linux package

kernel

pkg:linux/kernel

Vulnerabilities (1,755)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-23400	Med	5.5	>= 6.18.0, < 6.18.19	6.18.19	Mar 29, 2026	In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The remote process dies and sends a BR_DEAD_BINDER message. 2. The local process inv
CVE-2026-23399	Med	5.5	>= 5.11.0, < 6.12.78	6.12.78	Mar 28, 2026	In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place w
CVE-2026-23398	Med	5.5	>= 3.14.0, < 6.1.167	6.1.167	Mar 26, 2026	In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] arra
CVE-2026-23397	Hig	7.1	>= 2.6.31, < 6.1.167	6.1.167	Mar 26, 2026	In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length op
CVE-2026-23396	Med	5.5	>= 2.6.26, < 6.1.167	6.1.167	Mar 26, 2026	In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parse
CVE-2026-31788	Hig	8.2	>= 2.6.37, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the
CVE-2026-23395	Hig	8.8	>= 5.7.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_
CVE-2026-23394	Med	4.7	>= 6.10.0, < 6.19.10	6.19.10	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: af_unix: Give up GC if MSG_PEEK intervened. Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSG_PEEK with a nice repro. This is the exact same issue previously fixe
CVE-2026-23393	Hig	7.8	>= 5.11.0, < 6.12.78	6.12.78	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context und
CVE-2026-23392	Hig	7.8	>= 4.16.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already re
CVE-2026-23391	Hig	7.8	>= 3.4.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal.
CVE-2026-23390	Hig	7.8	>= 6.12.0, < 6.12.74	6.12.74	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creati
CVE-2026-23389	Med	5.5	>= 4.17.0, < 6.19.7	6.19.7	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_ring
CVE-2026-23388	Hig	7.1	>= 2.6.29, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negativ
CVE-2026-23387	Hig	7.8	< 6.6.130	6.6.130	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
CVE-2026-23386	Med	5.5	>= 6.6.0, < 6.6.130	6.6.130	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to
CVE-2026-23385	Med	5.5	>= 6.10.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:84
CVE-2026-23384	Med	5.5	>= 6.18.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq() struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below) __u8 udma_mask; // offset 8 - SET (resp.udma_mask
CVE-2026-23383	Hig	7.8	>= 6.0.0, < 6.12.77	6.12.77	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JI
CVE-2026-23382	Med	5.5	>= 2.6.35, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can

CVE-2026-23400MedMar 29, 2026
affected >= 6.18.0, < 6.18.19fixed 6.18.19
In the Linux kernel, the following vulnerability has been resolved: rust_binder: call set_notification_done() without proc lock Consider the following sequence of events on a death listener: 1. The remote process dies and sends a BR_DEAD_BINDER message. 2. The local process inv
CVE-2026-23399MedMar 28, 2026
affected >= 5.11.0, < 6.12.78fixed 6.12.78
In the Linux kernel, the following vulnerability has been resolved: nf_tables: nft_dynset: fix possible stateful expression memleak in error path If cloning the second stateful expression in the element via GFP_ATOMIC fails, then the first stateful expression remains in place w
CVE-2026-23398MedMar 26, 2026
affected >= 3.14.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: icmp: fix NULL pointer dereference in icmp_tag_validation() icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] arra
CVE-2026-23397HigMar 26, 2026
affected >= 2.6.31, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: nfnetlink_osf: validate individual option lengths in fingerprints nfnl_osf_add_callback() validates opt_num bounds and string NUL-termination but does not check individual option length fields. A zero-length op
CVE-2026-23396MedMar 26, 2026
affected >= 2.6.26, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL deref in mesh_matches_local() mesh_matches_local() unconditionally dereferences ie->mesh_config to compare mesh configuration parameters. When called from mesh_rx_csa_frame(), the parse
CVE-2026-31788HigMar 25, 2026
affected >= 2.6.37, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the
CVE-2026-23395HigMar 25, 2026
affected >= 5.7.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ Currently the code attempts to accept requests regardless of the command identifier which may cause multiple requests to be marked as pending (FLAG_
CVE-2026-23394MedMar 25, 2026
affected >= 6.10.0, < 6.19.10fixed 6.19.10
In the Linux kernel, the following vulnerability has been resolved: af_unix: Give up GC if MSG_PEEK intervened. Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSG_PEEK with a nice repro. This is the exact same issue previously fixe
CVE-2026-23393HigMar 25, 2026
affected >= 5.11.0, < 6.12.78fixed 6.12.78
In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context und
CVE-2026-23392HigMar 25, 2026
affected >= 4.16.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already re
CVE-2026-23391HigMar 25, 2026
affected >= 3.4.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal.
CVE-2026-23390HigMar 25, 2026
affected >= 6.12.0, < 6.12.74fixed 6.12.74
In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu creati
CVE-2026-23389MedMar 25, 2026
affected >= 4.17.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: ice: Fix memory leak in ice_set_ringparam() In ice_set_ringparam, tx_rings and xdp_rings are allocated before rx_rings. If the allocation of rx_rings fails, the code jumps to the done label leaking both tx_ring
CVE-2026-23388HigMar 25, 2026
affected >= 2.6.29, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negativ
CVE-2026-23387HigMar 25, 2026
affected < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
CVE-2026-23386MedMar 25, 2026
affected >= 6.6.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to
CVE-2026-23385MedMar 25, 2026
affected >= 6.10.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: clone set on flush only Syzbot with fault injection triggered a failing memory allocation with GFP_KERNEL which results in a WARN splat: iter.err WARNING: net/netfilter/nf_tables_api.c:84
CVE-2026-23384MedMar 25, 2026
affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq() struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below) __u8 udma_mask; // offset 8 - SET (resp.udma_mask
CVE-2026-23383HigMar 25, 2026
affected >= 6.0.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JI
CVE-2026-23382MedMar 25, 2026
affected >= 2.6.35, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them In commit 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), we handle the fact that raw event callbacks can

Page 1 of 88