Vulnerability-Lookup

RHSA-2026:14869

Vulnerability from csaf_redhat - Published: 2026-05-07 17:26 - Updated: 2026-05-07 21:42

Summary

Red Hat Security Advisory: kernel-rt security update

Severity

Important

Notes

Topic: An update for kernel-rt is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): * kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885) * kernel: sctp: avoid NULL dereference when chunk data buffer is missing (CVE-2025-40240) * kernel: ALSA: aloop: Fix racy access at PCM trigger (CVE-2026-23191) * kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2018-16885

A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing invalid memory address.

7.1 (High)


                        
                          CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-125 - Out-of-bounds Read

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. https://access.redhat.com/errata/RHSA-2026:14869

CVE-2025-40240

In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 - NULL Pointer Dereference

Workaround To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.

CVE-2026-23191

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix racy access at PCM trigger The PCM trigger callback of aloop driver tries to check the PCM state and stop the stream of the tied substream in the corresponding cable. Since both check and stop operations are performed outside the cable lock, this may result in UAF when a program attempts to trigger frequently while opening/closing the tied stream, as spotted by fuzzers. For addressing the UAF, this patch changes two things: - It covers the most of code in loopback_check_format() with cable->lock spinlock, and add the proper NULL checks. This avoids already some racy accesses. - In addition, now we try to check the state of the capture PCM stream that may be stopped in this function, which was the major pain point leading to UAF.

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVE-2026-31402

A flaw was found in the Linux kernel's NFSv4.0 server (nfsd). A remote, unauthenticated attacker can exploit this heap overflow vulnerability in the NFSv4.0 LOCK replay cache. By using two cooperating NFSv4.0 clients, where one sets a lock with a large owner string and another requests a conflicting lock, the attacker can trigger a slab-out-of-bounds write. This corruption of adjacent heap memory could lead to arbitrary code execution or a denial of service.

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787 - Out-of-bounds Write

Workaround Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:14869	self
	https://access.redhat.com/security/updates/classi…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1661503	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2418832	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2439947	external
	https://bugzilla.redhat.com/show_bug.cgi?id=2454844	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2018-16885	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1661503	external
	https://www.cve.org/CVERecord?id=CVE-2018-16885	external
	https://nvd.nist.gov/vuln/detail/CVE-2018-16885	external
	https://access.redhat.com/security/cve/CVE-2025-40240	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2418832	external
	https://www.cve.org/CVERecord?id=CVE-2025-40240	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-40240	external
	https://lore.kernel.org/linux-cve-announce/202512…	external
	https://access.redhat.com/security/cve/CVE-2026-23191	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2439947	external
	https://www.cve.org/CVERecord?id=CVE-2026-23191	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-23191	external
	https://lore.kernel.org/linux-cve-announce/202602…	external
	https://access.redhat.com/security/cve/CVE-2026-31402	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2454844	external
	https://www.cve.org/CVERecord?id=CVE-2026-31402	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-31402	external
	https://lore.kernel.org/linux-cve-announce/202604…	external

