rpm package
suse/kernel-source&distro=SUSE Linux Enterprise Server 15 SP4-LTSS
pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS
Vulnerabilities (2,843)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46243 | Hig | 7.1 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | Jun 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in | |
| CVE-2026-46113 | Hig | 8.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 28, 2026 | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest pag | |
| CVE-2026-46043 | Cri | 9.1 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload | |
| CVE-2026-46021 | Med | 5.5 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from | |
| CVE-2026-45970 | Hig | 7.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX ha | |
| CVE-2026-45852 | Hig | 7.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 27, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function cal | |
| CVE-2026-43501 | Cri | 9.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 21, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h | |
| CVE-2026-43499 | Hig | 7.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 21, 2026 | In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_ | |
| CVE-2026-43206 | Hig | 7.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivile | |
| CVE-2026-43037 | Cri | 9.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. | |
| CVE-2026-31758 | Hig | 7.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | May 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw | |
| CVE-2026-31629 | Hig | 8.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | Apr 24, 2026 | In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but | |
| CVE-2026-31405 | Cri | 9.8 | < 5.14.21-150400.24.222.1 | 5.14.21-150400.24.222.1 | Apr 6, 2026 | In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices | |
| CVE-2026-23274 | Hig | 7.8 | < 5.14.21-150400.24.200.1 | 5.14.21-150400.24.200.1 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revisio | |
| CVE-2026-23272 | Hig | 7.8 | < 5.14.21-150400.24.200.1 | 5.14.21-150400.24.200.1 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be | |
| CVE-2026-23269 | Hig | 7.1 | < 5.14.21-150400.24.197.1 | 5.14.21-150400.24.197.1 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will acce | |
| CVE-2026-23268 | Hig | 7.8 | < 5.14.21-150400.24.197.1 | 5.14.21-150400.24.197.1 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by | |
| CVE-2026-23243 | Hig | 7.8 | < 5.14.21-150400.24.200.1 | 5.14.21-150400.24.200.1 | Mar 18, 2026 | In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len | |
| CVE-2026-23209 | Hig | 7.8 | < 5.14.21-150400.24.197.1 | 5.14.21-150400.24.197.1 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip l | |
| CVE-2026-23204 | Hig | 7.1 | < 5.14.21-150400.24.197.1 | 5.14.21-150400.24.197.1 | Feb 14, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro f |
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating in
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest pag
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX ha
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function cal
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old h
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivile
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: clear skb2->cb[] in ip4ip6_err() Oskar Kjos reported the following problem. ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm.
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCP_CLOSED checks In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but
- affected < 5.14.21-150400.24.222.1fixed 5.14.21-150400.24.222.1
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices
- affected < 5.14.21-150400.24.200.1fixed 5.14.21-150400.24.200.1
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer() on timer->timer. If the label was created first by revisio
- affected < 5.14.21-150400.24.200.1fixed 5.14.21-150400.24.200.1
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unconditionally bump set->nelems before insertion In case that the set is full, a new element gets published then removed without waiting for the RCU grace period, while RCU reader can be
- affected < 5.14.21-150400.24.197.1fixed 5.14.21-150400.24.197.1
In the Linux kernel, the following vulnerability has been resolved: apparmor: validate DFA start states are in bounds in unpack_pdb Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will acce
- affected < 5.14.21-150400.24.197.1fixed 5.14.21-150400.24.197.1
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix unprivileged local user can do privileged policy management An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by
- affected < 5.14.21-150400.24.200.1fixed 5.14.21-150400.24.200.1
In the Linux kernel, the following vulnerability has been resolved: RDMA/umad: Reject negative data_len in ib_umad_write ib_umad_write computes data_len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data_len
- affected < 5.14.21-150400.24.197.1fixed 5.14.21-150400.24.197.1
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix error recovery in macvlan_common_newlink() valis provided a nice repro to crash the kernel: ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip l
- affected < 5.14.21-150400.24.197.1fixed 5.14.21-150400.24.197.1
In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_u32: use skb_header_pointer_careful() skb_header_pointer() does not fully validate negative @offset values. Use skb_header_pointer_careful() instead. GangMin Kim provided a report and a repro f
Page 1 of 143