SB2026060547 - openEuler 24.03 LTS SP1 update for kernel
Published: June 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 101 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2025-22060)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the mvpp2_prs_hw_write(), mvpp2_prs_init_from_hw(), mvpp2_prs_flow_find(), mvpp2_prs_mac_drop_all_set(), mvpp2_prs_mac_promisc_set(), mvpp2_prs_dsa_tag_set(), mvpp2_prs_dsa_tag_ethertype_set(), mvpp2_prs_vlan_find(), mvpp2_prs_vlan_add(), mvpp2_prs_double_vlan_find(), mvpp2_prs_double_vlan_add(), mvpp2_prs_mac_init(), mvpp2_prs_vlan_init(), mvpp2_prs_vid_range_find(), mvpp2_prs_vid_entry_add(), mvpp2_prs_vid_entry_remove(), mvpp2_prs_vid_remove_all(), mvpp2_prs_vid_disable_filtering(), mvpp2_prs_vid_enable_filtering(), mvpp2_prs_default_init(), mvpp2_prs_mac_da_range_find(), mvpp2_prs_mac_da_accept(), mvpp2_prs_mac_del_all(), mvpp2_prs_tag_mode_set(), mvpp2_prs_add_flow(), mvpp2_prs_def_flow() and mvpp2_prs_hits() functions in drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c, within the mvpp2_probe() function in drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c. A local user can escalate privileges on the system.
2) NULL pointer dereference (CVE-ID: CVE-2025-23145)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the subflow_hmac_valid() and subflow_syn_recv_sock() functions in net/mptcp/subflow.c. A local user can perform a denial of service (DoS) attack.
3) Improper locking (CVE-ID: CVE-2025-39833)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the hfcpci_softirq() and HFC_init() functions in drivers/isdn/hardware/mISDN/hfcpci.c. A local user can perform a denial of service (DoS) attack.
4) Resource management error (CVE-ID: CVE-2025-68334)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the drivers/platform/x86/amd/pmc/pmc.h. A local user can perform a denial of service (DoS) attack.
5) Resource management error (CVE-ID: CVE-2025-68340)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the team_port_add() function in drivers/net/team/team_core.c. A local user can perform a denial of service (DoS) attack.
6) Resource management error (CVE-ID: CVE-2025-71094)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the asix_read_phy_addr() function in drivers/net/usb/asix_common.c. A local user can perform a denial of service (DoS) attack.
7) Improper error handling (CVE-ID: CVE-2025-71098)
CWE-ID: CWE-388 - Error Handling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the ip6gre_header() function in net/ipv6/ip6_gre.c. A local user can perform a denial of service (DoS) attack.
8) Out-of-bounds read (CVE-ID: CVE-2025-71112)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the hclge_set_vlan_filter() function in drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c. A local user can perform a denial of service (DoS) attack.
9) Memory leak (CVE-ID: CVE-2025-71123)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the parse_apply_sb_mount_options() function in fs/ext4/super.c. A local user can perform a denial of service (DoS) attack.
10) NULL pointer dereference (CVE-ID: CVE-2025-71130)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the eb_lookup_vmas(), i915_gem_do_execbuffer() and i915_gem_execbuffer2_ioctl() functions in drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c. A local user can perform a denial of service (DoS) attack.
11) Memory leak (CVE-ID: CVE-2025-71132)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the smc_rcv() function in drivers/net/ethernet/smsc/smc91x.c. A local user can perform a denial of service (DoS) attack.
12) Improper locking (CVE-ID: CVE-2025-71160)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the nft_validate_state_update(), nf_tables_rule_release(), nft_chain_validate() and nft_table_validate() functions in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.
13) Improper locking (CVE-ID: CVE-2025-71194)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the is_transaction_blocked(), start_transaction() and btrfs_wait_for_commit() functions in fs/btrfs/transaction.c. A local user can perform a denial of service (DoS) attack.
