linux package

kernel

pkg:linux/kernel

Vulnerabilities (1,755)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-23361	Hig	7.8	>= 4.19.0, < 6.12.77	6.12.77	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write trans
CVE-2026-23360	Med	5.5	< 6.12.77	6.12.77	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avo
CVE-2026-23359	Hig	7.8	>= 5.15.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of
CVE-2026-23358	Med	5.5	>= 6.16.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix error handling in slot reset If the device has not recovered after slot reset is called, it goes to out label for error handling. There it could make decision based on uninitialized hive pointer
CVE-2026-23357	Med	5.5	>= 2.6.34, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251x_open The mcp251x_open() function call free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler wi
CVE-2026-23356	Med	5.5	>= 3.10.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code pat
CVE-2026-23355	Med	5.5	< 6.18.18	6.18.18	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: ata: libata: cancel pending work after clearing deferred_qc Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc. ata_scsi
CVE-2026-23354	Hig	7.8	>= 6.9.0, < 6.12.77	6.12.77	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions.
CVE-2026-23353	Med	5.5	>= 6.19.0, < 6.19.7	6.19.7	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: ice: fix crash in ethtool offline loopback test Since the conversion of ice to page pool, the ethtool loopback test crashes: BUG: kernel NULL pointer dereference, address: 000000000000000c #PF: supervisor wr
CVE-2026-23352	Med	5.5	< 2.6.39.2	2.6.39.2	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late(). There are two issue with that: mem
CVE-2026-23351	Hig	7.8	>= 5.6.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long
CVE-2026-23350	Hig	7.8	>= 6.19.0, < 6.19.7	6.19.7	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id
CVE-2026-23349	Med	5.5	>= 6.18.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix condition effect bit clearing As reported by MPDarkGuy on discord, NULL pointer dereferences were happening because not all the conditional effects bits were cleared. Properly clear all conditi
CVE-2026-23348	Med	4.7	>= 5.14.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consist
CVE-2026-23347	Med	5.5	>= 6.5.0, < 6.6.130	6.6.130	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_ki
CVE-2026-23346	Med	5.5	>= 6.0.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from
CVE-2026-23345	Med	5.5	>= 6.13.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the shareability attribute with bits 50-51 of the output address. The _PAGE_GCS{,
CVE-2026-23344	Hig	7.8	>= 6.19.0, < 6.19.7	6.19.7	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en and
CVE-2026-23343	Hig	7.8	>= 5.18.0, < 6.1.167	6.1.167	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_in
CVE-2026-23342	Med	4.7	>= 6.18.0, < 6.18.17	6.18.17	Mar 25, 2026	In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in cpumap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() a

CVE-2026-23361HigMar 25, 2026
affected >= 4.19.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write trans
CVE-2026-23360MedMar 25, 2026
affected < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avo
CVE-2026-23359HigMar 25, 2026
affected >= 5.15.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of
CVE-2026-23358MedMar 25, 2026
affected >= 6.16.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix error handling in slot reset If the device has not recovered after slot reset is called, it goes to out label for error handling. There it could make decision based on uninitialized hive pointer
CVE-2026-23357MedMar 25, 2026
affected >= 2.6.34, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251x_open The mcp251x_open() function call free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler wi
CVE-2026-23356MedMar 25, 2026
affected >= 3.10.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() Even though we check that we "should" be able to do lc_get_cumulative() while holding the device->al_lock spinlock, it may still fail, if some other code pat
CVE-2026-23355MedMar 25, 2026
affected < 6.18.18fixed 6.18.18
In the Linux kernel, the following vulnerability has been resolved: ata: libata: cancel pending work after clearing deferred_qc Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc. ata_scsi
CVE-2026-23354HigMar 25, 2026
affected >= 6.9.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions.
CVE-2026-23353MedMar 25, 2026
affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: ice: fix crash in ethtool offline loopback test Since the conversion of ice to page pool, the ethtool loopback test crashes: BUG: kernel NULL pointer dereference, address: 000000000000000c #PF: supervisor wr
CVE-2026-23352MedMar 25, 2026
affected < 2.6.39.2fixed 2.6.39.2
In the Linux kernel, the following vulnerability has been resolved: x86/efi: defer freeing of boot services memory efi_free_boot_services() frees memory occupied by EFI_BOOT_SERVICES_CODE and EFI_BOOT_SERVICES_DATA using memblock_free_late(). There are two issue with that: mem
CVE-2026-23351HigMar 25, 2026
affected >= 5.6.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long
CVE-2026-23350HigMar 25, 2026
affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id
CVE-2026-23349MedMar 25, 2026
affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix condition effect bit clearing As reported by MPDarkGuy on discord, NULL pointer dereferences were happening because not all the conditional effects bits were cleared. Properly clear all conditi
CVE-2026-23348MedMar 25, 2026
affected >= 5.14.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consist
CVE-2026-23347MedMar 25, 2026
affected >= 6.5.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_ki
CVE-2026-23346MedMar 25, 2026
affected >= 6.0.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from
CVE-2026-23345MedMar 25, 2026
affected >= 6.13.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled When FEAT_LPA2 is enabled, bits 8-9 of the PTE replace the shareability attribute with bits 50-51 of the output address. The _PAGE_GCS{,
CVE-2026-23344HigMar 25, 2026
affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en and
CVE-2026-23343HigMar 25, 2026
affected >= 5.18.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_in
CVE-2026-23342MedMar 25, 2026
affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in cpumap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() a

Page 3 of 88