VYPR

apk package

chainguard/linux-aws-6.12

pkg:apk/chainguard/linux-aws-6.12

Vulnerabilities (282)

  • CVE-2026-31715 | High | May 1, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. The concurrent scenario that triggers the p

  • CVE-2026-31709 | High | May 1, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th

  • CVE-2026-31787 | High | Apr 30, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the

  • CVE-2026-31786 | High | Apr 30, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid

  • CVE-2026-31692 | Medium | Apr 30, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allo

  • CVE-2026-31688 | High | Apr 27, 2026
    affected < 6.12.85-r2, fixed 6.12.85-r2

    In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store an

  • CVE-2026-31647 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are ca

  • CVE-2026-31629 | High | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but

  • CVE-2026-31627 | High | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before

  • CVE-2026-31626 | High | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) v

  • CVE-2026-31625 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the

  • CVE-2026-31624 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size onl

  • CVE-2026-31623 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-

  • CVE-2026-31622 | High | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of casca

  • CVE-2026-31619 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status val

  • CVE-2026-31618 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the

  • CVE-2026-31617 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->nd

  • CVE-2026-31616 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unboun

  • CVE-2026-31615 | Medium | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of valida

  • CVE-2026-31607 | Critical | Apr 24, 2026
    affected < 6.12.85-r0, fixed 6.12.85-r0

    In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU.
