rpm package
almalinux/kernel-modules-core
pkg:rpm/almalinux/kernel-modules-core
Vulnerabilities (831)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-43501 | Cri | 9.8 | < 6.12.0-211.22.1.el10_2 | 6.12.0-211.22.1.el10_2 | May 21, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h | |
| CVE-2026-46333 | Hig | 7.1 | < 5.14.0-687.10.1.el9_8 | 5.14.0-687.10.1.el9_8 | May 15, 2026 | In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y | |
| CVE-2026-43414 | Cri | 9.8 | < 5.14.0-687.17.1.el9_8 | 5.14.0-687.17.1.el9_8 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() | |
| CVE-2026-43330 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache a | |
| CVE-2026-43329 | Hig | 7.8 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN | |
| CVE-2026-43322 | Hig | 8.8 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_con | |
| CVE-2026-43303 | Hig | 7.8 | < 5.14.0-687.12.1.el9_8 | 5.14.0-687.12.1.el9_8 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-or | |
| CVE-2026-43284 | Hig | 8.8 | < 5.14.0-611.55.1.el9_7 | 5.14.0-611.55.1.el9_7 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th | |
| CVE-2026-43279 | Hig | 7.8 | < 5.14.0-687.17.1.el9_8 | 5.14.0-687.17.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the b | |
| CVE-2026-43260 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when | |
| CVE-2026-43205 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iter | |
| CVE-2026-43198 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible fro | |
| CVE-2026-43190 | Hig | 8.2 | < 5.14.0-687.12.1.el9_8 | 5.14.0-687.12.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining | |
| CVE-2026-43163 | Med | 4.7 | < 5.14.0-687.10.1.el9_8 | 5.14.0-687.10.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bit | |
| CVE-2026-43158 | Hig | 8.8 | < 5.14.0-687.12.1.el9_8 | 5.14.0-687.12.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr- | |
| CVE-2026-43128 | Hig | 7.8 | < 5.14.0-687.10.1.el9_8 | 5.14.0-687.10.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the um | |
| CVE-2026-43125 | Cri | 9.8 | < 5.14.0-687.15.1.el9_8 | 5.14.0-687.15.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm | |
| CVE-2026-43116 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->mas | |
| CVE-2026-43110 | Hig | 8.8 | < 5.14.0-687.12.1.el9_8 | 5.14.0-687.12.1.el9_8 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a | |
| CVE-2026-43056 | Hig | 7.8 | < 5.14.0-687.15.1.el9_8 | 5.14.0-687.15.1.el9_8 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t |
- affected < 6.12.0-211.22.1.el10_2fixed 6.12.0-211.22.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h
- affected < 5.14.0-687.10.1.el9_8fixed 5.14.0-687.10.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y
- affected < 5.14.0-687.17.1.el9_8fixed 5.14.0-687.17.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put()
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache a
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_con
- affected < 5.14.0-687.12.1.el9_8fixed 5.14.0-687.12.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-or
- affected < 5.14.0-611.55.1.el9_7fixed 5.14.0-611.55.1.el9_7
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th
- affected < 5.14.0-687.17.1.el9_8fixed 5.14.0-687.17.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing At silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit with the b
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iter
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible fro
- affected < 5.14.0-687.12.1.el9_8fixed 5.14.0-687.12.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining
- affected < 5.14.0-687.10.1.el9_8fixed 5.14.0-687.10.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bit
- affected < 5.14.0-687.12.1.el9_8fixed 5.14.0-687.12.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr-
- affected < 5.14.0-687.10.1.el9_8fixed 5.14.0-687.10.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the um
- affected < 5.14.0-687.15.1.el9_8fixed 5.14.0-687.15.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->mas
- affected < 5.14.0-687.12.1.el9_8fixed 5.14.0-687.12.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a
- affected < 5.14.0-687.15.1.el9_8fixed 5.14.0-687.15.1.el9_8
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t
Page 2 of 42