VYPR

apk package

chainguard/linux-qemu-6.18-bootc-boot-installed

pkg:apk/chainguard/linux-qemu-6.18-bootc-boot-installed

Vulnerabilities (85)

  • CVE-2026-43101HigMay 6, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian. Also add skb_dst_dev_rcu() instead of skb_dst_dev

  • CVE-2026-43100MedMay 6, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: bridge: guard local VLAN-0 FDB helpers against NULL vlan group When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and nbp_vlan_group() return NULL (br_private.h stub definitions). The BR_BOOLOPT_FDB_

  • CVE-2026-43099HigMay 6, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer

  • CVE-2026-43098MedMay 6, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: nfc: s3fwrn5: allocate rx skb before consuming bytes s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complet

  • CVE-2026-31706HigMay 1, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base

  • CVE-2026-31673HigApr 25, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops

  • CVE-2026-31629HigApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but

  • CVE-2026-31627HigApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before

  • CVE-2026-31626HigApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) v

  • CVE-2026-31625MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the

  • CVE-2026-31624MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size onl

  • CVE-2026-31623MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-

  • CVE-2026-31622HigApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of casca

  • CVE-2026-31620MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0 A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configur

  • CVE-2026-31619MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status val

  • CVE-2026-31618MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the

  • CVE-2026-31617MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->nd

  • CVE-2026-31616MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unboun

  • CVE-2026-31615MedApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of valida

  • CVE-2026-31614HigApr 24, 2026
    affected < 6.18.31-r0fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) =

Page 2 of 5