) Affected: 3468e1e0c639032a603450f0830ccabfa76f5806 , < 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba (git) |
|
| Linux | Linux |
Affected:
6.4
Unaffected: 0 , < 6.4 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "03584528bfffb195e384698af9148b94e42e3f14",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "1739fc31b4de06c5c78ce0741182770fb079091e",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "e131562d6f2b958148c35c98831b007f47f0e3d3",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "3ef44f96ccc3e06e059dec57842e366f0c4b1893",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
},
{
"lessThan": "7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba",
"status": "affected",
"version": "3468e1e0c639032a603450f0830ccabfa76f5806",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/rx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result\n\nieee80211_invoke_fast_rx() is documented as safe for parallel RX, but\nits per-invocation rx_result is declared static. Concurrent callers then\nshare one instance and can overwrite each other\u0027s result between\nieee80211_rx_mesh_data() and the switch on res.\n\nThat can make a packet that was queued or consumed by\nieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make\na packet that should continue return as queued.\n\nMake res an automatic variable so each invocation keeps its own result."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T17:58:25.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/03584528bfffb195e384698af9148b94e42e3f14"
},
{
"url": "https://git.kernel.org/stable/c/1739fc31b4de06c5c78ce0741182770fb079091e"
},
{
"url": "https://git.kernel.org/stable/c/e131562d6f2b958148c35c98831b007f47f0e3d3"
},
{
"url": "https://git.kernel.org/stable/c/3ef44f96ccc3e06e059dec57842e366f0c4b1893"
},
{
"url": "https://git.kernel.org/stable/c/7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba"
}
],
"title": "wifi: mac80211: drop stray \u0027static\u0027 from fast-RX rx_result",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46152",
"datePublished": "2026-05-28T09:36:08.211Z",
"dateReserved": "2026-05-13T15:03:33.101Z",
"dateUpdated": "2026-06-14T17:58:25.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…