14) Use-after-free (CVE-ID: CVE-2025-71202)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the kernel_pgtable_work_func() function in mm/pgtable-generic.c. A local user can escalate privileges on the system.
15) Insufficient logging (CVE-ID: CVE-2025-71239)
CWE-ID: CWE-778 - Insufficient Logging
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass audit logging.
The vulnerability exists due to improper audit event classification in the audit subsystem when handling the fchmodat2() system call. A local user can invoke fchmodat2() to change file attributes in a manner similar to chmod() or fchmodat(), which bypasses existing audit rules designed to monitor such operations.
The vulnerability specifically affects audit rules that monitor file attribute changes, allowing unauthorized attribute modifications to go unlogged. Authentication and local access are required to exploit this vulnerability.
16) Use-after-free (CVE-ID: CVE-2026-23001)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the macvlan_hash_lookup_source(), macvlan_hash_add_source(), macvlan_hash_add(), macvlan_flush_sources(), macvlan_forward_source() and macvlan_fill_info_macaddr() functions in drivers/net/macvlan.c. A local user can escalate privileges on the system.
17) NULL pointer dereference (CVE-ID: CVE-2026-23063)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the uacce_start_queue() and uacce_fops_unl_ioctl() functions in drivers/misc/uacce/uacce.c. A local user can perform a denial of service (DoS) attack.
18) Use-after-free (CVE-ID: CVE-2026-23074)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the teql_qdisc_init() function in net/sched/sch_teql.c. A local user can escalate privileges on the system.
19) Out-of-bounds read (CVE-ID: CVE-2026-23102)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the restore_sve_fpsimd_context() function in arch/arm64/kernel/signal.c. A local user can perform a denial of service (DoS) attack.
20) Improper locking (CVE-ID: CVE-2026-23161)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the shmem_delete_from_page_cache() and shmem_undo_range() functions in mm/shmem.c. A local user can perform a denial of service (DoS) attack.
21) Out-of-bounds read (CVE-ID: CVE-2026-23243)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.
Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.
22) Resource exhaustion (CVE-ID: CVE-2026-23244)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the nvme_pr_read_keys() function when processing a user-provided num_keys value. A local user can send a specially crafted request with a large num_keys value to cause excessive memory allocation attempts, leading to a denial of service.
Exploitation requires local system access and the ability to invoke NVMe ioctl commands. No authentication beyond standard system access is required.
23) Use After Free (CVE-ID: CVE-2026-23272)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.
Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.
24) Uncontrolled Recursion (CVE-ID: CVE-2026-23312)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kaweth USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered remote as it targets kernel-level USB subsystem handling.
25) Use After Free (CVE-ID: CVE-2026-23340)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to a use-after-free in the network scheduler (qdisc) component when resetting transmit queues for lockless qdiscs during changes in the number of real transmit queues. A local user can trigger a race condition between qdisc_reset() and the packet dequeue path, leading to use-after-free and potential execution of arbitrary code or system crash.
Exploitation requires the ability to modify network interface queue configurations, which typically requires local user privileges. The issue affects systems using lockless qdiscs such as pfifo_fast, especially under high network load and frequent queue resizing operations.
26) Out-of-bounds read (CVE-ID: CVE-2026-23448)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp16() and cdc_ncm_rx_fixup() when parsing a crafted NDP16 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.
The issue occurs because the DPE array size check does not account for ndpoffset, allowing DPE entries near the end of the buffer to extend past the skb data buffer and be read out of bounds.
27) Race condition (CVE-ID: CVE-2026-23473)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a wakeup race in io_uring multishot recv polling when processing socket wakeups and shutdown state changes. A local user can trigger back-to-back socket send and shutdown events to cause a denial of service.
The issue can cause the multishot recv operation to hang indefinitely because the shutdown event may be lost and no further wakeups occur.
28) Improper access control (CVE-ID: CVE-2026-31392)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to a share using incorrect credentials.
The vulnerability exists due to improper access control in the smb client session matching logic when processing cifs mounts with sec=krb5 and a username mount option. A local user can mount another share with a different username option to gain access to a share using incorrect credentials.
