SB2026053002 - SUSE update for the Linux Kernel
Published: May 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 62 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2021-47103)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a use-after-free error within the inet6_sk_rx_dst_set(), tcp_v6_do_rcv() and tcp_v6_early_demux() functions in net/ipv6/tcp_ipv6.c, within the udp_sk_rx_dst_set(), __udp4_lib_rcv() and udp_v4_early_demux() functions in net/ipv4/udp.c, within the tcp_v4_do_rcv(), tcp_v4_early_demux(), tcp_prequeue() and inet_sk_rx_dst_set() functions in net/ipv4/tcp_ipv4.c, within the tcp_rcv_established() function in net/ipv4/tcp_input.c, within the tcp_disconnect() function in net/ipv4/tcp.c, within the inet_sock_destruct() function in net/ipv4/af_inet.c. A local user can send specially crafted packets to the system, trigger a use-after-free error and potentially execute arbitrary code.
2) Buffer overflow (CVE-ID: CVE-2023-20585)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to a boundary error in IOMMU. A local administrator can trigger memory corruption and cause loss of SNP guest data integrity.
3) Improper privilege management (CVE-ID: CVE-2025-54518)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in x86 CPU opcode cache handling when executing code on affected AMD Fam17h CPUs. A local user can execute code to escalate privileges.
The issue can permit escalation across privilege boundaries including userspace to kernel and guest to host, and only AMD Fam17h CPUs based on the Zen2 microarchitecture are believed to be affected.
4) Use-after-free (CVE-ID: CVE-2026-23209)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the macvlan_common_newlink() function in drivers/net/macvlan.c. A local user can escalate privileges on the system.
5) Double free (CVE-ID: CVE-2026-23239)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the espintcp_close() function in net/xfrm/espintcp.c. A local user can perform a denial of service (DoS) attack.
6) Double free (CVE-ID: CVE-2026-23240)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the tls_sw_cancel_work_tx() function in net/tls/tls_sw.c. A local user can perform a denial of service (DoS) attack.
7) Improper Access Control (CVE-ID: CVE-2026-23268)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges, modify AppArmor security policies, and cause a denial of service.
The vulnerability exists due to improper access control in the AppArmor policy management interface when handling file descriptor operations. A local user can open the apparmorfs interface and pass the file descriptor to a privileged process, tricking it into performing privileged policy management operations on behalf of the user.
The user must have access to a privileged process that can be manipulated to write to the AppArmor interface. Once exploited, the user can load, replace, or remove AppArmor profiles, leading to removal of confinement, denial of service by blocking application execution, bypassing user namespace restrictions, and potentially enabling local privilege escalation via kernel exploits.
8) Out-of-bounds read (CVE-ID: CVE-2026-23269)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the AppArmor subsystem's DFA state table validation when processing untrusted policy data. A local user can provide a specially crafted AppArmor policy with an out-of-bounds start state to trigger an out-of-bounds read during policy unpacking.
Exploitation requires the ability to load or modify AppArmor policies, which typically requires privileged access. The out-of-bounds read may expose contents of kernel memory.
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a race condition in the perf subsystem when handling performance events. A local user can trigger a use-after-free condition during event overflow processing to execute arbitrary code, escalate privileges, and cause a denial of service.
The issue arises from improper synchronization between __perf_event_overflow() and perf_remove_from_context(), where the overflow handler may access memory after it has been freed by context removal routines. The attacker must be able to create and manipulate perf events, which typically requires low-privileged user access to the perf subsystem.
10) Use After Free (CVE-ID: CVE-2026-23273)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.
Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.
11) Use After Free (CVE-ID: CVE-2026-23351)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.
Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the bridge CFM component when handling peer MEP deletion. A local user can trigger the deletion of a peer MEP, leading to a use-after-free condition if a delayed work item is rescheduled after cancellation but before memory is freed, resulting in a system crash.
The race condition occurs because br_cfm_frame_rx() runs in softirq context under RCU read lock and can re-schedule the delayed work between the cancellation and the memory release.
13) Memory leak (CVE-ID: CVE-2026-23403)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the AppArmor subsystem when processing multiple profiles during profile unpacking. A local user can provide specially crafted profile data to cause a memory leak, leading to resource exhaustion.
