Action not permitted
Modal body text goes here.
Modal Title
Modal Body
alsa-2026:6632
Vulnerability from osv_almalinux
Published
2026-04-06 00:00
Modified
2026-04-10 16:35
Summary
Moderate: kernel security update
Details
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
- kernel: Linux kernel (net/mlx5): Use-after-free in ECVF vports unload leads to denial of service (CVE-2025-38109)
- kernel: Linux kernel: Local denial of service and memory leak in DAMON sysfs via setup failure (CVE-2026-23144)
- kernel: Linux kernel: Use-after-free in bonding module can cause system crash or arbitrary code execution (CVE-2026-23171)
- kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (CVE-2026-23193)
- kernel: macvlan: fix error recovery in macvlan_common_newlink() (CVE-2026-23209)
- kernel: net/sched: cls_u32: use skb_header_pointer_careful() (CVE-2026-23204)
- kernel: ALSA: aloop: Fix racy access at PCM trigger (CVE-2026-23191)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-abi-stablelists"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-124.49.1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "kernel-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.12.0-124.49.1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The kernel packages contain the Linux kernel, the core of any Linux operating system. \n\nSecurity Fix(es): \n\n * kernel: Linux kernel (net/mlx5): Use-after-free in ECVF vports unload leads to denial of service (CVE-2025-38109)\n * kernel: Linux kernel: Local denial of service and memory leak in DAMON sysfs via setup failure (CVE-2026-23144)\n * kernel: Linux kernel: Use-after-free in bonding module can cause system crash or arbitrary code execution (CVE-2026-23171)\n * kernel: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() (CVE-2026-23193)\n * kernel: macvlan: fix error recovery in macvlan_common_newlink() (CVE-2026-23209)\n * kernel: net/sched: cls_u32: use skb_header_pointer_careful() (CVE-2026-23204)\n * kernel: ALSA: aloop: Fix racy access at PCM trigger (CVE-2026-23191)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:6632",
"modified": "2026-04-10T16:35:05Z",
"published": "2026-04-06T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:6632"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2025-38109"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23144"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23171"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23191"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23193"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23204"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-23209"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2376101"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439872"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439886"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439887"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439900"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439931"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2439947"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-6632.html"
}
],
"related": [
"CVE-2025-38109",
"CVE-2026-23144",
"CVE-2026-23171",
"CVE-2026-23193",
"CVE-2026-23209",
"CVE-2026-23204",
"CVE-2026-23191"
],
"summary": "Moderate: kernel security update"
}
CVE-2025-38109 (GCVE-0-2025-38109)
Vulnerability from cvelistv5 – Published: 2025-07-03 08:35 – Updated: 2026-05-11 21:21
VLAI
EPSS
Title
net/mlx5: Fix ECVF vports unload on shutdown flow
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix ECVF vports unload on shutdown flow
Fix shutdown flow UAF when a virtual function is created on the embedded
chip (ECVF) of a BlueField device. In such case the vport acl ingress
table is not properly destroyed.
ECVF functionality is independent of ecpf_vport_exists capability and
thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not
test it when enabling/disabling ECVF vports.
kernel log:
[] refcount_t: underflow; use-after-free.
