SB2026071430 - Ubuntu update for linux-xilinx-zynqmp



SB2026071430 - Ubuntu update for linux-xilinx-zynqmp

Published: July 14, 2026

Security Bulletin ID SB2026071430
CSH Severity
High
Patch available
YES
Number of vulnerabilities 83
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 6% Medium 25% Low 69%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 83 vulnerabilities.


1) Use After Free (CVE-ID: CVE-2026-23351)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.

Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.


2) Use-after-free (CVE-ID: CVE-2026-23202)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the tegra_qspi_combined_seq_xfer() function in drivers/spi/spi-tegra210-quad.c. A local user can escalate privileges on the system.


3) NULL pointer dereference (CVE-ID: CVE-2026-23206)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the dpaa2_switch_init() function in drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c. A local user can perform a denial of service (DoS) attack.


4) Use-after-free (CVE-ID: CVE-2026-23216)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the iscsit_dec_conn_usage_count() function in drivers/target/iscsi/iscsi_target_util.c. A local user can escalate privileges on the system.


5) Exposed IOCTL with Insufficient Access Control (CVE-ID: CVE-2026-23256)

CWE-ID: CWE-782 - Exposed IOCTL with Insufficient Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a memory leak.

The vulnerability exists due to an off-by-one error in the VF setup_nic_devices() cleanup function in the net: liquidio component when initializing network devices. A local user can trigger a failure during device setup to cause a memory leak.

The vulnerability specifically affects the cleanup logic in setup_nic_devices() where the loop fails to release memory for the current index on error path. This requires the ability to configure or trigger virtual function (VF) device initialization, typically available to privileged users.


6) Exposed IOCTL with Insufficient Access Control (CVE-ID: CVE-2026-23257)

CWE-ID: CWE-782 - Exposed IOCTL with Insufficient Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an off-by-one error in the PF setup_nic_devices() function in the liquidio network driver when handling device initialization cleanup. A local user can trigger improper cleanup of allocated resources to cause a denial of service.

The vulnerability specifically results in a memory leak during device setup failure, which may lead to resource exhaustion over time. Administrative privileges are required to trigger the device setup process.


7) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23258)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a memory leak.

The vulnerability exists due to improper memory management in the net: liquidio component when initializing network devices. A local user can trigger a failure during queue setup to cause a memory leak.

The issue occurs because the netdev pointer is not initialized before calling netif_set_real_num_rx_queues() and netif_set_real_num_tx_queues(), leading to failure in freeing the allocated netdev on error paths.


8) Out-of-bounds write (CVE-ID: CVE-2026-23262)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption and incorrect statistics reporting.

The vulnerability exists due to improper buffer size management in the gve driver's statistics reporting region when changing the number of queues. A local user can trigger a queue count change to cause the NIC to write past the allocated stats region or create gaps in stats reporting.

The issue arises because the driver and NIC miscalculate offsets into the shared memory region during queue count changes, potentially leading to memory corruption or incorrect statistics.


9) Use After Free (CVE-ID: CVE-2026-23272)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.

Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.


10) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23274)

CWE-ID: CWE-668 - Exposure of resource to wrong sphere

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the netfilter xt_IDLETIMER module when processing timer rules with reused labels. A local user can insert a revision 0 IDLETIMER rule with a label that was previously used by a revision 1 rule with XT_IDLETIMER_ALARM, leading to modification of an uninitialized timer_list object, which can trigger debugobjects warnings and potentially cause a kernel panic when panic_on_warn=1 is enabled.

Exploitation requires the ability to load netfilter rules. The impact is limited to denial of service via system crash under specific kernel configurations.


11) Resource exhaustion (CVE-ID: CVE-2026-23278)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the netfilter nf_tables component when processing transaction batches containing multiple catchall elements. A local user can provide a specially crafted batch request to cause a denial of service.

Exploitation requires the ability to inject or modify netfilter rules via the nf_tables interface, which is typically restricted to privileged users. The issue occurs during transaction abort processing, leading to a use-after-free condition that triggers a kernel warning and system instability.


12) Memory leak (CVE-ID: CVE-2026-23198)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the irqfd_shutdown(), irqfd_wakeup() and kvm_irqfd_deassign() functions in virt/kvm/eventfd.c. A local user can perform a denial of service (DoS) attack.