The issue occurs when Kerberos mounts reuse an SMB session from a previous mount even though a different username was specified, which can cause a mount that should fail with -ENOKEY to proceed with the first user's session.
29) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-31398)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to incorrect pte restoration in folio_unmap_pte_batch() when restoring page table entries for lazyfree folios during reclaim. A local user can trigger a crafted memory-management sequence to cause a denial of service.
The issue can lead to a kernel BUG and crash when a batch contains a mix of writable and non-writable bits, causing writable mappings to be restored incorrectly and breaking anonymous memory copy-on-write semantics.
30) NULL pointer dereference (CVE-ID: CVE-2026-31421)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in fw_classify() in the cls_fw packet classifier when classifying a packet after attaching an empty cls_fw filter to a shared block using the old method without TCA_OPTIONS. A local user can attach such a filter and trigger packet classification with a nonzero major skb mark to cause a denial of service.
The issue occurs because shared blocks leave block->q NULL in the old-method path.
31) NULL pointer dereference (CVE-ID: CVE-2026-31422)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in flow_change() in the cls_flow classifier when creating a flow filter without a fully qualified baseclass on a shared block. A local user can create such a flow filter to cause a denial of service.
32) Double free (CVE-ID: CVE-2026-31429)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a cross-cache free in skb_kfree_head() when freeing KFENCE-allocated skb head data. A local user can trigger allocation and freeing of a specially sized skb head object to cause a denial of service.
Exploitation requires KFENCE to be enabled.
33) Out-of-bounds read (CVE-ID: CVE-2026-31430)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the X.509 extension parser when parsing a certificate with an empty Basic Constraints or Key Usage extension. A local user can submit a specially crafted certificate through the keyrings(7) API to cause a denial of service.
34) Improper resource shutdown or release (CVE-ID: CVE-2026-31441)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in idxd workqueue reset handling when resetting a workqueue. A local user can trigger a workqueue reset to cause a denial of service.
35) Use-after-free (CVE-ID: CVE-2026-31442)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the idxd dmaengine driver when handling a second function level reset after a prior reset completed and scratch area allocation fails. A local user can trigger this condition to cause a denial of service.
36) Use-after-free (CVE-ID: CVE-2026-31446)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in ext4 update_super_work when racing with filesystem unmount. A local user can trigger error notification activity during unmount to cause a denial of service.
The issue occurs because sysfs notification may access a freed kernfs_node after sysfs teardown during the race.
37) Out-of-bounds read (CVE-ID: CVE-2026-31449)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in ext4_ext_correct_indexes when processing a corrupted or crafted on-disk extent header. A local user can supply a crafted filesystem image to disclose sensitive information.
38) Race condition (CVE-ID: CVE-2026-31450)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.
The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.
39) Reachable assertion (CVE-ID: CVE-2026-31451)
CWE-ID: CWE-617 - Reachable Assertion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of oversized inline data in ext4_read_inline_folio when reading inline data from a crafted ext4 filesystem. A local user can trigger processing of inline data whose size exceeds PAGE_SIZE to cause a denial of service.
40) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31452)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.
The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.
41) Resource exhaustion (CVE-ID: CVE-2026-31467)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the erofs bio completion path when processing decompression in process context. A local user can trigger memory pressure during this operation to cause a denial of service.
The issue can lead to a deadlock when memory reclaim causes swap I/O through submit_bio_wait.
42) Use-after-free (CVE-ID: CVE-2026-31469)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the virtio_net driver transmit path when transmitting packets after the network namespace is destroyed while previously queued skbs are still pending. A local user can trigger packet transmission and network namespace teardown to cause a denial of service.
The issue occurs when the virtio_net driver is configured with napi_tx disabled and the device's IFF_XMIT_DST_RELEASE flag is cleared.
43) Use-after-free (CVE-ID: CVE-2026-31487)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the SPI driver_override handling when matching drivers during device probing. A local user can trigger driver probing to cause a denial of service.