[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28
refcount_warn_saturate+0x124/0x220
----------------
[] Call trace:
[] refcount_warn_saturate+0x124/0x220
[] tree_put_node+0x164/0x1e0 [mlx5_core]
[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]
[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]
[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]
[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]
[] esw_vport_cleanup+0x64/0x90 [mlx5_core]
[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]
[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]
[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]
[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]
[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]
[] mlx5_unload+0x40/0xc4 [mlx5_core]
[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]
[] mlx5_unload_one+0x3c/0x60 [mlx5_core]
[] shutdown+0x7c/0xa4 [mlx5_core]
[] pci_device_shutdown+0x3c/0xa0
[] device_shutdown+0x170/0x340
[] __do_sys_reboot+0x1f4/0x2a0
[] __arm64_sys_reboot+0x2c/0x40
[] invoke_syscall+0x78/0x100
[] el0_svc_common.constprop.0+0x54/0x184
[] do_el0_svc+0x30/0xac
[] el0_svc+0x48/0x160
[] el0t_64_sync_handler+0xa4/0x12c
[] el0t_64_sync+0x1a4/0x1a8
[] --[ end trace 9c4601d68c70030e ]---
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 5953ae44dfe5dbad374318875be834c3b7b71ee6
(git)
Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < da15ca0553325acf68039015f2f4db750c8e2b96 (git) Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 24db585d369f949f698e03d7d8017e5ae19d0497 (git) Affected: a7719b29a82199b90ebbf355d3332e0fbfbf6045 , < 687560d8a9a2d654829ad0da1ec24242f1de711d (git) |
|
| Linux | Linux |
Affected:
6.5
Unaffected: 0 , < 6.5 (semver) Unaffected: 6.6.94 , ≤ 6.6.* (semver) Unaffected: 6.12.34 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5953ae44dfe5dbad374318875be834c3b7b71ee6",
"status": "affected",
"version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
"versionType": "git"
},
{
"lessThan": "da15ca0553325acf68039015f2f4db750c8e2b96",
"status": "affected",
"version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
"versionType": "git"
},
{
"lessThan": "24db585d369f949f698e03d7d8017e5ae19d0497",
"status": "affected",
"version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
"versionType": "git"
},
{
"lessThan": "687560d8a9a2d654829ad0da1ec24242f1de711d",
"status": "affected",
"version": "a7719b29a82199b90ebbf355d3332e0fbfbf6045",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/eswitch.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix ECVF vports unload on shutdown flow\n\nFix shutdown flow UAF when a virtual function is created on the embedded\nchip (ECVF) of a BlueField device. In such case the vport acl ingress\ntable is not properly destroyed.\n\nECVF functionality is independent of ecpf_vport_exists capability and\nthus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not\ntest it when enabling/disabling ECVF vports.\n\nkernel log:\n[] refcount_t: underflow; use-after-free.\n[] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28\n refcount_warn_saturate+0x124/0x220\n----------------\n[] Call trace:\n[] refcount_warn_saturate+0x124/0x220\n[] tree_put_node+0x164/0x1e0 [mlx5_core]\n[] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core]\n[] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core]\n[] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core]\n[] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core]\n[] esw_vport_cleanup+0x64/0x90 [mlx5_core]\n[] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core]\n[] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core]\n[] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core]\n[] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core]\n[] mlx5_sriov_detach+0x40/0x50 [mlx5_core]\n[] mlx5_unload+0x40/0xc4 [mlx5_core]\n[] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core]\n[] mlx5_unload_one+0x3c/0x60 [mlx5_core]\n[] shutdown+0x7c/0xa4 [mlx5_core]\n[] pci_device_shutdown+0x3c/0xa0\n[] device_shutdown+0x170/0x340\n[] __do_sys_reboot+0x1f4/0x2a0\n[] __arm64_sys_reboot+0x2c/0x40\n[] invoke_syscall+0x78/0x100\n[] el0_svc_common.constprop.0+0x54/0x184\n[] do_el0_svc+0x30/0xac\n[] el0_svc+0x48/0x160\n[] el0t_64_sync_handler+0xa4/0x12c\n[] el0t_64_sync+0x1a4/0x1a8\n[] --[ end trace 9c4601d68c70030e ]---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:21:26.013Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5953ae44dfe5dbad374318875be834c3b7b71ee6"
