rpm package
almalinux/kernel-modules-extra-matched
pkg:rpm/almalinux/kernel-modules-extra-matched
Vulnerabilities (270)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46331 | — | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | Jun 16, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account | ||
| CVE-2026-46316 | Cri | 9.3 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | Jun 9, 2026 | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each en | |
| CVE-2026-46243 | Hig | 7.1 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | Jun 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in | |
| CVE-2026-46173 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedu | |
| CVE-2026-46166 | Hig | 8.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-aft | |
| CVE-2026-46152 | Hig | 8.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share on | |
| CVE-2026-46145 | Hig | 7.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the mem | |
| CVE-2026-46135 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing again | |
| CVE-2026-46125 | Hig | 8.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since i | |
| CVE-2026-46117 | Hig | 7.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on | |
| CVE-2026-46056 | Hig | 8.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connec | |
| CVE-2026-46054 | Hig | 7.1 | < 6.12.0-211.22.1.el10_2 | 6.12.0-211.22.1.el10_2 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the | |
| CVE-2026-45898 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expec | |
| CVE-2026-46300 | Hig | 7.8 | < 6.12.0-211.16.1.el10_2 | 6.12.0-211.16.1.el10_2 | May 23, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally | |
| CVE-2026-43501 | Cri | 9.8 | < 6.12.0-211.22.1.el10_2 | 6.12.0-211.22.1.el10_2 | May 21, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h | |
| CVE-2026-46333 | Hig | 7.1 | < 6.12.0-211.16.1.el10_2 | 6.12.0-211.16.1.el10_2 | May 15, 2026 | In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y | |
| CVE-2026-43414 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() | |
| CVE-2026-43330 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache a | |
| CVE-2026-43329 | Hig | 7.8 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN | |
| CVE-2026-43322 | Hig | 8.8 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_con |
- CVE-2026-46331Jun 16, 2026affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each en
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedu
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-aft
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share on
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the mem
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing again
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since i
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connec
- affected < 6.12.0-211.22.1.el10_2fixed 6.12.0-211.22.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expec
- affected < 6.12.0-211.16.1.el10_2fixed 6.12.0-211.16.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally
- affected < 6.12.0-211.22.1.el10_2fixed 6.12.0-211.22.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h
- affected < 6.12.0-211.16.1.el10_2fixed 6.12.0-211.16.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when y
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put()
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache a
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SN
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_con
Page 1 of 14