44) Improper input validation (CVE-ID: CVE-2026-31495)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in ctnetlink when handling netlink attribute values. A local user can send a specially crafted netlink message to cause a denial of service.
The issue involves invalid TCP state, window scale, and flag values accepted through ctnetlink attributes.
45) Improper access control (CVE-ID: CVE-2026-31496)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in nf_conntrack_expect proc handling when reading proc entries. A local user can read expectation entries from other network namespaces to disclose sensitive information.
46) Resource exhaustion (CVE-ID: CVE-2026-31498)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in the Bluetooth L2CAP ERTM implementation when processing configuration requests and segmenting user-supplied protocol data. A remote attacker can send specially crafted L2CAP configuration data to cause a denial of service.
The issue can be triggered during channel reconfiguration in the connected state, and a zero remote_mps value can lead to an infinite loop that exhausts available memory.
47) Deadlock (CVE-ID: CVE-2026-31499)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in l2cap_conn_del() when canceling delayed work items. A local user can trigger Bluetooth L2CAP connection deletion while the associated timer work is executing to cause a denial of service.
48) Out-of-bounds write (CVE-ID: CVE-2026-31505)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds write in iavf_get_ethtool_stats() when handling concurrent ethtool channel and statistics operations. A local user can issue crafted ethtool requests to cause a denial of service.
The issue can be triggered when "ethtool -L" and "ethtool -S" are executed simultaneously during queue reconfiguration.
49) NULL pointer dereference (CVE-ID: CVE-2026-31510)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in l2cap_sock_ready_cb when handling L2CAP connection state changes. A local user can trigger the vulnerable code path to cause a denial of service.
The issue can lead to a kernel panic.
50) Use-after-free (CVE-ID: CVE-2026-31511)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in mgmt_add_adv_patterns_monitor_complete when handling Bluetooth management operations. A local user can trigger a crafted sequence of management operations to cause a denial of service.
The issue can be triggered by subsequent list traversal that dereferences freed memory.
51) Out-of-bounds read (CVE-ID: CVE-2026-31512)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in l2cap_ecred_data_rcv() when processing a crafted L2CAP Enhanced Credit Based Flow Control data packet with less than 2 bytes of data. A remote attacker can send a specially crafted Bluetooth packet to disclose sensitive information.
52) Use-after-free (CVE-ID: CVE-2026-31516)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in xfrm_hash_rebuild() when processing an XFRM_MSG_NEWSPDINFO request that queues policy_hthresh.work during net namespace teardown. A local user can send a specially crafted XFRM_MSG_NEWSPDINFO request to cause a denial of service.
53) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31518)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in esp_output_tail_tcp when handling a full espintcp TX queue with asynchronous crypto. A local user can trigger packet processing errors to cause a denial of service.
The issue occurs when asynchronous crypto is used instead of synchronous crypto.
54) Integer overflow (CVE-ID: CVE-2026-31525)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to access out-of-bounds map values.
The vulnerability exists due to improper handling of signed integer minimum values in the BPF interpreter's signed 32-bit division and modulo handlers when processing crafted BPF operations that use INT_MIN. A local user can load a crafted BPF program to access out-of-bounds map values.
The issue is caused by a verifier and interpreter mismatch in range tracking for signed 32-bit division and modulo operations.
55) Out-of-bounds read (CVE-ID: CVE-2026-31528)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds memory access in x86_pmu_del() when rolling back a failed group_sched_in() operation for a group whose leader is a software event. A local user can trigger a failed group scheduling operation to cause a denial of service.
The issue occurs because inherited events may use the wrong PMU context for grouped events.
56) Use-after-free (CVE-ID: CVE-2026-31532)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.
The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.
57) Use-after-free (CVE-ID: CVE-2026-31533)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a use-after-free.
The vulnerability exists due to use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.
The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.
58) NULL pointer dereference (CVE-ID: CVE-2026-31540)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the i915 driver suspend handling path when suspending a system without i915 driver firmware binaries present. A local user can trigger a suspend operation to cause a denial of service.
