linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23281 | Hig | 7.8 | >= 2.6.24, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is i | |
| CVE-2026-23280 | Hig | 7.8 | >= 6.18.0, < 6.18.17 | 6.18.17 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Prevent ubuf size overflow The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size cal | |
| CVE-2026-23279 | Med | 5.5 | >= 3.13.0, < 6.1.167 | 6.1.167 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl = | |
| CVE-2026-23278 | Hig | 7.8 | >= 6.4.0, < 6.12.78 | 6.12.78 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part o | |
| CVE-2026-23277 | Med | 5.5 | >= 4.5.0, < 6.1.167 | 6.1.167 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the sl | |
| CVE-2026-23276 | Med | 5.5 | >= 2.6.37, < 6.12.78 | 6.12.78 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves | |
| CVE-2026-23275 | Hig | 7.8 | >= 6.13.0, < 6.18.19 | 6.18.19 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_ | |
| CVE-2026-23274 | Hig | 7.8 | >= 5.7.0, < 6.1.167 | 6.1.167 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revisio | |
| CVE-2026-23273 | Hig | 7.8 | < 5.10.252 | 5.10.252 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before | |
| CVE-2026-23272 | Hig | 7.8 | >= 4.10.0, < 6.18.17 | 6.18.17 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be | |
| CVE-2026-23271 | Hig | 7.8 | >= 2.6.31, < 6.1.167 | 6.1.167 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up runni | |
| CVE-2026-23270 | Hig | 7.8 | < 6.1.167 | 6.1.167 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held b | |
| CVE-2026-23269 | Hig | 7.1 | >= 3.4.0, < 6.6.130 | 6.6.130 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will acce | |
| CVE-2026-23268 | Hig | 7.8 | >= 4.11.0, < 6.6.130 | 6.6.130 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by | |
| CVE-2026-23267 | Med | 5.5 | >= 4.7.0, < 6.1.164 | 6.1.164 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The | |
| CVE-2026-23266 | Med | 5.5 | >= 2.6.12, < 5.10.251 | 5.10.251 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitra | |
| CVE-2026-23265 | Med | 5.5 | >= 3.8.0, < 6.18.13 | 6.18.13 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io -----------[ cut here ]------------ kernel BUG at fs/f2fs/data.c:358! Call Trace: blk_update_request+0x5eb/0xe70 block/blk-mq.c:987 bl | |
| CVE-2026-23264 | Med | 5.5 | >= 5.18.0, < 6.1.163 | 6.1.163 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" This reverts commit 7294863a6f01248d72b61d38478978d638641bee. This commit was erroneously applied again after commit 0ab5d711ec74 ("drm/amd: Refac | |
| CVE-2026-23263 | Med | 5.5 | >= 6.17.0, < 6.18.10 | 6.18.10 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix page array leak d9f595b9a65e ("io_uring/zcrx: fix leaking pages on sg init fail") fixed a page leakage but didn't free the page array, release it as well. | |
| CVE-2026-23262 | Hig | 7.8 | >= 5.10.0, < 5.10.250 | 5.10.250 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats re |
- affected >= 2.6.24, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is i
- affected >= 6.18.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Prevent ubuf size overflow The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size cal
- affected >= 3.13.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced at lines 1638 and 1642 without a prior NULL check: ifmsh->chsw_ttl =
- affected >= 6.4.0, < 6.12.78fixed 6.12.78
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part o
- affected >= 4.5.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit teql_master_xmit() calls netdev_start_xmit(skb, slave) to transmit through slave devices, but does not update skb->dev to the sl
- affected >= 2.6.37, < 6.12.78fixed 6.12.78
In the Linux kernel, the following vulnerability has been resolved: net: add xmit recursion limit to tunnel xmit functions Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own recursion limit. When a bond device in broadcast mode has GRE tap interfaces as slaves
- affected >= 6.13.0, < 6.18.19fixed 6.18.19
In the Linux kernel, the following vulnerability has been resolved: io_uring: ensure ctx->rings is stable for task work flags manipulation If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_
- affected >= 5.7.0, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revisio
- affected < 5.10.252fixed 5.10.252
In the Linux kernel, the following vulnerability has been resolved: macvlan: observe an RCU grace period in macvlan_common_newlink() error path valis reported that a race condition still happens after my prior patch. macvlan_common_newlink() might have made @dev visible before
- affected >= 4.10.0, < 6.18.17fixed 6.18.17
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be
- affected >= 2.6.31, < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up runni
- affected < 6.1.167fixed 6.1.167
In the Linux kernel, the following vulnerability has been resolved: net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held b
- affected >= 3.4.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will acce
- affected >= 4.11.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by
- affected >= 4.7.0, < 6.1.164fixed 6.1.164
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The
- affected >= 2.6.12, < 5.10.251fixed 5.10.251
In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitra
- affected >= 3.8.0, < 6.18.13fixed 6.18.13
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on node footer in {read,write}_end_io -----------[ cut here ]------------ kernel BUG at fs/f2fs/data.c:358! Call Trace: blk_update_request+0x5eb/0xe70 block/blk-mq.c:987 bl
- affected >= 5.18.0, < 6.1.163fixed 6.1.163
In the Linux kernel, the following vulnerability has been resolved: Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem" This reverts commit 7294863a6f01248d72b61d38478978d638641bee. This commit was erroneously applied again after commit 0ab5d711ec74 ("drm/amd: Refac
- affected >= 6.17.0, < 6.18.10fixed 6.18.10
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix page array leak d9f595b9a65e ("io_uring/zcrx: fix leaking pages on sg init fail") fixed a page leakage but didn't free the page array, release it as well.
- affected >= 5.10.0, < 5.10.250fixed 5.10.250
In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats re
Page 7 of 88