},
{
"url": "https://git.kernel.org/stable/c/da15ca0553325acf68039015f2f4db750c8e2b96"
},
{
"url": "https://git.kernel.org/stable/c/24db585d369f949f698e03d7d8017e5ae19d0497"
},
{
"url": "https://git.kernel.org/stable/c/687560d8a9a2d654829ad0da1ec24242f1de711d"
}
],
"title": "net/mlx5: Fix ECVF vports unload on shutdown flow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38109",
"datePublished": "2025-07-03T08:35:19.240Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2026-05-11T21:21:26.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23144 (GCVE-0-2026-23144)
Vulnerability from cvelistv5 – Published: 2026-02-14 15:36 – Updated: 2026-05-11 22:00
VLAI
EPSS
Title
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
c951cd3b89010c7a4751b9d4ea074007e44851e6 , < db7dfe78fc81bdd2b532d77f340fe453f2360426
(git)
Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 43964644348f6b1add3055c4a6cae8f77d892a6e (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 5651c0c391c0029541794f9c4c9597faecfd401f (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 78b4eb99751ebd37ceade78810bf94de80f7fb3a (git) Affected: c951cd3b89010c7a4751b9d4ea074007e44851e6 , < 9814cc832b88bd040fc2a1817c2b5469d0f7e862 (git) |
|
| Linux | Linux |
Affected:
5.18
Unaffected: 0 , < 5.18 (semver) Unaffected: 6.1.162 , ≤ 6.1.* (semver) Unaffected: 6.6.122 , ≤ 6.6.* (semver) Unaffected: 6.12.67 , ≤ 6.12.* (semver) Unaffected: 6.18.7 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "db7dfe78fc81bdd2b532d77f340fe453f2360426",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "43964644348f6b1add3055c4a6cae8f77d892a6e",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "5651c0c391c0029541794f9c4c9597faecfd401f",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "78b4eb99751ebd37ceade78810bf94de80f7fb3a",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
},
{
"lessThan": "9814cc832b88bd040fc2a1817c2b5469d0f7e862",
"status": "affected",
"version": "c951cd3b89010c7a4751b9d4ea074007e44851e6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/damon/sysfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.67",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.67",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.7",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/sysfs: cleanup attrs subdirs on context dir setup failure\n\nWhen a context DAMON sysfs directory setup is failed after setup of attrs/\ndirectory, subdirectories of attrs/ directory are not cleaned up. As a\nresult, DAMON sysfs interface is nearly broken until the system reboots,\nand the memory for the unremoved directory is leaked.\n\nCleanup the directories under such failures."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:00:59.074Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/db7dfe78fc81bdd2b532d77f340fe453f2360426"
},
{
"url": "https://git.kernel.org/stable/c/43964644348f6b1add3055c4a6cae8f77d892a6e"
},
{
"url": "https://git.kernel.org/stable/c/5651c0c391c0029541794f9c4c9597faecfd401f"
},
{
"url": "https://git.kernel.org/stable/c/78b4eb99751ebd37ceade78810bf94de80f7fb3a"
},
{
"url": "https://git.kernel.org/stable/c/9814cc832b88bd040fc2a1817c2b5469d0f7e862"
}
],
"title": "mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23144",
"datePublished": "2026-02-14T15:36:09.518Z",
"dateReserved": "2026-01-13T15:37:45.974Z",
"dateUpdated": "2026-05-11T22:00:59.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23171 (GCVE-0-2026-23171)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-05-17 15:21
VLAI
EPSS
Title
bonding: fix use-after-free due to enslave fail after slave array update
Summary
In the Linux kernel, the following vulnerability has been resolved:
bonding: fix use-after-free due to enslave fail after slave array update
Fix a use-after-free which happens due to enslave failure after the new
slave has been added to the array. Since the new slave can be used for Tx
immediately, we can use it after it has been freed by the enslave error
cleanup path which frees the allocated slave memory. Slave update array is
supposed to be called last when further enslave failures are not expected.
Move it after xdp setup to avoid any problems.