The issue occurs because the set_default_submission function pointer may be unset and still dereferenced during suspend.
59) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31542)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of deconfigured sockets in UV hub info structure allocation when allocating UV hub info structures for a socket mapped to SOCK_EMPTY. A local user can trigger allocation in this state to cause a denial of service.
60) NULL pointer dereference (CVE-ID: CVE-2026-31546)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in bond_debug_rlb_hash_show when reading debugfs entries for RLB hash-table entries with no assigned slave. A local user can read the affected debugfs entry to cause a denial of service.
The issue occurs when an entry remains on the rx_hashtbl_used_head list with its slave pointer set to NULL.
61) Use-after-free (CVE-ID: CVE-2026-31555)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a stale pointer in futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.
62) Use-after-free (CVE-ID: CVE-2026-31566)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in amdgpu_amdkfd_submit_ib() when waiting for GPU job completion after submitting a GPU job. A local user can trigger the vulnerable code path to cause a denial of service.
63) Out-of-bounds write (CVE-ID: CVE-2026-31570)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.
Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.
64) Integer overflow (CVE-ID: CVE-2026-31590)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of an integer overflow condition in sev_pin_memory() when processing a KVM_MEMORY_ENCRYPT_REG_REGION ioctl request with a crafted size value. A local user can submit a specially crafted ioctl request to cause a kernel warning.
The issue is reachable from userspace through the KVM SEV memory encryption region registration interface.
65) Race condition (CVE-ID: CVE-2026-31595)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the epf_ntb_cmd_handler work handler in pci-epf-vntb when cleaning up endpoint controller resources. A local user can trigger the vulnerable cleanup path to cause a denial of service.
66) Information disclosure (CVE-ID: CVE-2026-31628)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to disclose sensitive information.
The vulnerability exists due to improper isolation of partial divider results in x86 CPU handling when executing division operations on Zen1 processors. A local attacker can run a thread that observes residual partial results from previous operations to disclose sensitive information.
Exploitation requires another thread to access leaked partial results left by a previous operation under certain circumstances.
67) Stack-based buffer overflow (CVE-ID: CVE-2026-31630)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in the AF_RXRPC procfs helpers when formatting socket addresses for procfs output with "%pISpc". A local user can trigger address formatting with a specially crafted IPv6 address representation to cause a denial of service.
The issue occurs because the fixed 50-byte stack buffers are too small for the longest current IPv6-with-port textual form, including certain ISATAP address formats.
68) NULL pointer dereference (CVE-ID: CVE-2026-31651)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the vub300 mmc driver disconnect handler when disconnecting the device. A local user can trigger a device disconnect to cause a denial of service.
The issue may also lead to a use-after-free condition.
69) Use-after-free (CVE-ID: CVE-2026-31665)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nft_ct_timeout_obj_destroy() when destroying timeout objects during concurrent packet processing. A local user can trigger concurrent packet processing and object destruction to cause a denial of service.
The issue arises because other CPUs may still hold RCU-protected references to the timeout object.
70) Improper locking (CVE-ID: CVE-2026-31667)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock management in the uinput force-feedback handling path when processing force-feedback operations and device lifecycle events. A local user can trigger a circular locking dependency to cause a denial of service.
The issue can be triggered when using a force-feedback gamepad with uinput.
71) Out-of-bounds read (CVE-ID: CVE-2026-31675)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in netem_enqueue() when processing fully non-linear packets sent over an IPIP tunnel through an AF_PACKET TX_RING. A local user can send a specially crafted packet to cause a denial of service.
72) Resource exhaustion (CVE-ID: CVE-2026-31677)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in af_alg_get_rsgl() when processing recvmsg calls with data extraction into the RX scatterlist. A local user can send a specially crafted recvmsg request to cause a denial of service.
73) Race condition (CVE-ID: CVE-2026-31678)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the openvswitch tunnel device destruction path when destroying a tunnel vport after device unregistration. A local user can trigger concurrent access to a detached device reference to cause a denial of service.
