linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23321 | Med | 5.5 | < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel. | |
| CVE-2026-23320 | — | >= 3.11.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||
| CVE-2026-23319 | Hig | 7.8 | >= 6.0.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may | |
| CVE-2026-23318 | Hig | 7.1 | >= 5.4.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have bee | |
| CVE-2026-23317 | Hig | 7.8 | < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that r | |
| CVE-2026-23316 | Med | 5.5 | >= 6.11.0, < 6.12.77 | 6.12.77 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix ARM64 alignment fault in multipath hash seed `struct sysctl_fib_multipath_hash_seed` contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment require | |
| CVE-2026-23315 | Hig | 7.1 | >= 5.10.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix | |
| CVE-2026-23314 | Med | 5.5 | >= 6.18.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio() In bq257xx_reg_dt_parse_gpio(), if fails to get subchild, it returns without calling of_node_put(child), causing the device node | |
| CVE-2026-23313 | Med | 5.5 | >= 6.2.0, < 6.12.77 | 6.12.77 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered soft | |
| CVE-2026-23312 | Med | 5.5 | >= 2.6.12, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious d | |
| CVE-2026-23311 | Med | 5.5 | >= 6.15.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix invalid wait context in ctx_sched_in() Lockdep found a bug in the event scheduling when a pinned event was failed and wakes up the threads in the ring buffer like below. It seems it should not g | |
| CVE-2026-23310 | Med | 5.5 | >= 5.15.0, < 6.6.130 | 6.6.130 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, b | |
| CVE-2026-23309 | Med | 5.5 | < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, t | |
| CVE-2026-23308 | Med | 5.5 | >= 6.4.0, < 6.6.130 | 6.6.130 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: equilibrium: fix warning trace on load The callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also called in the callback function 'eqbr_irq_mask_ack()'. This is done to avoid source code du | |
| CVE-2026-23307 | Med | 5.5 | >= 2.6.32, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_ | |
| CVE-2026-23306 | Hig | 7.8 | >= 5.18.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double | |
| CVE-2026-23305 | Hig | 7.1 | >= 6.18.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and i | |
| CVE-2026-23304 | Med | 5.5 | >= 4.14.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to lo | |
| CVE-2026-23303 | Med | 5.5 | >= 3.3.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log | |
| CVE-2026-23302 | Med | 4.7 | >= 4.20.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: annotate data-races around sk->sk_{data_ready,write_space} skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently. Add corresponding READ_ONCE()/WRITE_ |
- affected < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.
- CVE-2026-23320Mar 25, 2026affected >= 3.11.0, < 6.18.17fixed 6.18.17
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- affected >= 6.0.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but may
- affected >= 5.4.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have bee
- affected < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that r
- affected >= 6.11.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix ARM64 alignment fault in multipath hash seed `struct sysctl_fib_multipath_hash_seed` contains two u32 fields (user_seed and mp_seed), making it an 8-byte structure with a 4-byte alignment require
- affected >= 5.10.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix
- affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio() In bq257xx_reg_dt_parse_gpio(), if fails to get subchild, it returns without calling of_node_put(child), causing the device node
- affected >= 6.2.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered soft
- affected >= 2.6.12, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: validate USB endpoints The kaweth driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious d
- affected >= 6.15.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix invalid wait context in ctx_sched_in() Lockdep found a bug in the event scheduling when a pinned event was failed and wakes up the threads in the ring buffer like below. It seems it should not g
- affected >= 5.15.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded bond_option_mode_set() already rejects mode changes that would make a loaded XDP program incompatible via bond_xdp_check(). However, b
- affected < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: tracing: Add NULL pointer check to trigger_data_free() If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, t
- affected >= 6.4.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: pinctrl: equilibrium: fix warning trace on load The callback functions 'eqbr_irq_mask()' and 'eqbr_irq_ack()' are also called in the callback function 'eqbr_irq_mask_ack()'. This is done to avoid source code du
- affected >= 2.6.32, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message When looking at the data in a USB urb, the actual_length is the size of the buffer passed to the driver, not the transfer_buffer_
- affected >= 5.18.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double
- affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and i
- affected >= 4.14.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu() l3mdev_master_dev_rcu() can return NULL when the slave device is being un-slaved from a VRF. All other callers deal with this, but we lost the fallback to lo
- affected >= 3.3.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: smb: client: Don't log plaintext credentials in cifs_set_cifscreds When debug logging is enabled, cifs_set_cifscreds() logs the key payload and exposes the plaintext username and password. Remove the debug log
- affected >= 4.20.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: net: annotate data-races around sk->sk_{data_ready,write_space} skmsg (and probably other layers) are changing these pointers while other cpus might read them concurrently. Add corresponding READ_ONCE()/WRITE_
Page 5 of 88