apk package

chainguard/linux-vmware-6.12

pkg:apk/chainguard/linux-vmware-6.12

Vulnerabilities (271)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-31787	Hig	7.8	< 6.12.85-r2	6.12.85-r2	Apr 30, 2026	In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the
CVE-2026-31786	Hig	7.8	< 6.12.85-r2	6.12.85-r2	Apr 30, 2026	In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid
CVE-2026-31692	Med	5.5	< 6.12.85-r2	6.12.85-r2	Apr 30, 2026	In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allo
CVE-2026-31688	Hig	7.8	< 6.12.85-r2	6.12.85-r2	Apr 27, 2026	In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store an
CVE-2026-31647	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are ca
CVE-2026-31629	Hig	8.8	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but
CVE-2026-31627	Hig	7.8	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before
CVE-2026-31626	Hig	7.1	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) v
CVE-2026-31625	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the
CVE-2026-31624	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size onl
CVE-2026-31623	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-
CVE-2026-31622	Hig	8.8	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of casca
CVE-2026-31619	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status val
CVE-2026-31618	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the
CVE-2026-31617	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->nd
CVE-2026-31616	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unboun
CVE-2026-31615	Med	5.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of valida
CVE-2026-31614	Hig	7.1	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) =
CVE-2026-31612	Hig	7.5	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of t
CVE-2026-31611	Hig	8.6	< 6.12.85-r0	6.12.85-r0	Apr 24, 2026	In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix

CVE-2026-31787HigApr 30, 2026
affected < 6.12.85-r2fixed 6.12.85-r2
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the
CVE-2026-31786HigApr 30, 2026
affected < 6.12.85-r2fixed 6.12.85-r2
In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid
CVE-2026-31692MedApr 30, 2026
affected < 6.12.85-r2fixed 6.12.85-r2
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allo
CVE-2026-31688HigApr 27, 2026
affected < 6.12.85-r2fixed 6.12.85-r2
In the Linux kernel, the following vulnerability has been resolved: driver core: enforce device_lock for driver_match_device() Currently, driver_match_device() is called from three sites. One site (__device_attach_driver) holds device_lock(dev), but the other two (bind_store an
CVE-2026-31647MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpf_vc_xn struct. The conversion is safe because complete/_all() are ca
CVE-2026-31629HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but
CVE-2026-31627HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before
CVE-2026-31626HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using uninitialized data. Smatch warns that only 6 bytes are copied to this 8-byte (u64) v
CVE-2026-31625MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: HID: alps: fix NULL pointer dereference in alps_raw_event() Commit ecfa6f34492c ("HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the
CVE-2026-31624MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size onl
CVE-2026-31623MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-
CVE-2026-31622HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of casca
CVE-2026-31619MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: ALSA: fireworks: bound device-supplied status before string array lookup The status field in an EFW response is a 32-bit value supplied by the firewire device. efr_status_names[] has 17 entries so a status val
CVE-2026-31618MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide by zero error"), we also need to prevent that same crash from happening in the
CVE-2026-31617MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->nd
CVE-2026-31616MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unboun
CVE-2026-31615MedApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of valida
CVE-2026-31614HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) =
CVE-2026-31612HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2_get_ea() smb2_get_ea() reads ea_req->EaNameLength from the client request and passes it directly to strncmp() as the comparison length without verifying that the length of t
CVE-2026-31611HigApr 24, 2026
affected < 6.12.85-r0fixed 6.12.85-r0
In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities before reading sub_auth[2] parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix

Page 2 of 14