Exploitation requires the ability to load AppArmor profiles, which is restricted to users with appropriate privileges.
14) Uncontrolled Recursion (CVE-ID: CVE-2026-23404)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor profile removal functionality when handling deeply nested profiles. A local attacker can send a specially crafted request to cause a denial of service.
Exploitation requires the ability to load AppArmor profiles and trigger their removal, which is typically available to unprivileged users on systems where AppArmor is enabled.
15) Resource exhaustion (CVE-ID: CVE-2026-23405)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the AppArmor policy namespace subsystem when creating nested policy namespaces. A local user can create deeply nested policy namespaces to cause a denial of service.
Exploitation requires the ability to create AppArmor policy namespaces, which is available to unprivileged users in a user namespace.
16) Out-of-bounds write (CVE-ID: CVE-2026-23406)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.
The vulnerability exists due to improper pointer arithmetic in the AppArmor match_char() macro within the Linux kernel's DFA matching logic when processing path permissions during file open operations. A local user can provide a specially crafted file access request that triggers differential encoding chain traversal with a post-incremented string pointer, causing the pointer to advance multiple times per iteration and resulting in out-of-bounds memory reads. This can lead to kernel memory corruption and system instability.
The vulnerability is exploitable during AppArmor policy enforcement when opening files, and may allow privilege escalation or system crash.
17) Out-of-bounds write (CVE-ID: CVE-2026-23407)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to improper bounds checking in the AppArmor verify_dfa() function when parsing a malformed DFA policy. A local user can provide a specially crafted AppArmor policy with differential encoding that triggers out-of-bounds memory access to execute arbitrary code or crash the kernel.
Successful exploitation requires the ability to load a malicious AppArmor profile, which requires user privileges but no special administrative rights beyond those needed to manage AppArmor policies.
18) Double free (CVE-ID: CVE-2026-23408)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the AppArmor profile replacement component when processing user-supplied profile data. A local user can send a specially crafted request to cause a denial of service.
19) Resource exhaustion (CVE-ID: CVE-2026-23409)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor's differential encoding verification when processing encoded profile data. A local user can provide a specially crafted differential-encoded profile that creates loops in the chain to cause a denial of service.
Successful exploitation requires the ability to load AppArmor profiles, which is restricted to privileged users. However, since no additional authentication beyond standard system privileges is required, the attacker capability is considered as a local user with low privileges in the context of the vulnerability.
20) Use-after-free (CVE-ID: CVE-2026-23410)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in AppArmor rawdata inode handling when opening rawdata files while simultaneously removing the corresponding profile. A local attacker can trigger a race condition to access freed memory and cause a denial of service.
21) Race condition (CVE-ID: CVE-2026-23411)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the AppArmor i_private data management when accessing filesystem callback functions after reference removal. A local attacker can trigger a use-after-free condition by exploiting the race between freeing data and filesystem access to trigger a denial of service.
The issue arises when the inode persists beyond AppArmor data cleanup and filesystem callbacks are invoked after the reference has been released. This race condition primarily affects data stored in i_private, including rawdata/loaddata interfaces.
22) Double free (CVE-ID: CVE-2026-23449)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.
The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.
23) Use-after-free (CVE-ID: CVE-2026-23458)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.
The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.
24) Use-after-free (CVE-ID: CVE-2026-23462)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the HIDP subsystem when handling a user->remove callback without dropping the l2cap_conn reference. A local user can trigger the affected code path to cause a denial of service.
The issue is in the Linux kernel Bluetooth HIDP code path and is evidenced by a kernel crash trace during connection cleanup.
25) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to corrupt heap memory.
The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.
The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.
26) Use-after-free (CVE-ID: CVE-2026-31403)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the /proc/fs/nfs/exports proc entry handling when reading from a still-open file descriptor after the associated network namespace is torn down. A local user can keep the file descriptor open across namespace teardown and perform subsequent reads to cause a denial of service.
The issue occurs because the open file captures the current network namespace and stores its export cache without holding a reference to the namespace for the lifetime of the file descriptor.
27) Use-after-free (CVE-ID: CVE-2026-31408)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.