Acknowledgments

Red Hat Paolo Abeni

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for kernel-rt is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* kernel: out-of-bound read in memcpy_fromiovecend() (CVE-2018-16885)\n\n* kernel: sctp: avoid NULL dereference when chunk data buffer is missing (CVE-2025-40240)\n\n* kernel: ALSA: aloop: Fix racy access at PCM trigger (CVE-2026-23191)\n\n* kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:14869",
        "url": "https://access.redhat.com/errata/RHSA-2026:14869"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1661503",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1661503"
      },
      {
        "category": "external",
        "summary": "2418832",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418832"
      },
      {
        "category": "external",
        "summary": "2439947",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439947"
      },
      {
        "category": "external",
        "summary": "2454844",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454844"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_14869.json"
      }
    ],
    "title": "Red Hat Security Advisory: kernel-rt security update",
    "tracking": {
      "current_release_date": "2026-05-07T21:42:30+00:00",
      "generator": {
        "date": "2026-05-07T21:42:30+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.9"
        }
      },
      "id": "RHSA-2026:14869",
      "initial_release_date": "2026-05-07T17:26:50+00:00",
      "revision_history": [
        {
          "date": "2026-05-07T17:26:50+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-07T17:26:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-07T21:42:30+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
                "product": {
                  "name": "Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
                  "product_id": "7Server-RT-ELS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_extras_rt_els:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
                "product": {
                  "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
                  "product_id": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt@3.10.0-1160.149.1.rt56.1301.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-debug@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-debug-devel@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-devel@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-trace@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-trace-devel@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-debug-debuginfo@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-debuginfo@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-debuginfo-common-x86_64@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                "product": {
                  "name": "kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_id": "kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-trace-debuginfo@3.10.0-1160.149.1.rt56.1301.el7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
                "product": {
                  "name": "kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
                  "product_id": "kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt-doc@3.10.0-1160.149.1.rt56.1301.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src"
        },
        "product_reference": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch"
        },
        "product_reference": "kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64 as a component of Red Hat Enterprise Linux for Real Time (v. 7 ELS)",
          "product_id": "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        },
        "product_reference": "kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
        "relates_to_product_reference": "7Server-RT-ELS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Paolo Abeni"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2018-16885",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2018-08-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1661503"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing invalid memory address.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kernel: out-of-bound read in memcpy_fromiovecend()",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important flaw in the Linux kernel that allows a local unprivileged user to trigger an out-of-bounds read. Successful exploitation could lead to a system halt, or potentially disclose kernel memory to userspace, but the high attack complexity makes it difficult to reliably achieve. Exploit code for this vulnerability is available.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
          "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-16885"
        },
        {
          "category": "external",
          "summary": "RHBZ#1661503",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1661503"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-16885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-16885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-16885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16885"
        }
      ],
      "release_date": "2018-12-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-07T17:26:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe system must be rebooted for this update to take effect.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14869"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "kernel: out-of-bound read in memcpy_fromiovecend()"
    },
    {