It is very easy to reproduce the problem with a simple xdp_pass prog:
ip l add bond1 type bond mode balance-xor
ip l set bond1 up
ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass
ip l add dumdum type dummy
Then run in parallel:
while :; do ip l set dumdum master bond1 1>/dev/null 2>&1; done;
mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn"
The crash happens almost immediately:
[ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI
[ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]
[ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)
[ 605.602979] Tainted: [B]=BAD_PAGE
[ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210
[ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89
[ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213
[ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000
[ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be
[ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c
[ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000
[ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84
[ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000
[ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0
[ 605.603373] Call Trace:
[ 605.603392] <TASK>
[ 605.603410] __dev_queue_xmit+0x448/0x32a0
[ 605.603434] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603461] ? __pfx_vprintk_emit+0x10/0x10
[ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10
[ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603546] ? _printk+0xcb/0x100
[ 605.603566] ? __pfx__printk+0x10/0x10
[ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603627] ? add_taint+0x5e/0x70
[ 605.603648] ? add_taint+0x2a/0x70
[ 605.603670] ? end_report.cold+0x51/0x75
[ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]
[ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 172dcb67dd35b162357df229d7806acc724cd469
(git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 2889d92c5f728351c9930c7996d22fe6e906e785 (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d (git) Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < e9acda52fd2ee0cdca332f996da7a95c5fd25294 (git) |
|
| Linux | Linux |
Affected:
5.15
Unaffected: 0 , < 5.15 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.90 , ≤ 6.12.* (semver) Unaffected: 6.18.9 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "172dcb67dd35b162357df229d7806acc724cd469",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "2889d92c5f728351c9930c7996d22fe6e906e785",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
},
{
"lessThan": "e9acda52fd2ee0cdca332f996da7a95c5fd25294",
"status": "affected",
"version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/bonding/bond_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.90",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix use-after-free due to enslave fail after slave array update\n\nFix a use-after-free which happens due to enslave failure after the new\nslave has been added to the array. Since the new slave can be used for Tx\nimmediately, we can use it after it has been freed by the enslave error\ncleanup path which frees the allocated slave memory. Slave update array is\nsupposed to be called last when further enslave failures are not expected.\nMove it after xdp setup to avoid any problems.\n\nIt is very easy to reproduce the problem with a simple xdp_pass prog:\n ip l add bond1 type bond mode balance-xor\n ip l set bond1 up\n ip l set dev bond1 xdp object xdp_pass.o sec xdp_pass\n ip l add dumdum type dummy\n\nThen run in parallel:\n while :; do ip l set dumdum master bond1 1\u003e/dev/null 2\u003e\u00261; done;\n mausezahn bond1 -a own -b rand -A rand -B 1.1.1.1 -c 0 -t tcp \"dp=1-1023, flags=syn\"\n\nThe crash happens almost immediately:\n [ 605.602850] Oops: general protection fault, probably for non-canonical address 0xe0e6fc2460000137: 0000 [#1] SMP KASAN NOPTI\n [ 605.602916] KASAN: maybe wild-memory-access in range [0x07380123000009b8-0x07380123000009bf]\n [ 605.602946] CPU: 0 UID: 0 PID: 2445 Comm: mausezahn Kdump: loaded Tainted: G B 6.19.0-rc6+ #21 PREEMPT(voluntary)\n [ 605.602979] Tainted: [B]=BAD_PAGE\n [ 605.602998] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n [ 605.603032] RIP: 0010:netdev_core_pick_tx+0xcd/0x210\n [ 605.603063] Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 3e 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 6b 08 49 8d 7d 30 48 89 fa 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 25 01 00 00 49 8b 45 30 4c 89 e2 48 89 ee 48 89\n [ 605.603111] RSP: 0018:ffff88817b9af348 EFLAGS: 00010213\n [ 605.603145] RAX: dffffc0000000000 RBX: ffff88817d28b420 RCX: 0000000000000000\n [ 605.603172] RDX: 00e7002460000137 RSI: 0000000000000008 RDI: 07380123000009be\n [ 605.603199] RBP: ffff88817b541a00 R08: 