74) Out-of-bounds read (CVE-ID: CVE-2026-31684)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in tcf_csum_act() when processing packets with nested in-payload VLAN headers. A remote attacker can send a specially crafted packet to cause a denial of service.
75) Improper input validation (CVE-ID: CVE-2026-31685)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.
76) Improper Initialization (CVE-ID: CVE-2026-31689)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in edac_mc_alloc() when handling a failed mci->pvt_info allocation. A local user can trigger the vulnerable error path to cause a denial of service.
The issue occurs because put_device() may invoke the device release function before device initialization has completed.
77) Out-of-bounds read (CVE-ID: CVE-2026-31697)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_get_id2 in the ccp/sev ioctl handler when handling a request to retrieve the CPU ID with a userspace buffer and length that are too small after a firmware command failure. A local user can issue a specially crafted ioctl request to disclose sensitive information.
The issue occurs when the firmware command fails due to an invalid length and the kernel still copies the firmware-required byte count to userspace.
78) Out-of-bounds read (CVE-ID: CVE-2026-31698)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in sev_ioctl_do_pdh_export when handling a PDH certificate export ioctl after a firmware command failure caused by an invalid length. A local user can provide a userspace buffer and length that are too small to trigger copying beyond the kernel-allocated buffer to disclose sensitive information.
The issue occurs when retrieving the PDH certificate and the firmware reports the required size after the supplied userspace buffer is too small.
79) Out-of-bounds read (CVE-ID: CVE-2026-31699)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sev_ioctl_do_pek_csr ioctl handler when processing a PEK CSR retrieval request after a failed firmware command. A local user can supply a too-small userspace buffer and length to trigger a copy to userspace that discloses sensitive information.
The issue occurs when the firmware reports an invalid length for the requested blob.
80) Out-of-bounds read (CVE-ID: CVE-2026-31708)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in smb2_ioctl_query_info() when processing a crafted QUERY_INFO response from an SMB server. A remote attacker can return a malformed response with an OutputBufferLength larger than the actual response buffer to disclose sensitive information.
81) Out-of-bounds read (CVE-ID: CVE-2026-31738)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in vxlan_na_create when parsing neighbor discovery options. A remote attacker can send a specially crafted packet to cause a denial of service.
82) NULL pointer dereference (CVE-ID: CVE-2026-31755)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in __cdns3_gadget_ep_queue() when queueing requests on a disabled or unconfigured gadget endpoint. A local user can trigger the vulnerable code path to cause a denial of service.
83) Out-of-bounds read (CVE-ID: CVE-2026-31771)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the Bluetooth HCI event handling logic when processing a short HCI event frame. A local attacker can send a specially crafted HCI event frame to cause a denial of service.
The issue occurs because wake reason storage is reached before per-event minimum payload length validation is enforced.
84) Improper Authentication (CVE-ID: CVE-2026-31773)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication requirements.
The vulnerability exists due to improper authentication state handling in the Bluetooth SMP legacy responder STK handling in smp_random() when processing Just Works or Confirm legacy pairing. A remote attacker can initiate a legacy pairing sequence that results in an unauthenticated STK being stored as authenticated to bypass authentication requirements.
The issue affects the legacy responder path and occurs when high security is requested but the pairing flow does not achieve MITM authentication.
85) Out-of-bounds read (CVE-ID: CVE-2026-31779)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in iwl_mvm_nd_match_info_handler() when processing a crafted notification packet. A local user can supply a notification with an insufficient packet length to disclose sensitive information.
86) Observable discrepancy (CVE-ID: CVE-2026-31781)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper restriction of speculative execution in drm_compat_ioctl when processing a user-controlled pointer used as an index into a function pointer table. A local user can supply a crafted index value to disclose sensitive information.
The issue affects the drm compat ioctl path.