13) Use-after-free (CVE-ID: CVE-2026-23428)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in smb2_get_ksmbd_tcon compound request handling when processing crafted compound smb requests. A remote attacker can send a compound request that disconnects a tree connection and then triggers subsequent commands to dereference freed share_conf data to cause a denial of service.

The issue occurs because the compound request reuse path reuses work->tcon without validating that t_state remains TREE_CONNECTED after an SMB2_TREE_DISCONNECT operation.


14) Use-after-free (CVE-ID: CVE-2026-23450)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.

The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.


15) NULL pointer dereference (CVE-ID: CVE-2026-23450)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.

The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.


16) Out-of-bounds read (CVE-ID: CVE-2026-23455)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.


17) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.


18) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.


19) Use-after-free (CVE-ID: CVE-2026-31419)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.

The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.


20) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-31478)

CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper buffer size calculation in smb2_calc_max_out_buf_len() when handling SMB2 compound read responses. A remote user can send a specially crafted SMB request to cause a denial of service.


21) Use-after-free (CVE-ID: CVE-2026-31504)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.

The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.


22) Use-after-free (CVE-ID: CVE-2025-68263)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ipc_msg_send_request() function in fs/smb/server/transport_ipc.c. A local user can escalate privileges on the system.


23) Improper locking (CVE-ID: CVE-2022-48816)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the xs_get_srcport() function in net/sunrpc/xprtsock.c, within the rpc_sysfs_xprt_srcaddr_show() function in net/sunrpc/sysfs.c. A local user can perform a denial of service (DoS) attack.


24) Use-after-free (CVE-ID: CVE-2023-53673)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the hci_cs_disconnect() function in net/bluetooth/hci_event.c. A local user can escalate privileges on the system.


25) Use-after-free (CVE-ID: CVE-2024-35862)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the smb2_is_network_name_deleted() function in fs/smb/client/smb2ops.c. A remote non-authenticated attacker can perform a denial of service (DoS) attack.


26) Improper locking (CVE-ID: CVE-2024-50060)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __io_cqring_overflow_flush() function in io_uring/io_uring.c. A local user can perform a denial of service (DoS) attack.


27) Use-after-free (CVE-ID: CVE-2025-37778)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a use-after-free error within the krb5_authenticate() function in fs/smb/server/smb2pdu.c. A remote attacker can trick the victim into connecting to a malicious SMB server and execute arbitrary code on the target system.


28) Buffer overflow (CVE-ID: CVE-2025-37822)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the arch_uprobe_copy_ixol() function in arch/riscv/kernel/probes/uprobes.c. A local user can perform a denial of service (DoS) attack.


29) Use-after-free (CVE-ID: CVE-2025-37924)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the krb5_authenticate() function in fs/smb/server/smb2pdu.c, within the ksmbd_krb5_authenticate() function in fs/smb/server/auth.c. A local user can escalate privileges on the system.


30) Buffer overflow (CVE-ID: CVE-2025-38201)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the jffs2_sum_write_sumnode() function in fs/jffs2/summary.c. A local user can perform a denial of service (DoS) attack.


31) Out-of-bounds read (CVE-ID: CVE-2025-40082)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the hfsplus_listxattr() function in fs/hfsplus/xattr.c. A local user can perform a denial of service (DoS) attack.


32) NULL pointer dereference (CVE-ID: CVE-2025-68214)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the __try_to_del_timer_sync() function in kernel/time/timer.c. A local user can perform a denial of service (DoS) attack.


33) Use-after-free (CVE-ID: CVE-2026-31533)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a use-after-free.

The vulnerability exists due to use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.

The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.


34) Double free (CVE-ID: CVE-2025-71089)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the iommu_sva_bind_device() function in drivers/iommu/iommu-sva.c. A local user can perform a denial of service (DoS) attack.


35) Input validation error (CVE-ID: CVE-2025-71220)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the create_smb2_pipe() function in fs/smb/server/smb2pdu.c. A local user can perform a denial of service (DoS) attack.


36) Input validation error (CVE-ID: CVE-2025-71222)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the wl1271_tx_allocate() function in drivers/net/wireless/ti/wlcore/tx.c. A local user can perform a denial of service (DoS) attack.


37) Resource management error (CVE-ID: CVE-2025-71224)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the ieee80211_ocb_rx_no_sta() function in net/mac80211/ocb.c. A local user can perform a denial of service (DoS) attack.