0000000000000001 R09: fffffbfff3ed8c0c\n [ 605.603226] R10: ffffffff9f6c6067 R11: 0000000000000001 R12: 0000000000000000\n [ 605.603253] R13: 073801230000098e R14: ffff88817d28b448 R15: ffff88817b541a84\n [ 605.603286] FS: 00007f6570ef67c0(0000) GS:ffff888221dfa000(0000) knlGS:0000000000000000\n [ 605.603319] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 605.603343] CR2: 00007f65712fae40 CR3: 000000011371b000 CR4: 0000000000350ef0\n [ 605.603373] Call Trace:\n [ 605.603392] \u003cTASK\u003e\n [ 605.603410] __dev_queue_xmit+0x448/0x32a0\n [ 605.603434] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603461] ? __pfx_vprintk_emit+0x10/0x10\n [ 605.603484] ? __pfx___dev_queue_xmit+0x10/0x10\n [ 605.603507] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603546] ? _printk+0xcb/0x100\n [ 605.603566] ? __pfx__printk+0x10/0x10\n [ 605.603589] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603627] ? add_taint+0x5e/0x70\n [ 605.603648] ? add_taint+0x2a/0x70\n [ 605.603670] ? end_report.cold+0x51/0x75\n [ 605.603693] ? bond_start_xmit+0xbfb/0xc20 [bonding]\n [ 605.603731] bond_start_xmit+0x623/0xc20 [bonding]"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-17T15:21:17.241Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/172dcb67dd35b162357df229d7806acc724cd469"
},
{
"url": "https://git.kernel.org/stable/c/2889d92c5f728351c9930c7996d22fe6e906e785"
},
{
"url": "https://git.kernel.org/stable/c/bd25b092a06a3e05f7e8bd6da6fa7318777d8c3d"
},
{
"url": "https://git.kernel.org/stable/c/e9acda52fd2ee0cdca332f996da7a95c5fd25294"
}
],
"title": "bonding: fix use-after-free due to enslave fail after slave array update",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23171",
"datePublished": "2026-02-14T16:01:33.489Z",
"dateReserved": "2026-01-13T15:37:45.982Z",
"dateUpdated": "2026-05-17T15:21:17.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23191 (GCVE-0-2026-23191)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI
EPSS
Title
ALSA: aloop: Fix racy access at PCM trigger
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers the most of code in loopback_check_format() with
cable->lock spinlock, and add the proper NULL checks. This avoids
already some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Severity
7.8 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b1c73fc8e697eb73e23603e465e9af2711ed4183 , < bad15420050db1803767e58756114800cce91ea4
(git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 5727ccf9d19ca414cb76d9b647883822e2789c2e (git) Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 826af7fa62e347464b1b4e0ba2fe19a92438084f (git) |
|
| Linux | Linux |
Affected:
2.6.37
Unaffected: 0 , < 2.6.37 (semver) Unaffected: 6.12.70 , ≤ 6.12.* (semver) Unaffected: 6.18.10 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bad15420050db1803767e58756114800cce91ea4",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
},
{
"lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f",
"status": "affected",
"version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/drivers/aloop.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.37"
},
{
"lessThan": "2.6.37",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n cable-\u003elock spinlock, and add the proper NULL checks. This avoids\n already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n that may be stopped in this function, which was the major pain point\n leading to UAF."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:05.240Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
},
{
"url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
},
{
"url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
}
],
"title": "ALSA: aloop: Fix racy access at PCM trigger",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23191",
"datePublished": "2026-02-14T16:27:18.882Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-05-11T22:02:05.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23193 (GCVE-0-2026-23193)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI
EPSS
Title
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
In iscsit_dec_session_usage_count(), the function calls complete() while
holding the sess->session_usage_lock. Similar to the connection usage count
logic, the waiter signaled by complete() (e.g., in the session release
path) may wake up and free the iscsit_session structure immediately.
This creates a race condition where the current thread may attempt to
execute spin_unlock_bh() on a session structure that has already been
deallocated, resulting in a KASAN slab-use-after-free.
To resolve this, release the session_usage_lock before calling complete()
to ensure all dereferences of the sess pointer are finished before the
waiter is allowed to proceed with deallocation.
