rpm package
almalinux/bpftool
pkg:rpm/almalinux/bpftool
Vulnerabilities (950)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46331 | — | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | Jun 16, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account | ||
| CVE-2026-46243 | Hig | 7.1 | < 4.18.0-553.129.1.el8_10 | 4.18.0-553.129.1.el8_10 | Jun 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in | |
| CVE-2026-46181 | Hig | 7.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical se | |
| CVE-2026-46152 | Hig | 8.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share on | |
| CVE-2026-46145 | Hig | 7.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the mem | |
| CVE-2026-46135 | Cri | 9.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing again | |
| CVE-2026-46125 | Hig | 8.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since i | |
| CVE-2026-46090 | Hig | 7.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa6 | |
| CVE-2026-46056 | Hig | 8.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connec | |
| CVE-2026-46054 | Hig | 7.1 | < 4.18.0-553.137.1.el8_10 | 4.18.0-553.137.1.el8_10 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the | |
| CVE-2026-45852 | Hig | 7.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function cal | |
| CVE-2026-46300 | Hig | 7.8 | < 4.18.0-553.125.1.el8_10 | 4.18.0-553.125.1.el8_10 | May 23, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally | |
| CVE-2026-46333 | Hig | 7.1 | < 4.18.0-553.125.1.el8_10 | 4.18.0-553.125.1.el8_10 | May 15, 2026 | In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y | |
| CVE-2026-43329 | Hig | 7.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN | |
| CVE-2026-43284 | Hig | 8.8 | < 4.18.0-553.124.1.el8_10 | 4.18.0-553.124.1.el8_10 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th | |
| CVE-2026-43279 | Hig | 7.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the b | |
| CVE-2026-43190 | Hig | 8.2 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining | |
| CVE-2026-43163 | Med | 4.7 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bit | |
| CVE-2026-43158 | Hig | 8.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr- | |
| CVE-2026-43125 | Cri | 9.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm |
- CVE-2026-46331Jun 16, 2026affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account
- affected < 4.18.0-553.129.1.el8_10fixed 4.18.0-553.129.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical se
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share on
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the mem
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing again
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since i
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa6
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connec
- affected < 4.18.0-553.137.1.el8_10fixed 4.18.0-553.137.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function cal
- affected < 4.18.0-553.125.1.el8_10fixed 4.18.0-553.125.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally
- affected < 4.18.0-553.125.1.el8_10fixed 4.18.0-553.125.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN
- affected < 4.18.0-553.124.1.el8_10fixed 4.18.0-553.124.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the b
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bit
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr-
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm
Page 1 of 48