      "cve": "CVE-2025-40240",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "discovery_date": "2025-12-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2418832"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kernel: sctp: avoid NULL dereference when chunk data buffer is missing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A missing data buffer (frag_list) in SCTP chunk processing could trigger a NULL pointer dereference when handling GSO packets.\nA remote attacker sending a malformed SCTP packet could cause a kernel crash (DoS).\nThe system is vulnerable only if CONFIG_IP_SCTP enabled in Kernel configuration (and for the Red Hat Enterprise Linux it is always disabled in older versions and enabled as module in latest versions only). However even if module exists in Red Hat Enterprise Linux, still admin need to specially enable it usage (make some SCTP listening port available) before exploitation would be possible.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
          "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-40240"
        },
        {
          "category": "external",
          "summary": "RHBZ#2418832",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418832"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-40240",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-40240"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-40240",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40240"
        },
        {
          "category": "external",
          "summary": "https://lore.kernel.org/linux-cve-announce/2025120403-CVE-2025-40240-745a@gregkh/T",
          "url": "https://lore.kernel.org/linux-cve-announce/2025120403-CVE-2025-40240-745a@gregkh/T"
        }
      ],
      "release_date": "2025-12-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-07T17:26:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe system must be rebooted for this update to take effect.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14869"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, prevent module sctp from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kernel: sctp: avoid NULL dereference when chunk data buffer is missing"
    },
    {
      "cve": "CVE-2026-23191",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2026-02-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2439947"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n  cable-\u003elock spinlock, and add the proper NULL checks.  This avoids\n  already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n  that may be stopped in this function, which was the major pain point\n  leading to UAF.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kernel: ALSA: aloop: Fix racy access at PCM trigger",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
          "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-23191"
        },
        {
          "category": "external",
          "summary": "RHBZ#2439947",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439947"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-23191",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-23191",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23191"
        },
        {
          "category": "external",
          "summary": "https://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23191-f990@gregkh/T",
          "url": "https://lore.kernel.org/linux-cve-announce/2026021433-CVE-2026-23191-f990@gregkh/T"
        }
      ],
      "release_date": "2026-02-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-07T17:26:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe system must be rebooted for this update to take effect.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14869"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "kernel: ALSA: aloop: Fix racy access at PCM trigger"
    },
    {
      "cve": "CVE-2026-31402",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2026-04-03T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2454844"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Linux kernel\u0027s NFSv4.0 server (nfsd). A remote, unauthenticated attacker can exploit this heap overflow vulnerability in the NFSv4.0 LOCK replay cache. By using two cooperating NFSv4.0 clients, where one sets a lock with a large owner string and another requests a conflicting lock, the attacker can trigger a slab-out-of-bounds write. This corruption of adjacent heap memory could lead to arbitrary code execution or a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This Important flaw in the Linux kernel\u0027s NFSv4.0 server (nfsd) allows a heap overflow. In this flaw a local attacker can trigger this by orchestrating two NFSv4.0 clients to create a conflicting lock with an oversized owner string.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
          "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
          "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
          "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-31402"
        },
        {
          "category": "external",
          "summary": "RHBZ#2454844",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454844"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-31402",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-31402",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31402"
        },
        {
          "category": "external",
          "summary": "https://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31402-3e6a@gregkh/T",
          "url": "https://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31402-3e6a@gregkh/T"
        }
      ],
      "release_date": "2026-04-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-07T17:26:50+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nThe system must be rebooted for this update to take effect.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:14869"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.src",
            "7Server-RT-ELS:kernel-rt-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debug-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-debuginfo-common-x86_64-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-doc-0:3.10.0-1160.149.1.rt56.1301.el7.noarch",
            "7Server-RT-ELS:kernel-rt-trace-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-debuginfo-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64",
            "7Server-RT-ELS:kernel-rt-trace-devel-0:3.10.0-1160.149.1.rt56.1301.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache"
    }
  ]
}