Severity
8.8 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/2b64015550a13bcc7… | |
| https://git.kernel.org/stable/c/fd8b0900173307039… | |
| https://git.kernel.org/stable/c/d8dbdc146e9e9a976… | |
| https://git.kernel.org/stable/c/11ebafffce31efc6a… | |
| https://git.kernel.org/stable/c/41b86a9ec037bd343… | |
| https://git.kernel.org/stable/c/4530f4e4d0e6a2071… | |
| https://git.kernel.org/stable/c/84dc6037390b8607c… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
e48354ce078c079996f89d715dfa44814b4eba01 , < 2b64015550a13bcc72910be0565548d9a754d46d
(git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < fd8b0900173307039d3a84644c2fee041a7ed4fb (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < d8dbdc146e9e9a976931b78715be2e91299049f9 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 11ebafffce31efc6abeb28c509017976fc49f1ca (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 41b86a9ec037bd3435d68dd3692f0891a207e7e7 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 4530f4e4d0e6a207110b0ffed0c911bca43531a4 (git) Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 84dc6037390b8607c5551047d3970336cb51ba9a (git) |
|
| Linux | Linux |
Affected:
3.1
Unaffected: 0 , < 3.1 (semver) Unaffected: 5.10.250 , ≤ 5.10.* (semver) Unaffected: 5.15.200 , ≤ 5.15.* (semver) Unaffected: 6.1.163 , ≤ 6.1.* (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.70 , ≤ 6.12.* (semver) Unaffected: 6.18.10 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2b64015550a13bcc72910be0565548d9a754d46d",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "fd8b0900173307039d3a84644c2fee041a7ed4fb",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "d8dbdc146e9e9a976931b78715be2e91299049f9",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "11ebafffce31efc6abeb28c509017976fc49f1ca",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "41b86a9ec037bd3435d68dd3692f0891a207e7e7",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "4530f4e4d0e6a207110b0ffed0c911bca43531a4",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
},
{
"lessThan": "84dc6037390b8607c5551047d3970336cb51ba9a",
"status": "affected",
"version": "e48354ce078c079996f89d715dfa44814b4eba01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/target/iscsi/iscsi_target_util.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()\n\nIn iscsit_dec_session_usage_count(), the function calls complete() while\nholding the sess-\u003esession_usage_lock. Similar to the connection usage count\nlogic, the waiter signaled by complete() (e.g., in the session release\npath) may wake up and free the iscsit_session structure immediately.\n\nThis creates a race condition where the current thread may attempt to\nexecute spin_unlock_bh() on a session structure that has already been\ndeallocated, resulting in a KASAN slab-use-after-free.\n\nTo resolve this, release the session_usage_lock before calling complete()\nto ensure all dereferences of the sess pointer are finished before the\nwaiter is allowed to proceed with deallocation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:07.544Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2b64015550a13bcc72910be0565548d9a754d46d"
},
{
"url": "https://git.kernel.org/stable/c/fd8b0900173307039d3a84644c2fee041a7ed4fb"
},
{
"url": "https://git.kernel.org/stable/c/d8dbdc146e9e9a976931b78715be2e91299049f9"
},
{
"url": "https://git.kernel.org/stable/c/11ebafffce31efc6abeb28c509017976fc49f1ca"
},
{
"url": "https://git.kernel.org/stable/c/41b86a9ec037bd3435d68dd3692f0891a207e7e7"
},
{
"url": "https://git.kernel.org/stable/c/4530f4e4d0e6a207110b0ffed0c911bca43531a4"
},
{
"url": "https://git.kernel.org/stable/c/84dc6037390b8607c5551047d3970336cb51ba9a"
}
],
"title": "scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23193",
"datePublished": "2026-02-14T16:27:20.251Z",
"dateReserved": "2026-01-13T15:37:45.985Z",
"dateUpdated": "2026-05-11T22:02:07.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23204 (GCVE-0-2026-23204)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI
EPSS
Title
net/sched: cls_u32: use skb_header_pointer_careful()
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: cls_u32: use skb_header_pointer_careful()
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Severity
7.1 (High)
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cfa745830e45ecb75c061aa34330ee0cac941cc7
