Vendor CVEs
Linux
All CVEs
15,975 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-31398 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: mm/rmap: fix incorrect pte restoration for lazyfree folios We batch unmap anonymous lazyfree folios by folio_unmap_pte_batch. If the batch has a mix of writable and non-writable bits, we may end up setting… | ||
| CVE-2026-31397 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd() move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to… | ||
| CVE-2026-31396 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is… | ||
| CVE-2026-31389 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid… | ||
| CVE-2026-23466 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded.… | ||
| CVE-2026-23458 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the… | ||
| CVE-2026-23449 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so… | ||
| CVE-2026-23448 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: … | ||
| CVE-2026-23447 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against… | ||
| CVE-2026-23445 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: igc: fix page fault in XDP TX timestamps handling If an XDP application that requested TX timestamping is shutting down while the link of the interface in use is still up the following kernel splat is… | ||
| CVE-2026-23444 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning… | ||
| CVE-2026-23437 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect late read accesses to the hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU… | ||
| CVE-2026-23432 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: mshv: Fix use-after-free in mshv_map_user_memory error path In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps… | ||
| CVE-2026-23429 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free()… | ||
| CVE-2026-23422 | Hig | 0.44 | 7.8 | 0.00 | Apr 3, 2026 | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an… | ||
| CVE-2026-23415 | Hig | 0.44 | 7.8 | 0.00 | Apr 2, 2026 | In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call… | ||
| CVE-2026-23413 | Hig | 0.44 | 7.8 | 0.00 | Apr 2, 2026 | In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free in init/destroy rollback asymmetry Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact… | ||
| CVE-2026-23412 | Hig | 0.44 | 7.8 | 0.00 | Apr 2, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in… | ||
| CVE-2026-23411 | Hig | 0.44 | 7.8 | 0.00 | Apr 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand… | ||
| CVE-2026-23410 | Hig | 0.44 | 7.8 | 0.00 | Apr 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata… | ||
| CVE-2026-23408 | Hig | 0.44 | 7.8 | 0.00 | Apr 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 }… | ||
| CVE-2026-23407 | Hig | 0.44 | 7.8 | 0.00 | Apr 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop… | ||
| CVE-2026-23406 | Hig | 0.44 | 7.8 | 0.00 | Apr 1, 2026 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the… | ||
| CVE-2026-23393 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context… | ||
| CVE-2026-23392 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already… | ||
| CVE-2026-23391 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal.… | ||
| CVE-2026-23390 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu… | ||
| CVE-2026-23387 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put. | ||
| CVE-2026-23383 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the… | ||
| CVE-2026-23378 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata.… | ||
| CVE-2026-23372 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and… | ||
| CVE-2026-23361 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write… | ||
| CVE-2026-23359 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number… | ||
| CVE-2026-23354 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory… | ||
| CVE-2026-23351 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long… | ||
| CVE-2026-23350 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id… | ||
| CVE-2026-23344 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en… | ||
| CVE-2026-23343 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely… | ||
| CVE-2026-23340 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for… | ||
| CVE-2026-23336 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in… | ||
| CVE-2026-23326 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free… | ||
| CVE-2026-23323 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines. … | ||
| CVE-2026-23322 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix use-after-free and list corruption on sender error The analysis from Breno: When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without… | ||
| CVE-2026-23319 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but… | ||
| CVE-2026-23317 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that… | ||
| CVE-2026-23306 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a… | ||
| CVE-2026-23288 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix out-of-bounds memset in command slot handling The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before… | ||
| CVE-2026-23281 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is… | ||
| CVE-2026-23280 | Hig | 0.44 | 7.8 | 0.00 | Mar 25, 2026 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Prevent ubuf size overflow The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size… | ||
| CVE-2026-23278 | Hig | 0.44 | 7.8 | 0.00 | Mar 20, 2026 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part… |
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: mm/rmap: fix incorrect pte restoration for lazyfree folios We batch unmap anonymous lazyfree folios by folio_unmap_pte_batch. If the batch has a mix of writable and non-writable bits, we may end up setting…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix use of NULL folio in move_pages_huge_pmd() move_pages_huge_pmd() handles UFFDIO_MOVE for both normal THPs and huge zero pages. For the huge zero page path, src_folio is explicitly set to…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net: macb: fix use-after-free access to PTP clock PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: spi: fix use-after-free on controller registration failure Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Open-code GGTT MMIO access protection GGTT MMIO access is currently protected by hotplug (drm_dev_enter), which works correctly when the driver loads successfully and is later unbound or unloaded.…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net/sched: teql: Fix double-free in teql_master_xmit Whenever a TEQL devices has a lockless Qdisc as root, qdisc_reset should be called using the seq_lock to avoid racing with the datapath. Failure to do so…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE entries fit within the skb. The first check correctly accounts for ndpoffset: …
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: igc: fix page fault in XDP TX timestamps handling If an XDP application that requested TX timestamping is shutting down while the link of the interface in use is still up the following kernel splat is…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net: shaper: protect late read accesses to the hierarchy We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: mshv: Fix use-after-free in mshv_map_user_memory error path In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: Fix crash in iommu_sva_unbind_device() domain->mm->iommu_mm can be freed by iommu_domain_free(): iommu_domain_free() mmdrop() __mmdrop() mm_pasid_drop() After iommu_domain_free()…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: clsact: Fix use-after-free in init/destroy rollback asymmetry Fix a use-after-free in the clsact qdisc upon init/destroy rollback asymmetry. The latter is achieved by first fully initializing a clsact…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: defer hook memory release until rcu readers are done Yiming Qian reports UaF when concurrent process is dumping hooks via nfnetlink_hooks: BUG: KASAN: slab-use-after-free in…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can aand…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix double free of ns_name in aa_replace_profiles() if ns_name is NULL after 1071 error = aa_unpack(udata, &lh, &ns_name); and if ent->ns_name contains an ns_name in 1089 }…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix missing bounds check on DEFAULT table in verify_dfa() The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix side-effect bug in match_char() macro usage The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release flowtable after rcu grace period on error Call synchronize_rcu() after unregistering the hooks from error path, since a hook that already refers to this flowtable can be already…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_CT: drop pending enqueued packets on template removal Templates refer to objects that can go away while packets are sitting in nfqueue refer to: - helper, this can be an issue on module removal.…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. With devices like virtio-gpu…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put.
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata.…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: nfc: rawsock: cancel tx_work before socket teardown In rawsock_release(), cancel any pending tx_work and purge the write queue before orphaning the socket. rawsock_tx_work runs on the system workqueue and…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry Endpoint drivers use dw_pcie_ep_raise_msix_irq() to raise an MSI-X interrupt to the host using a writel(), which generates a PCI posted write…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: drm/xe/queue: Call fini on exec queue creation fail Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix use-after-free on error path In the error path of sev_tsm_init_locked(), the code dereferences 't' after it has been freed with kfree(). The pr_err() statement attempts to access t->tio_en…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs When shrinking the number of real tx queues, netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush qdiscs for…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() There is a use-after-free error in cfg80211_shutdown_all_interfaces found by syzkaller: BUG: KASAN: use-after-free in…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines. …
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix use-after-free and list corruption on sender error The analysis from Breno: When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim The root cause of this bug is that when 'bpf_link_put' reduces the refcount of 'shim_link->link.link' to zero, the resource is considered released but…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Return the correct value in vmw_translate_ptr functions Before the referenced fixes these functions used a lookup function that returned a pointer. This was changed to another lookup function that…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix out-of-bounds memset in command slot handling The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Prevent ubuf size overflow The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size…
- risk 0.44cvss 7.8epss 0.00
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part…
Page 67 of 320