The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.
28) Double free (CVE-ID: CVE-2026-31436)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.
The issue can also result in descriptor leaks.
29) Use-after-free (CVE-ID: CVE-2026-31504)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.
The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.
30) Double free (CVE-ID: CVE-2026-31507)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in smc_rx_pipe_buf_release() and SMC splice pipe buffer handling when duplicating splice pipe buffers with tee(2) or splice_pipe_to_pipe(). A local user can duplicate an SMC splice buffer to cause a denial of service.
The issue can trigger a slab-use-after-free that leads to a NULL-pointer dereference and kernel panic.
31) Out-of-bounds read (CVE-ID: CVE-2026-31512)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in l2cap_ecred_data_rcv() when processing a crafted L2CAP Enhanced Credit Based Flow Control data packet with less than 2 bytes of data. A remote attacker can send a specially crafted Bluetooth packet to disclose sensitive information.
32) Use-after-free (CVE-ID: CVE-2026-31533)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a use-after-free.
The vulnerability exists due to use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.
The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.
33) Out-of-bounds write (CVE-ID: CVE-2026-31570)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.
Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.
34) Use-after-free (CVE-ID: CVE-2026-31586)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.
The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().
35) Use-after-free (CVE-ID: CVE-2026-31588)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in complete_emulated_mmio() when servicing an emulated MMIO write that splits a page boundary across MMIO pages. A local user can trigger crafted KVM_RUN operations to cause a denial of service.
The issue occurs for write payloads of 8 bytes or less and is most visible when the second KVM_RUN is performed by a separate task.
36) Out-of-bounds write (CVE-ID: CVE-2026-31602)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.
The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.
37) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.
The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
38) Integer underflow (CVE-ID: CVE-2026-31649)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information and cause memory corruption.
The vulnerability exists due to integer underflow in jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.
On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.
39) Use-after-free (CVE-ID: CVE-2026-31656)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in intel_engine_park_heartbeat when racing the heartbeat worker and request retirement paths while releasing engine->heartbeat.systole. A local user can trigger concurrent request retirement and heartbeat handling to cause a denial of service.
The issue arises because the same systole request can be released twice after a stale non-NULL pointer is observed in a non-atomic read-and-clear sequence.
40) Integer underflow (CVE-ID: CVE-2026-31662)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in tipc_group_proto_rcv() when handling duplicate or stale GRP_ACK_MSG messages. A remote attacker can send duplicate group acknowledgment messages to cause a denial of service.
After the counter wraps, group broadcasts on the affected socket remain blocked until the group is recreated.
41) Use-after-free (CVE-ID: CVE-2026-31669)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.
The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.
42) Improper input validation (CVE-ID: CVE-2026-31685)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.
43) Heap-based buffer overflow (CVE-ID: CVE-2026-31694)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in fuse_add_dirent_to_cache() when processing directory entries returned by a FUSE server. A remote attacker can return a specially crafted directory entry with an oversized name length to cause a denial of service.
The issue occurs when a serialized directory entry exceeds a single page size and is copied into the readdir cache.
44) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31700)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass safety checks.
The vulnerability exists due to a time-of-check time-of-use race condition in tpacket_snd() when processing a mmap'd vnet_hdr in the TPACKET TX path with PACKET_VNET_HDR enabled. A local user can modify vnet_hdr fields in the shared ring buffer between validation and use to bypass safety checks.
Only the TPACKET TX path is affected.
45) Out-of-bounds read (CVE-ID: CVE-2026-31738)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in vxlan_na_create when parsing neighbor discovery options. A remote attacker can send a specially crafted packet to cause a denial of service.
46) Double free (CVE-ID: CVE-2026-31787)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.
The vulnerability exists due to double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.
Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.
47) Out-of-bounds read (CVE-ID: CVE-2026-43025)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the ctnetlink expectation handling code when processing netlink requests that create expectations with a helper different from the existing master conntrack helper. A remote user can send a specially crafted netlink request to disclose sensitive information.
The issue can allow reading kernel memory bytes beyond the expectation boundary.
48) Use-after-free (CVE-ID: CVE-2026-43027)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.
The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.