(git)
Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 13336a6239b9d7c6e61483017bb8bdfe3ceb10a5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < e41a23e61259f5526af875c3b86b3d42a9bae0e5 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < 8a672f177ebe19c93d795fbe967846084fbc7943 (git) Affected: fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d , < cabd1a976375780dabab888784e356f574bbaed8 (git) |
|
| Linux | Linux |
Affected:
2.6.35
Unaffected: 0 , < 2.6.35 (semver) Unaffected: 6.1.167 , ≤ 6.1.* (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.70 , ≤ 6.12.* (semver) Unaffected: 6.18.10 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cfa745830e45ecb75c061aa34330ee0cac941cc7",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "13336a6239b9d7c6e61483017bb8bdfe3ceb10a5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "e41a23e61259f5526af875c3b86b3d42a9bae0e5",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "8a672f177ebe19c93d795fbe967846084fbc7943",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
},
{
"lessThan": "cabd1a976375780dabab888784e356f574bbaed8",
"status": "affected",
"version": "fbc2e7d9cf49e0bf89b9e91fd60a06851a855c5d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/cls_u32.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_u32: use skb_header_pointer_careful()\n\nskb_header_pointer() does not fully validate negative @offset values.\n\nUse skb_header_pointer_careful() instead.\n\nGangMin Kim provided a report and a repro fooling u32_classify():\n\nBUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0\nnet/sched/cls_u32.c:221"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:20.203Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cfa745830e45ecb75c061aa34330ee0cac941cc7"
},
{
"url": "https://git.kernel.org/stable/c/13336a6239b9d7c6e61483017bb8bdfe3ceb10a5"
},
{
"url": "https://git.kernel.org/stable/c/e41a23e61259f5526af875c3b86b3d42a9bae0e5"
},
{
"url": "https://git.kernel.org/stable/c/8a672f177ebe19c93d795fbe967846084fbc7943"
},
{
"url": "https://git.kernel.org/stable/c/cabd1a976375780dabab888784e356f574bbaed8"
}
],
"title": "net/sched: cls_u32: use skb_header_pointer_careful()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23204",
"datePublished": "2026-02-14T16:27:27.708Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-11T22:02:20.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23209 (GCVE-0-2026-23209)
Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-05-11 22:02
VLAI
EPSS
Title
macvlan: fix error recovery in macvlan_common_newlink()
Summary
In the Linux kernel, the following vulnerability has been resolved:
macvlan: fix error recovery in macvlan_common_newlink()
valis provided a nice repro to crash the kernel:
ip link add p1 type veth peer p2
ip link set address 00:00:00:00:00:20 dev p1
ip link set up dev p1
ip link set up dev p2
ip link add mv0 link p2 type macvlan mode source
ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20
ping -c1 -I p1 1.2.3.4
He also gave a very detailed analysis:
<quote valis>
The issue is triggered when a new macvlan link is created with
MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or
MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan
port and register_netdevice() called from macvlan_common_newlink()
fails (e.g. because of the invalid link name).
In this case macvlan_hash_add_source is called from
macvlan_change_sources() / macvlan_common_newlink():
This adds a reference to vlan to the port's vlan_source_hash using
macvlan_source_entry.
vlan is a pointer to the priv data of the link that is being created.
When register_netdevice() fails, the error is returned from
macvlan_newlink() to rtnl_newlink_create():
if (ops->newlink)
err = ops->newlink(dev, ¶ms, extack);
else
err = register_netdevice(dev);
if (err < 0) {
free_netdev(dev);
goto out;
}
and free_netdev() is called, causing a kvfree() on the struct
net_device that is still referenced in the source entry attached to
the lower device's macvlan port.
Now all packets sent on the macvlan port with a matching source mac
address will trigger a use-after-free in macvlan_forward_source().
</quote valis>
With all that, my fix is to make sure we call macvlan_flush_sources()
regardless of @create value whenever "goto destroy_macvlan_port;"
path is taken.
Many thanks to valis for following up on this issue.
