linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23301 | Med | 5.5 | >= 6.19.0, < 6.19.7 | 6.19.7 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: Add allocation failure check for Entity name Currently find_sdca_entity_iot() can allocate a string for the Entity name but it doesn't check if that allocation succeeded. Add the missing NULL check | |
| CVE-2026-23300 | Med | 5.5 | >= 5.3.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassif | |
| CVE-2026-23299 | Med | 5.5 | >= 6.15.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to rea | |
| CVE-2026-23298 | Med | 5.5 | >= 4.19.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging | |
| CVE-2026-23297 | Med | 5.5 | >= 6.10.0, < 6.12.77 | 6.12.77 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after tha | |
| CVE-2026-23296 | Med | 5.5 | >= 6.0.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation | |
| CVE-2026-23295 | Med | 5.5 | >= 6.19.0, < 6.19.7 | 6.19.7 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix dead lock for suspend and resume When an application issues a query IOCTL while auto suspend is running, a deadlock can occur. The query path holds dev_lock and then calls pm_runtime_resume_a | |
| CVE-2026-23294 | Hig | 7.0 | >= 6.18.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in devmap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue | |
| CVE-2026-23293 | Med | 5.5 | >= 3.12.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which ini | |
| CVE-2026-23292 | Med | 5.5 | >= 5.3.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This | |
| CVE-2026-23291 | Med | 5.5 | >= 3.1.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe call | |
| CVE-2026-23290 | Med | 5.5 | >= 2.6.12, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious | |
| CVE-2026-23289 | Med | 5.5 | >= 2.6.14, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path. | |
| CVE-2026-23288 | Hig | 7.8 | < 6.19.7 | 6.19.7 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix out-of-bounds memset in command slot handling The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verify | |
| CVE-2026-23287 | Med | 5.5 | >= 5.1.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executi | |
| CVE-2026-23286 | Med | 5.5 | >= 2.6.12, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE (LAN Emulatio | |
| CVE-2026-23285 | Med | 5.5 | >= 6.4.0, < 6.6.130 | 6.6.130 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: drbd: fix null-pointer dereference on local read error In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to __req_mod() with a NULL peer_device: __req_mod(req, what, NULL, &m); The READ_COMPLETED | |
| CVE-2026-23284 | Med | 5.5 | >= 6.0.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Reset eBPF program pointer to old_prog and do not decrease its ref-count if mtk_open routine in mtk_xdp_setup() fails. | |
| CVE-2026-23283 | Med | 5.5 | >= 6.19.0, < 6.19.7 | 6.19.7 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: regulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read() In fp9931_hwmon_read(), if regmap_read() failed, the function returned the error code without calling pm_runtime_put_autosuspend(), causin | |
| CVE-2026-23282 | Med | 5.5 | >= 6.17.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to uninitialised var in smb2_unlink() If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the iovs set @rqst will be left uninitialised, hence calling SMB2_open_free(), SM |
- affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: Add allocation failure check for Entity name Currently find_sdca_entity_iot() can allocate a string for the Entity name but it doesn't check if that allocation succeeded. Add the missing NULL check
- affected >= 5.3.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop When a standalone IPv6 nexthop object is created with a loopback device (e.g., "ip -6 nexthop add id 100 dev lo"), fib6_nh_init() misclassif
- affected >= 6.15.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: purge error queues in socket destructors When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to rea
- affected >= 4.19.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: can: ucan: Fix infinite loop from zero-length messages If a broken ucan device gets a message with the message length field set to 0, then the driver will loop for forever in ucan_read_bulk_callback(), hanging
- affected >= 6.10.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after tha
- affected >= 6.0.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation
- affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix dead lock for suspend and resume When an application issues a query IOCTL while auto suspend is running, a deadlock can occur. The query path holds dev_lock and then calls pm_runtime_resume_a
- affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in devmap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_dev_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue
- affected >= 3.12.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called which ini
- affected >= 5.3.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix recursive locking in __configfs_open_file() In flush_write_buffer, &p->frag_sem is acquired and then the loaded store function is called, which, here, is target_core_item_dbroot_store(). This
- affected >= 3.1.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: properly drop the usb interface reference on disconnect When the device is disconnected from the driver, there is a "dangling" reference count on the usb interface that was grabbed in the probe call
- affected >= 2.6.12, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious
- affected >= 2.6.14, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path.
- affected < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix out-of-bounds memset in command slot handling The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verify
- affected >= 5.1.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executi
- affected >= 2.6.12, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: atm: lec: fix null-ptr-deref in lec_arp_clear_vccs syzkaller reported a null-ptr-deref in lec_arp_clear_vccs(). This issue can be easily reproduced using the syzkaller reproducer. In the ATM LANE (LAN Emulatio
- affected >= 6.4.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: drbd: fix null-pointer dereference on local read error In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to __req_mod() with a NULL peer_device: __req_mod(req, what, NULL, &m); The READ_COMPLETED
- affected >= 6.0.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup() Reset eBPF program pointer to old_prog and do not decrease its ref-count if mtk_open routine in mtk_xdp_setup() fails.
- affected >= 6.19.0, < 6.19.7fixed 6.19.7
In the Linux kernel, the following vulnerability has been resolved: regulator: fp9931: Fix PM runtime reference leak in fp9931_hwmon_read() In fp9931_hwmon_read(), if regmap_read() failed, the function returned the error code without calling pm_runtime_put_autosuspend(), causin
- affected >= 6.17.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to uninitialised var in smb2_unlink() If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the iovs set @rqst will be left uninitialised, hence calling SMB2_open_free(), SM
Page 6 of 88