38) Memory leak (CVE-ID: CVE-2026-23176)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the toshiba_haps_add() function in drivers/platform/x86/toshiba_haps.c. A local user can perform a denial of service (DoS) attack.


39) Out-of-bounds read (CVE-ID: CVE-2026-23180)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the dpaa2_switch_irq0_handler_thread() function in drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c. A local user can perform a denial of service (DoS) attack.


40) Memory leak (CVE-ID: CVE-2026-23182)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the tegra_slink_probe() function in drivers/spi/spi-tegra20-slink.c. A local user can perform a denial of service (DoS) attack.


41) Memory leak (CVE-ID: CVE-2026-23190)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the acp_pdm_dma_close() function in sound/soc/amd/renoir/acp3x-pdm-dma.c. A local user can perform a denial of service (DoS) attack.


42) Use-after-free (CVE-ID: CVE-2026-23193)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the iscsit_dec_session_usage_count() function in drivers/target/iscsi/iscsi_target_util.c. A local user can escalate privileges on the system.


43) Integer underflow (CVE-ID: CVE-2026-46043)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in rxe_rcv when processing a crafted RDMA packet with a forged BTH pad field and insufficient length. A remote attacker can send a specially crafted packet to cause a denial of service.

The issue occurs because payload_size() uses the attacker-controlled pad value and ICRC size when calculating the payload length.


44) Integer overflow (CVE-ID: CVE-2026-43341)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in ioam6_fill_trace_data() when processing IPv6 IOAM trace data with bit 22 enabled and a maximal schema payload. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because the schema length can wrap from 256 to 0, bypassing the remaining-space check and leading to a trace buffer overrun.


45) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43383)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to observable timing differences in tcp-md5 MAC comparison when verifying TCP MD5 signatures. A remote attacker can measure response timing during crafted network interactions to disclose sensitive information.


46) Out-of-bounds read (CVE-ID: CVE-2026-43406)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in process_message_header() when processing a maliciously corrupted message frame. A remote attacker can send a specially crafted message frame to disclose sensitive information.

The issue can be triggered if the control segment length is smaller than the message header size or if a different frame is made to appear as a message frame.


47) Integer overflow (CVE-ID: CVE-2026-43407)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an integer overflow leading to an out-of-bounds read in ceph_handle_auth_reply() when processing a CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted CEPH_MSG_AUTH_REPLY message to disclose sensitive information.


48) Double free (CVE-ID: CVE-2026-43414)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in qla24xx_els_dcmd_iocb() error handling when releasing fcport references. A local user can trigger an error condition to cause a denial of service.


49) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43493)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of error conditions in the pcrypt crypto subsystem when processing MAY_BACKLOG requests. A local user can trigger requests that return EBUSY to cause a denial of service.


50) Double free (CVE-ID: CVE-2026-43494)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in rds_message_zcopy_from_user() and rds_message_purge() when handling a zerocopy page pin failure during sendmsg processing. A local user can trigger a page pin failure and subsequent cleanup to cause a denial of service.


51) Out-of-bounds write (CVE-ID: CVE-2026-43501)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in ipv6_rpl_srh_rcv() and skb_mac_header_rebuild() when processing a crafted IPv6 packet with a recompressed type-3 source routing header. A local user can send a specially crafted raw IPv6 packet to trigger an out-of-bounds write and cause a denial of service.

Exploitation requires the ability to send an AF_INET6 SOCK_RAW packet with IPV6_HDRINCL over the loopback interface.


52) Improper Initialization (CVE-ID: CVE-2026-45988)

CWE-ID: CWE-665 - Improper Initialization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state management in RxRPC packet processing when handling RESPONSE or CHALLENGE packets after a temporary processing failure. A remote attacker can send a sequence of crafted packets that trigger packet reprocessing to cause a denial of service.

The issue can occur when a packet is left in a partially decrypted state and then requeued for retry.


53) Race condition (CVE-ID: CVE-2026-46028)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the algif_aead AF_ALG AEAD request handling when processing asynchronous AEAD AIO requests. A local user can trigger concurrent socket activity to cause a denial of service.

The issue arises because in-flight operations depend on a mutable socket-wide IV buffer that can be changed before the original request completes.