Severity
7.8 (High)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/da5c6b8ae47e414be… | |
| https://git.kernel.org/stable/c/5dae6b36a7cb7a4fc… | |
| https://git.kernel.org/stable/c/c43d0e787cbba569e… | |
| https://git.kernel.org/stable/c/11ba9f0dc86513617… | |
| https://git.kernel.org/stable/c/986967a1621427100… | |
| https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7… | |
| https://git.kernel.org/stable/c/f8db6475a83649689… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
aa5fd0fb77486b8a6764ead8627baa14790e4280 , < da5c6b8ae47e414be47e5e04def15b25d5c962dc
(git)
Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < c43d0e787cbba569ec9d11579ed370b50fab6c9c (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 11ba9f0dc865136174cb98834280fb21bbc950c7 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < 986967a162142710076782d5b93daab93a892980 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66 (git) Affected: aa5fd0fb77486b8a6764ead8627baa14790e4280 , < f8db6475a83649689c087a8f52486fcc53e627e9 (git) |
|
| Linux | Linux |
Affected:
4.9
Unaffected: 0 , < 4.9 (semver) Unaffected: 5.10.250 , ≤ 5.10.* (semver) Unaffected: 5.15.200 , ≤ 5.15.* (semver) Unaffected: 6.1.163 , ≤ 6.1.* (semver) Unaffected: 6.6.124 , ≤ 6.6.* (semver) Unaffected: 6.12.70 , ≤ 6.12.* (semver) Unaffected: 6.18.10 , ≤ 6.18.* (semver) Unaffected: 6.19 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "da5c6b8ae47e414be47e5e04def15b25d5c962dc",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "c43d0e787cbba569ec9d11579ed370b50fab6c9c",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "11ba9f0dc865136174cb98834280fb21bbc950c7",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "986967a162142710076782d5b93daab93a892980",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
},
{
"lessThan": "f8db6475a83649689c087a8f52486fcc53e627e9",
"status": "affected",
"version": "aa5fd0fb77486b8a6764ead8627baa14790e4280",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/macvlan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.9"
},
{
"lessThan": "4.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.250",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.200",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.124",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.70",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.250",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.200",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.163",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.124",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.70",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.10",
"versionStartIncluding": "4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19",
"versionStartIncluding": "4.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmacvlan: fix error recovery in macvlan_common_newlink()\n\nvalis provided a nice repro to crash the kernel:\n\nip link add p1 type veth peer p2\nip link set address 00:00:00:00:00:20 dev p1\nip link set up dev p1\nip link set up dev p2\n\nip link add mv0 link p2 type macvlan mode source\nip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20\n\nping -c1 -I p1 1.2.3.4\n\nHe also gave a very detailed analysis:\n\n\u003cquote valis\u003e\n\nThe issue is triggered when a new macvlan link is created with\nMACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or\nMACVLAN_MACADDR_SET) parameter, lower device already has a macvlan\nport and register_netdevice() called from macvlan_common_newlink()\nfails (e.g. because of the invalid link name).\n\nIn this case macvlan_hash_add_source is called from\nmacvlan_change_sources() / macvlan_common_newlink():\n\nThis adds a reference to vlan to the port\u0027s vlan_source_hash using\nmacvlan_source_entry.\n\nvlan is a pointer to the priv data of the link that is being created.\n\nWhen register_netdevice() fails, the error is returned from\nmacvlan_newlink() to rtnl_newlink_create():\n\n if (ops-\u003enewlink)\n err = ops-\u003enewlink(dev, \u0026params, extack);\n else\n err = register_netdevice(dev);\n if (err \u003c 0) {\n free_netdev(dev);\n goto out;\n }\n\nand free_netdev() is called, causing a kvfree() on the struct\nnet_device that is still referenced in the source entry attached to\nthe lower device\u0027s macvlan port.\n\nNow all packets sent on the macvlan port with a matching source mac\naddress will trigger a use-after-free in macvlan_forward_source().\n\n\u003c/quote valis\u003e\n\nWith all that, my fix is to make sure we call macvlan_flush_sources()\nregardless of @create value whenever \"goto destroy_macvlan_port;\"\npath is taken.\n\nMany thanks to valis for following up on this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:02:25.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/da5c6b8ae47e414be47e5e04def15b25d5c962dc"
},
{
"url": "https://git.kernel.org/stable/c/5dae6b36a7cb7a4fcf4121b95e9ca7f96f816c8a"
},
{
"url": "https://git.kernel.org/stable/c/c43d0e787cbba569ec9d11579ed370b50fab6c9c"
},
{
"url": "https://git.kernel.org/stable/c/11ba9f0dc865136174cb98834280fb21bbc950c7"
},
{
"url": "https://git.kernel.org/stable/c/986967a162142710076782d5b93daab93a892980"
},
{
"url": "https://git.kernel.org/stable/c/cdedcd5aa3f3cb8b7ae0f87ab3a936d0bd583d66"
},
{
"url": "https://git.kernel.org/stable/c/f8db6475a83649689c087a8f52486fcc53e627e9"
}
],
"title": "macvlan: fix error recovery in macvlan_common_newlink()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23209",
"datePublished": "2026-02-14T16:27:31.175Z",
"dateReserved": "2026-01-13T15:37:45.986Z",
"dateUpdated": "2026-05-11T22:02:25.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…