CVE-2026-23191 (GCVE-0-2026-23191)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:27 – Updated: 2026-04-03 13:32

Title

ALSA: aloop: Fix racy access at PCM trigger

Summary

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bad15420050db1803…
	https://git.kernel.org/stable/c/5727ccf9d19ca414c…
	https://git.kernel.org/stable/c/826af7fa62e347464…

Impacted products

Vendor

Product

Version

Linux

Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < bad15420050db1803767e58756114800cce91ea4 (git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 5727ccf9d19ca414cb76d9b647883822e2789c2e (git)
Affected: b1c73fc8e697eb73e23603e465e9af2711ed4183 , < 826af7fa62e347464b1b4e0ba2fe19a92438084f (git)

Linux

Affected: 2.6.37
Unaffected: 0 , < 2.6.37 (semver)
Unaffected: 6.12.70 , ≤ 6.12.* (semver)
Unaffected: 6.18.10 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/drivers/aloop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bad15420050db1803767e58756114800cce91ea4",
              "status": "affected",
              "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
              "versionType": "git"
            },
            {
              "lessThan": "5727ccf9d19ca414cb76d9b647883822e2789c2e",
              "status": "affected",
              "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
              "versionType": "git"
            },
            {
              "lessThan": "826af7fa62e347464b1b4e0ba2fe19a92438084f",
              "status": "affected",
              "version": "b1c73fc8e697eb73e23603e465e9af2711ed4183",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/drivers/aloop.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.37"
            },
            {
              "lessThan": "2.6.37",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.70",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.70",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.10",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "2.6.37",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: aloop: Fix racy access at PCM trigger\n\nThe PCM trigger callback of aloop driver tries to check the PCM state\nand stop the stream of the tied substream in the corresponding cable.\nSince both check and stop operations are performed outside the cable\nlock, this may result in UAF when a program attempts to trigger\nfrequently while opening/closing the tied stream, as spotted by\nfuzzers.\n\nFor addressing the UAF, this patch changes two things:\n- It covers the most of code in loopback_check_format() with\n  cable-\u003elock spinlock, and add the proper NULL checks.  This avoids\n  already some racy accesses.\n- In addition, now we try to check the state of the capture PCM stream\n  that may be stopped in this function, which was the major pain point\n  leading to UAF."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T13:32:23.475Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bad15420050db1803767e58756114800cce91ea4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5727ccf9d19ca414cb76d9b647883822e2789c2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/826af7fa62e347464b1b4e0ba2fe19a92438084f"
        }
      ],
      "title": "ALSA: aloop: Fix racy access at PCM trigger",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23191",
    "datePublished": "2026-02-14T16:27:18.882Z",
    "dateReserved": "2026-01-13T15:37:45.985Z",
    "dateUpdated": "2026-04-03T13:32:23.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40240 (GCVE-0-2025-40240)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

sctp: avoid NULL dereference when chunk data buffer is missing

Summary

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/61cda2777b07d2745…
	https://git.kernel.org/stable/c/08165c29659707576…
	https://git.kernel.org/stable/c/03e80a4b04ef1fb2c…
	https://git.kernel.org/stable/c/4f6da435fb5d8a21c…
	https://git.kernel.org/stable/c/cb9055ba30306ede4…
	https://git.kernel.org/stable/c/7a832b0f99be19df6…
	https://git.kernel.org/stable/c/89b465b54227c245d…
	https://git.kernel.org/stable/c/441f0647f7673e0e6…

Impacted products

Vendor

Product

Version

Linux

Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/inqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "08165c296597075763130919f2aae59b5822f016",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/inqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:29.715Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
        },
        {
          "url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
        }
      ],
      "title": "sctp: avoid NULL dereference when chunk data buffer is missing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40240",
    "datePublished": "2025-12-04T15:31:29.715Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T15:31:29.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-31402 (GCVE-0-2026-31402)

Vulnerability from cvelistv5 – Published: 2026-04-03 15:16 – Updated: 2026-04-27 14:02

