rpm package
almalinux/bpftool
pkg:rpm/almalinux/bpftool
Vulnerabilities (953)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-43158 | Hig | 8.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr- | |
| CVE-2026-43125 | Cri | 9.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm | |
| CVE-2026-43110 | Hig | 8.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a | |
| CVE-2026-43056 | Hig | 7.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t | |
| CVE-2026-43051 | Hig | 8.1 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an | |
| CVE-2026-43038 | Cri | 9.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_p | |
| CVE-2026-43037 | Cri | 9.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. | |
| CVE-2026-43027 | Hig | 7.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it | |
| CVE-2026-43020 | Hig | 7.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger th | |
| CVE-2026-31709 | Hig | 8.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th | |
| CVE-2026-31787 | Hig | 7.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | Apr 30, 2026 | In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the | |
| CVE-2026-31786 | Hig | 7.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | Apr 30, 2026 | In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid | |
| CVE-2026-31685 | Cri | 9.4 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | Apr 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The ex | |
| CVE-2026-31684 | Med | 5.5 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | Apr 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulat | |
| CVE-2026-31669 | Cri | 9.8 | < 4.18.0-553.134.1.el8_10 | 4.18.0-553.134.1.el8_10 | Apr 24, 2026 | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Bot | |
| CVE-2026-31613 | Hig | 8.1 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | Apr 24, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the | |
| CVE-2026-31581 | Hig | 7.8 | < 4.18.0-553.132.1.el8_10 | 4.18.0-553.132.1.el8_10 | Apr 24, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed | |
| CVE-2026-31532 | Hig | 7.8 | < 4.18.0-553.126.1.el8_10 | 4.18.0-553.126.1.el8_10 | Apr 23, 2026 | In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rc | |
| CVE-2026-31488 | Hig | 7.8 | < 4.18.0-553.136.1.el8_10 | 4.18.0-553.136.1.el8_10 | Apr 22, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed fla | |
| CVE-2026-31431 | Hig | 7.8 | KEV | < 4.18.0-553.123.1.el8_10 | 4.18.0-553.123.1.el8_10 | Apr 22, 2026 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the so |
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr-
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_p
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm.
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger th
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: fix double free via VMA splitting privcmd_vm_ops defines .close (privcmd_close), but neither .may_split nor .open. When userspace does a partial munmap() on a privcmd mapping, the kernel splits the
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: Buffer overflow in drivers/xen/sys-hypervisor.c The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is neither NUL terminated nor a string. The first causes a buffer overflow as sprintf in buildid
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_eui64: reject invalid MAC header for all packets `eui64_mt6()` derives a modified EUI-64 from the Ethernet source address and compares it with the low 64 bits of the IPv6 source address. The ex
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: net: sched: act_csum: validate nested VLAN headers tcf_csum_act() walks nested VLAN headers directly from skb->data when an skb still carries in-payload VLAN tags. The current code reads vlan->h_vlan_encapsulat
- affected < 4.18.0-553.134.1.el8_10fixed 4.18.0-553.134.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in __inet_lookup_established The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Bot
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the
- affected < 4.18.0-553.132.1.el8_10fixed 4.18.0-553.132.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: ALSA: 6fire: fix use-after-free on disconnect In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed
- affected < 4.18.0-553.126.1.el8_10fixed 4.18.0-553.126.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), but receiver deletion is deferred with call_rcu(). This leaves a window where raw_rc
- affected < 4.18.0-553.136.1.el8_10fixed 4.18.0-553.136.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Do not skip unrelated mode changes in DSC validation Starting with commit 17ce8a6907f7 ("drm/amd/display: Add dsc pre-validation in atomic check"), amdgpu resets the CRTC state mode_changed fla
- affected < 4.18.0-553.123.1.el8_10fixed 4.18.0-553.123.1.el8_10
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the so
Page 2 of 48