VYPR

apk package

chainguard/linux-vmware-6.18

pkg:apk/chainguard/linux-vmware-6.18

Vulnerabilities (204)

  • CVE-2026-31706 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()

    smb_inherit_dacl() trusts the on-disk num_aces value from the parent directory's DACL xattr and uses it to size a heap allocation: aces_base

  • CVE-2026-31705 | Critical | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment

    smb2_get_ea() applies 4-byte alignment padding via memset() after writing each EA entry. The bounds check on buf_free_len is performed before the val

  • CVE-2026-31704 | Medium | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ksmbd: use check_add_overflow() to prevent u16 DACL size overflow

    set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes in u16 variables. When a file has many POSIX ACL entries, the accumulated

  • CVE-2026-31703 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inode_switch_wbs_work_fn()

    inode_switch_wbs_work_fn() has a loop like: wb_get(new_wb); while (1) { list = llist_del_all(&new_wb->switch_wbs_ctxs); /* Nothing to do?

  • CVE-2026-31702 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

    In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f

  • CVE-2026-31701 | Medium | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in create_card()

    The caiaq driver stores a pointer to the parent USB device in cdev->chip.dev but never takes a reference on it. The card's private_free callback,

  • CVE-2026-31700 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()

    In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points directly into the mmap'd TX ring buffer shared with userspace. The kernel valid

  • CVE-2026-31699 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed

    When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an i

  • CVE-2026-31698 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed

    When retrieving the PDH cert, don't attempt to copy the blobs to userspace if the firmware command failed. If the failure was due

  • CVE-2026-31697 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed

    When retrieving the ID for the CPU, don't attempt to copy the ID blob to userspace if the firmware command failed. If the failure was du

  • CVE-2026-31696 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

    In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <

  • CVE-2026-31694 | High | May 1, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: fuse: reject oversized dirents in page cache

    fuse_add_dirent_to_cache() computes a serialized dirent size from the server-controlled namelen field and copies the dirent into a single page-cache page. The existi

  • CVE-2026-31787 | High | Apr 30, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting

    privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the

  • CVE-2026-31786 | High | Apr 30, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c

    The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid

  • CVE-2026-31692 | Medium | Apr 30, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: rtnetlink: add missing netlink_ns_capable() check for peer netns

    rtnl_newlink() lacks a CAP_NET_ADMIN capability check on the peer network namespace when creating paired devices (veth, vxcan, netkit). This allo

  • CVE-2026-31686 | High | Apr 27, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: mm/kasan: fix double free for kasan pXds

    kasan_free_pxd() assumes the page table is always struct page aligned. But that's not always the case for all architectures. E.g. In case of powerpc with 64K pagesize

  • CVE-2026-31685 | Critical | Apr 25, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets

    `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The ex

  • CVE-2026-31684 | Medium | Apr 25, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers

    tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulat

  • CVE-2026-31681 | Medium | Apr 25, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_multiport: validate range encoding in checkentry

    ports_match_v1() treats any non-zero pflags entry as the start of a port range and unconditionally consumes the next ports[] element as the range e

  • CVE-2026-31677 | Medium | Apr 25, 2026
    affected < 6.18.31-r0 | fixed 6.18.31-r0

    In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - limit RX SG extraction by receive buffer budget

    Make af_alg_get_rsgl() limit each RX scatterlist extraction to the remaining receive buffer budget. af_alg_get_rsgl() currently uses af_alg_read
