linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23244 | Hig | 7.1 | >= 6.5.0, < 6.6.130 | 6.6.130 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: nvme: fix memory allocation in nvme_pr_read_keys() nvme_pr_read_keys() takes num_keys from userspace and uses it to calculate the allocation size for rse via struct_size(). The upper limit is PR_KEYS_MAX (64K). | |
| CVE-2026-23243 | Hig | 7.8 | >= 2.6.24, < 5.10.252 | 5.10.252 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len | |
| CVE-2026-23242 | Hig | 7.5 | >= 5.3.0, < 5.10.252 | 5.10.252 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp- | |
| CVE-2025-71267 | Med | 5.5 | >= 5.15.0, < 5.15.202 | 5.15.202 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an i | |
| CVE-2025-71266 | Med | 5.5 | >= 5.15.0, < 5.15.202 | 5.15.202 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 fi | |
| CVE-2025-71265 | Med | 5.5 | >= 5.15.0, < 5.15.202 | 5.15.202 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image | |
| CVE-2026-23241 | Med | 5.5 | >= 6.13.0, < 6.18.16 | 6.18.16 | Mar 17, 2026 | In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes wi | |
| CVE-2025-71239 | Med | 5.5 | >= 6.6.0, < 6.6.128 | 6.6.128 | Mar 17, 2026 | In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashi | |
| CVE-2026-23240 | Cri | 9.8 | >= 5.3.0, < 6.12.75 | 6.12.75 | Mar 10, 2026 | In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled | |
| CVE-2026-23239 | Hig | 7.8 | >= 5.6.0, < 6.12.75 | 6.12.75 | Mar 10, 2026 | In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths su | |
| CVE-2024-14027 | — | >= 6.11.0, < 6.12.77 | 6.12.77 | Mar 9, 2026 | In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() | ||
| CVE-2026-23225 | Hig | 7.8 | >= 6.19.0, < 6.19.1 | 6.19.1 | Feb 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. CPU0 CPU1 T1 runs in userspac | |
| CVE-2026-23183 | — | >= 6.14.0, < 6.18.10 | 6.18.10 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code( | ||
| CVE-2026-23182 | — | < 5.15.200 | 5.15.200 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with | ||
| CVE-2026-23181 | — | >= 6.15.0, < 6.18.10 | 6.18.10 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET | ||
| CVE-2026-23180 | Hig | 7.0 | >= 5.15.0, < 5.15.200 | 5.15.200 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since i | |
| CVE-2026-23179 | — | >= 6.7.0, < 6.12.70 | 6.12.70 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with t | ||
| CVE-2026-23178 | Hig | 7.8 | >= 5.18.0, < 6.1.163 | 6.1.163 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the h | |
| CVE-2026-23177 | — | >= 6.12.0, < 6.12.70 | 6.12.70 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: mm, shmem: prevent infinite loop on truncate race When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment. The failure fallb | ||
| CVE-2026-23176 | — | >= 3.17.0, < 5.10.250 | 5.10.250 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remov |
- affected >= 6.5.0, < 6.6.130fixed 6.6.130
In the Linux kernel, the following vulnerability has been resolved: nvme: fix memory allocation in nvme_pr_read_keys() nvme_pr_read_keys() takes num_keys from userspace and uses it to calculate the allocation size for rse via struct_size(). The upper limit is PR_KEYS_MAX (64K).
- affected >= 2.6.24, < 5.10.252fixed 5.10.252
In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len
- affected >= 5.3.0, < 5.10.252fixed 5.10.252
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp-
- affected >= 5.15.0, < 5.15.202fixed 5.15.202
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image can cause an i
- affected >= 5.15.0, < 5.15.202fixed 5.15.202
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: check return value of indx_find to avoid infinite loop We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed dentry in the ntfs3 fi
- affected >= 5.15.0, < 5.15.202fixed 5.15.202
In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata We found an infinite loop bug in the ntfs3 file system that can lead to a Denial-of-Service (DoS) condition. A malformed NTFS image
- affected >= 6.13.0, < 6.18.16fixed 6.18.16
In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class. Calling getxattrat() or listxattrat() on a file to read its extended attributes wi
- affected >= 6.6.0, < 6.6.128fixed 6.6.128
In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit. Calling fchmodat2() to change a file attribute in the same fashi
- affected >= 5.3.0, < 6.12.75fixed 6.12.75
In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx() This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled
- affected >= 5.6.0, < 6.12.75fixed 6.12.75
In the Linux kernel, the following vulnerability has been resolved: espintcp: Fix race condition in espintcp_close() This issue was discovered during a code audit. After cancel_work_sync() is called from espintcp_close(), espintcp_tx_work() can still be scheduled from paths su
- CVE-2024-14027Mar 9, 2026affected >= 6.11.0, < 6.12.77fixed 6.12.77
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user()
- affected >= 6.19.0, < 6.19.1fixed 6.19.1
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Don't assume CID is CPU owned on mode switch Shinichiro reported a KASAN UAF, which is actually an out of bounds access in the MMCID management code. CPU0 CPU1 T1 runs in userspac
- CVE-2026-23183Feb 14, 2026affected >= 6.14.0, < 6.18.10fixed 6.18.10
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(
- CVE-2026-23182Feb 14, 2026affected < 5.15.200fixed 5.15.200
In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with
- CVE-2026-23181Feb 14, 2026affected >= 6.15.0, < 6.18.10fixed 6.18.10
In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET
- affected >= 5.15.0, < 5.15.200fixed 5.15.200
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation. Since i
- CVE-2026-23179Feb 14, 2026affected >= 6.7.0, < 6.12.70fixed 6.12.70
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready() When the socket is closed while in TCP_LISTEN a callback is run to flush all outstanding packets, which in turns calls nvmet_tcp_listen_data_ready() with t
- affected >= 5.18.0, < 6.1.163fixed 6.1.163
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the h
- CVE-2026-23177Feb 14, 2026affected >= 6.12.0, < 6.12.70fixed 6.12.70
In the Linux kernel, the following vulnerability has been resolved: mm, shmem: prevent infinite loop on truncate race When truncating a large swap entry, shmem_free_swap() returns 0 when the entry's index doesn't match the given index due to lookup alignment. The failure fallb
- CVE-2026-23176Feb 14, 2026affected >= 3.17.0, < 5.10.250fixed 5.10.250
In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remov
Page 9 of 88