49) Use-after-free (CVE-ID: CVE-2026-43050)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in sock_def_readable() when accessing priv->lecd during concurrent socket teardown. A local user can trigger a race condition to cause a denial of service.
The issue occurs because concurrent code paths dereference priv->lecd without protection while lec_atm_close() clears the pointer and the socket may be freed via RCU.
50) Out-of-bounds read (CVE-ID: CVE-2026-43110)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in brcmf_fweh_handle_if_event() when handling firmware-provided IF events. A remote attacker can supply a crafted bsscfg index to cause a denial of service.
51) Use-after-free (CVE-ID: CVE-2026-43126)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a use-after-free in the ALSA OSS mixer layer when handling OSS mixer accesses during device disconnection. A local user can trigger concurrent mixer control operations on a disconnecting sound card to cause a denial of service or execute arbitrary code.
The issue arises because pending kcontrol operation calls may not be caught while the device is being disconnected.
52) Out-of-bounds read (CVE-ID: CVE-2026-43190)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.
53) Race condition (CVE-ID: CVE-2026-43214)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in __get_sregs2() when reading PDPTR registers during ioctl handling. A local user can issue a crafted ioctl request to cause a denial of service.
The issue is triggered when reading PDPTRs causes access to guest memory through memslot lookups without the required SRCU read-side protection.
54) Memory corruption (CVE-ID: CVE-2026-43329)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in flowtable hardware offload action handling when processing IPv6 flowtable offload configurations with multiple actions. A remote attacker can trigger a flow configuration that exceeds the supported number of actions to cause a denial of service.
The issue can be reached in IPv6 setups involving combinations of ethernet mangling, NAT, double VLAN for QinQ, redirect, and tunnel-related actions.
55) Improper access control (CVE-ID: CVE-2026-43334)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass man-in-the-middle protection during Bluetooth pairing.
The vulnerability exists due to improper access control in the Bluetooth SMP pairing response handling when processing a pairing request. A remote attacker can initiate a pairing request that omits MITM requirements to bypass man-in-the-middle protection during Bluetooth pairing.
Exploitation is possible when the local side requires high security and the selected pairing method becomes inconsistent with the responder's security policy.
56) Improper input validation (CVE-ID: CVE-2026-43365)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause filesystem corruption and a denial of service.
The vulnerability exists due to improper input validation in XFS log roundoff handling when mounting or recovering a crafted XFS filesystem with a malformed superblock. A local user can provide a specially crafted filesystem image to cause filesystem corruption and a denial of service.
The issue can result in corrupt logs and an unmountable filesystem on systems using 4k physical sectors.
57) Use-after-free (CVE-ID: CVE-2026-43437)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in snd_pcm_drain() when handling a linked stream runtime after releasing the stream lock. A local user can trigger a concurrent close() on the linked stream's file descriptor to cause a denial of service.
The issue occurs because the drain path dereferences stale runtime fields from a linked stream after the runtime can be freed by concurrent unlink and detach operations.
58) Double free (CVE-ID: CVE-2026-43494)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in rds_message_zcopy_from_user() and rds_message_purge() when handling a zerocopy page pin failure during sendmsg processing. A local user can trigger a page pin failure and subsequent cleanup to cause a denial of service.
59) Resource management error (CVE-ID: CVE-2026-43500)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber
The vulnerability allows a local user to escalate privileges on the system.
The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.
Note, this vulnerability is one of two issues described as Dirty Frag.
60) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify the page cache of a root-owned read-only file.
The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.
One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.
61) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46300)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to improper state management in skb_try_coalesce() when transferring paged fragments during TCP receive coalescing. A local user can trigger packet processing that moves shared fragments into an unmarked skb to cause memory corruption.
The issue can lead ESP input to incorrectly treat an uncloned nonlinear skb as not having shared fragments and perform in-place decryption over externally owned or page-cache-backed fragments.
62) Improper access control (CVE-ID: CVE-2026-46333)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to improper access control in ptrace_may_access() when checking dumpability for tasks without an associated mm pointer. A local privileged user can inspect kernel thread details to disclose sensitive information.
The issue affects cases involving threads that no longer have a VM or never had one, such as kernel threads.
Remediation
Install update from vendor's website.