rpm package
almalinux/kernel-modules-extra-matched
pkg:rpm/almalinux/kernel-modules-extra-matched
Vulnerabilities (270)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-43303 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-or | |
| CVE-2026-43284 | Hig | 8.8 | < 6.12.0-211.7.3.el10_2 | 6.12.0-211.7.3.el10_2 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th | |
| CVE-2026-43260 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when | |
| CVE-2026-43205 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iter | |
| CVE-2026-43198 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible fro | |
| CVE-2026-43190 | Hig | 8.2 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining | |
| CVE-2026-43158 | Hig | 8.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr- | |
| CVE-2026-43128 | Hig | 7.8 | < 6.12.0-211.16.1.el10_2 | 6.12.0-211.16.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the um | |
| CVE-2026-43116 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->mas | |
| CVE-2026-43110 | Hig | 8.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a | |
| CVE-2026-43056 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t | |
| CVE-2026-43051 | Hig | 8.1 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an | |
| CVE-2026-43038 | Cri | 9.8 | < 6.12.0-211.28.1.el10_2 | 6.12.0-211.28.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_p | |
| CVE-2026-43037 | Cri | 9.8 | < 6.12.0-211.22.1.el10_2 | 6.12.0-211.22.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. | |
| CVE-2026-43027 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it | |
| CVE-2026-43023 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: fix race conditions in sco_sock_connect() sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the c | |
| CVE-2026-43020 | Hig | 7.8 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger th | |
| CVE-2026-43006 | Hig | 7.1 | < 6.12.0-211.18.1.el10_2 | 6.12.0-211.18.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: reject zero-length fixed buffer import validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu | |
| CVE-2026-31772 | Hig | 7.8 | < 6.12.0-211.26.1.el10_2 | 6.12.0-211.26.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries | |
| CVE-2026-31709 | Hig | 8.8 | < 6.12.0-211.20.1.el10_2 | 6.12.0-211.20.1.el10_2 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th |
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-or
- affected < 6.12.0-211.7.3.el10_2fixed 6.12.0-211.7.3.el10_2
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths th
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iter
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible fro
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr-
- affected < 6.12.0-211.16.1.el10_2fixed 6.12.0-211.16.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the um
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->mas
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as a
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: net: mana: fix use-after-free in add_adev() error path If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev). The auxiliary device has its release callback set t
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an
- affected < 6.12.0-211.28.1.el10_2fixed 6.12.0-211.28.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() Sashiko AI-review observed: In ip6_err_gen_icmpv6_unreach(), the skb is an outer IPv4 ICMP error packet where its cb contains an IPv4 inet_skb_p
- affected < 6.12.0-211.22.1.el10_2fixed 6.12.0-211.22.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm.
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_helper: pass helper to expect cleanup nf_conntrack_helper_unregister() calls nf_ct_expect_iterate_destroy() to remove expectations belonging to the helper being unregistered. However, it
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: fix race conditions in sco_sock_connect() sco_sock_connect() checks sk_state and sk_type without holding the socket lock. Two concurrent connect() syscalls on the same socket can both pass the c
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate LTK enc_size on load Load Long Term Keys stores the user-provided enc_size and later uses it to size fixed-size stack operations when replying to LE LTK requests. An enc_size larger th
- affected < 6.12.0-211.18.1.el10_2fixed 6.12.0-211.18.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: reject zero-length fixed buffer import validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu
- affected < 6.12.0-211.26.1.el10_2fixed 6.12.0-211.26.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries
- affected < 6.12.0-211.20.1.el10_2fixed 6.12.0-211.20.1.el10_2
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl build_sec_desc() and id_mode_to_cifs_acl() derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild th
Page 2 of 14