87) Stack-based buffer overflow (CVE-ID: CVE-2026-43020)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in the Bluetooth MGMT Long Term Key load and reply handling logic when processing a crafted management LTK record with an oversized enc_size value. A remote user can supply a specially crafted LTK record to overflow a reply stack buffer to cause a denial of service or execute arbitrary code.
88) Use of uninitialized resource (CVE-ID: CVE-2026-43036)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper handling of packet header data in gso_features_check() when processing packets injected through PF_PACKET paths. A local attacker can inject a specially crafted packet to cause a denial of service.
The issue occurs because the IPv4 header access may rely on skb header offsets that are not always safe for direct dereference in this context.
89) Improper Initialization (CVE-ID: CVE-2026-43040)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper initialization in ndisc_ra_useropt when processing router advertisements with user options. A remote attacker can send a specially crafted router advertisement to disclose sensitive information.
The issue affects the RTM_NEWNDUSEROPT netlink message because padding fields in the nduseroptmsg structure are not zeroed before being exposed.
90) NULL pointer dereference (CVE-ID: CVE-2026-43043)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the crypto scatterwalk code when processing sendmsg() operations that chain a new scatter/gather list after an existing list is filled exactly to MAX_SGL_ENTS. A local user can send crafted messages through the AF_ALG interface to cause a denial of service.
The issue is triggered when a subsequent sendmsg() allocates a new scatter/gather list after the previous list's last data entry remains incorrectly marked as the end, leading to a kernel panic.
91) Improper resource shutdown or release (CVE-ID: CVE-2026-43064)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the idxd DSA/IAA device workqueue handling when releasing a device object. A local user can trigger release of a crafted or repeatedly created device object to cause a denial of service.
92) Out-of-bounds write (CVE-ID: CVE-2026-43079)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in uncore_pci_pmu_register() when parsing the discovery table for offline dies. A local user can trigger the vulnerable code path to cause a denial of service.
The issue can be triggered when NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0.
93) NULL pointer dereference (CVE-ID: CVE-2026-43148)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in parse_thread_groups() when parsing device tree thread group properties. A local user can trigger allocation failure conditions to cause a denial of service.
94) Improper input validation (CVE-ID: CVE-2026-43212)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in cpumask_of_node() when handling a NUMA_NO_NODE index. A local user can trigger the vulnerable code path to cause a denial of service.
The issue affects the LoongArch architecture-specific implementation.
95) Improper locking (CVE-ID: CVE-2026-43262)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper lock handling in gfs2_fiemap() when processing fiemap requests on a memory-mapped fiemap buffer associated with the same inode. A local user can trigger a page fault that leads to recursive glock taking to cause a denial of service.
96) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43273)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause data inconsistencies in snapshots.
The vulnerability exists due to improper context handling in ceph_zero_partial_object() when performing OSD write operations for partial object zeroing. A local user can modify a file and access its snapshot to cause data inconsistencies in snapshots.
Exploitation requires access to a CephFS mount and interaction with snapshot functionality.
97) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43345)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper register field definition in the IPA GSI event ring configuration logic when initializing event rings on IPA v5.0+ hardware. A local user can trigger channel operations that wait for transfer completion to cause a denial of service.
The issue can cause runtime suspend, system suspend, and remoteproc stop operations to hang indefinitely, and the IPA data path may become non-functional.
98) Memory leak (CVE-ID: CVE-2026-43419)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ceph_mdsc_build_path() when handling error paths. A local user can trigger the vulnerable code path to cause a denial of service.
99) Improper resource shutdown or release (CVE-ID: CVE-2026-43428)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore when handling USB message timeouts. A local user can trigger an excessively long synchronous timeout to cause a denial of service.
Exploitation can leave a task stuck in an uninterruptible wait until the target device is unplugged.
100) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43493)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of error conditions in the pcrypt crypto subsystem when processing MAY_BACKLOG requests. A local user can trigger requests that return EBUSY to cause a denial of service.
101) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify the page cache of a root-owned read-only file.
The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.
One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.
Remediation
Install update from vendor's website.