Title

nfsd: fix heap overflow in NFSv4.0 LOCK replay cache

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f9fcb4441f6c02bb2…
	https://git.kernel.org/stable/c/c9452c0797c95cf23…
	https://git.kernel.org/stable/c/8afb437ea1f70cacb…
	https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6e…
	https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad…
	https://git.kernel.org/stable/c/ae8498337dfdfda71…
	https://git.kernel.org/stable/c/5133b61aaf437e5f2…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f9fcb4441f6c02bb20c2eb340101e27dfe23607c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c9452c0797c95cf2378170df96cf4f4b3bca7eff (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8afb437ea1f70cacb4bbdf11771fb5c4d720b965 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f0e2a54a31a7f9ad2915db99156114872317388 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ae8498337dfdfda71bdd0b807c9a23a126011d76 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5133b61aaf437e5f25b1b396b14242a6bb0508e2 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 6.1.167 , ≤ 6.1.* (semver)
Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.78 , ≤ 6.12.* (semver)
Unaffected: 6.18.20 , ≤ 6.18.* (semver)
Unaffected: 6.19.10 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4xdr.c",
            "fs/nfsd/state.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f9fcb4441f6c02bb20c2eb340101e27dfe23607c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c9452c0797c95cf2378170df96cf4f4b3bca7eff",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8afb437ea1f70cacb4bbdf11771fb5c4d720b965",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0f0e2a54a31a7f9ad2915db99156114872317388",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ae8498337dfdfda71bdd0b807c9a23a126011d76",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5133b61aaf437e5f25b1b396b14242a6bb0508e2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4xdr.c",
            "fs/nfsd/state.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.10",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix heap overflow in NFSv4.0 LOCK replay cache\n\nThe NFSv4.0 replay cache uses a fixed 112-byte inline buffer\n(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.\nThis size was calculated based on OPEN responses and does not account\nfor LOCK denied responses, which include the conflicting lock owner as\na variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).\n\nWhen a LOCK operation is denied due to a conflict with an existing lock\nthat has a large owner, nfsd4_encode_operation() copies the full encoded\nresponse into the undersized replay buffer via read_bytes_from_xdr_buf()\nwith no bounds check. This results in a slab-out-of-bounds write of up\nto 944 bytes past the end of the buffer, corrupting adjacent heap memory.\n\nThis can be triggered remotely by an unauthenticated attacker with two\ncooperating NFSv4.0 clients: one sets a lock with a large owner string,\nthen the other requests a conflicting lock to provoke the denial.\n\nWe could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full\nopaque, but that would increase the size of every stateowner, when most\nlockowners are not that large.\n\nInstead, fix this by checking the encoded response length against\nNFSD4_REPLAY_ISIZE before copying into the replay buffer. If the\nresponse is too large, set rp_buflen to 0 to skip caching the replay\npayload. The status is still cached, and the client already received the\ncorrect response on the original request."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T14:02:49.450Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f9fcb4441f6c02bb20c2eb340101e27dfe23607c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9452c0797c95cf2378170df96cf4f4b3bca7eff"
        },
        {
          "url": "https://git.kernel.org/stable/c/8afb437ea1f70cacb4bbdf11771fb5c4d720b965"
        },
        {
          "url": "https://git.kernel.org/stable/c/dad0c3c0a8e5d1d6eb0fc455694ce3e25e6c57d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f0e2a54a31a7f9ad2915db99156114872317388"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae8498337dfdfda71bdd0b807c9a23a126011d76"
        },
        {
          "url": "https://git.kernel.org/stable/c/5133b61aaf437e5f25b1b396b14242a6bb0508e2"
        }
      ],
      "title": "nfsd: fix heap overflow in NFSv4.0 LOCK replay cache",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31402",
    "datePublished": "2026-04-03T15:16:05.724Z",
    "dateReserved": "2026-03-09T15:48:24.086Z",
    "dateUpdated": "2026-04-27T14:02:49.450Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2018-16885 (GCVE-0-2018-16885)

Vulnerability from cvelistv5 – Published: 2019-01-03 16:00 – Updated: 2024-08-05 10:32

Summary

A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125

Assigner

redhat

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/106296	vdb-entryx_refsource_BID
	https://access.redhat.com/errata/RHSA-2019:2043	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:2029	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	The Linux Foundation	kernel	Affected: 3.10.x as shipped with Red Hat Enterprise Linux 7

Date Public ?

2019-01-03 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:32:54.243Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16885"
          },
          {
            "name": "106296",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/106296"
          },
          {
            "name": "RHSA-2019:2043",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2043"
          },
          {
            "name": "RHSA-2019:2029",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2029"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "The Linux Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "3.10.x as shipped with Red Hat Enterprise Linux 7"
            }
          ]
        }
      ],
      "datePublic": "2019-01-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-06T16:06:24.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16885"
        },
        {
          "name": "106296",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/106296"
        },
        {
          "name": "RHSA-2019:2043",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2043"
        },
        {
          "name": "RHSA-2019:2029",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2029"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-16885",
    "datePublished": "2019-01-03T16:00:00.000Z",
    "dateReserved": "2018-09-11T00:00:00.000Z",
    "dateUpdated": "2024-08-05T10:32:54.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:14869

CVE-2026-23191 (GCVE-0-2026-23191)

CVE-2025-40240 (GCVE-0-2025-40240)

CVE-2026-31402 (GCVE-0-2026-31402)

CVE-2018-16885 (GCVE-0-2018-16885)

Tags

Sightings

Nomenclature