apk package
chainguard/linux-qemu-rc
pkg:apk/chainguard/linux-qemu-rc
Vulnerabilities (118)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-43500 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 11, 2026 | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before |
| CVE-2026-31719 | High | 7.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: crypto: krb5enc - fix async decrypt skipping hash verification krb5enc_dispatch_decrypt() sets req->base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher comple |
| CVE-2026-31718 | Critical | 9.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger When a durable file handle survives session disconnect (TCP close without SMB2_LOGOFF), session_fd_check() sets fp->conn = NULL to preserve |
| CVE-2026-31717 | High | 8.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any aut |
| CVE-2026-31716 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate rec->used in journal-replay file record check check_file_record() validates rec->total against the record size but never validates rec->used. The do_action() journal-replay handlers read rec |
| CVE-2026-31715 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. The concurrent scenario that triggers the p |
| CVE-2026-31714 | Medium | 5.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid memory leak in f2fs_rename() syzbot reported a f2fs bug as below: BUG: memory leak unreferenced object 0xffff888127f70830 (size 16): comm "syz.0.23", pid 6144, jiffies 4294943712 hex dum |
| CVE-2026-31713 | Medium | 5.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason (error, crash) while processing FUSE_INIT, the filesystem creation will hang. The reason is that while a |
| CVE-2026-31712 | High | 8.3 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: require minimum ACE size in smb_check_perm_dacl() Both ACE-walk loops in smb_check_perm_dacl() only guard against an under-sized remaining buffer, not against an ACE whose declared `ace->size` is smaller |
| CVE-2026-31711 | High | 7.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: server: fix active_num_conn leak on transport allocation failure Commit 77ffbcac4e56 ("smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()") addressed the kthread_run() failure path. Th |
| CVE-2026-31709 | High | 8.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th |
| CVE-2026-31708 | High | 8.1 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL and the default QUERY_INFO path. The QUERY_INFO branch clamps qi.input_ |
| CVE-2026-31707 | High | 7.1 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate response sizes in ipc_validate_msg() ipc_validate_msg() computes the expected message size for each response type by adding (or multiplying) attacker-controlled fields from the daemon response t |
| CVE-2026-31706 | High | 8.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base |
| CVE-2026-31705 | Critical | 9.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the val |
| CVE-2026-31704 | Medium | 5.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated |
| CVE-2026-31703 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn() inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do? |
| CVE-2026-31702 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f |
| CVE-2026-31701 | Medium | 5.5 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card() The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback, |
| CVE-2026-31700 | High | 7.8 | | < 7.1_rc3-r0 | 7.1_rc3-r0 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel valid |