54) Improper input validation (CVE-ID: CVE-2026-43304)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in process_auth_done() when decoding ceph authentication keys. A remote attacker can send a crafted key with excessive key material to cause a denial of service.


55) Out-of-bounds read (CVE-ID: CVE-2026-46119)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in libceph auth message processing when handling a crafted CEPH_MSG_AUTH_REPLY message. A remote attacker can send a specially crafted auth reply message to disclose sensitive information.

The issue occurs when a positive result value is misinterpreted as the size of the front segment to send, which can cause memory beyond the allocated buffer to be transmitted.


56) Race condition (CVE-ID: CVE-2026-46135)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition in nvmet_tcp_handle_icreq() and target-side queue teardown when processing an initialization connection request and a connection close concurrently. A remote attacker can send an initialization connection request and immediately close the connection to cause a denial of service.

The issue can lead to a second kref_put() being issued on an already released queue.


57) Integer overflow (CVE-ID: CVE-2026-46195)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer overflow in parse_sec_desc(), build_sec_desc(), and id_mode_to_cifs_acl() when processing a server-supplied security descriptor with a crafted dacloffset value. A remote attacker can return a malicious security descriptor to trigger pointer wraparound and cause a denial of service.

The issue affects 32-bit builds and can be reached through the chmod/chown rewrite paths.


58) Improper input validation (CVE-ID: CVE-2026-46243)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information, modify data, or cause a denial of service.

The vulnerability exists due to improper input validation in the cifs.spnego key description handling in fs/smb/client/cifs_spnego.c when processing userspace-created cifs.spnego keys through request_key(2) or add_key(2). A local user can supply a crafted cifs.spnego description to disclose sensitive information, modify data, or cause a denial of service.

The issue arises because authority-bearing fields such as pid, uid, creduid, and upcall_target may be treated by cifs.upcall as kernel-originating inputs.


59) Improper access control (CVE-ID: CVE-2026-46333)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Clear


The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists due to improper access control in ptrace_may_access() when checking dumpability for tasks without an associated mm pointer. A local privileged user can inspect kernel thread details to disclose sensitive information.

The issue affects cases involving threads that no longer have a VM or never had one, such as kernel threads.


60) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46300)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to improper state management in skb_try_coalesce() when transferring paged fragments during TCP receive coalescing. A local user can trigger packet processing that moves shared fragments into an unmarked skb to cause memory corruption.

The issue can lead ESP input to incorrectly treat an uncloned nonlinear skb as not having shared fragments and perform in-place decryption over externally owned or page-cache-backed fragments.


61) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to modify the page cache of a root-owned read-only file.

The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.

One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.


62) Resource management error (CVE-ID: CVE-2026-43500)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber


The vulnerability allows a local user to escalate privileges on the system.

The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.

Note, this vulnerability is one of two issues described as Dirty Frag.


63) Resource management error (CVE-ID: CVE-2026-43284)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Amber


The vulnerability allows a local user to escalate privileges on the system.

The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges. 

Note, this is one of two vulnerabilities reported as Dirty Frag.


64) Double free (CVE-ID: CVE-2026-43011)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to double free in x25_queue_rx_frame and x25_backlog_rcv when processing received x25 frames after alloc_skb failure. A local attacker can trigger the error path to cause a denial of service.


65) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.

The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.


66) Improper input validation (CVE-ID: CVE-2026-31637)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in rxkad_decrypt_ticket() when processing a malformed RXKAD RESPONSE ticket with a non-block-aligned length. A remote attacker can send a specially crafted response ticket to cause a denial of service.


67) Integer underflow (CVE-ID: CVE-2026-31649)

CWE-ID: CWE-191 - Integer underflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information and cause memory corruption.

The vulnerability exists due to integer underflow in jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.

On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.


68) Use-after-free (CVE-ID: CVE-2026-31657)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the batman-adv BLA claim handling code when processing netlink claim dump operations or checking claims. A local user can trigger concurrent claim updates and reader access to dereference a freed backbone gateway pointer to cause a denial of service.


69) Heap-based buffer overflow (CVE-ID: CVE-2026-31659)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in batadv_tt_prepare_tvlv_global_data() when processing an oversized global TT response from a remote originator. A remote attacker can advertise a large global TT to trigger a wrapped allocation and write past the end of the heap object to cause a denial of service or execute arbitrary code.


70) Improper access control (CVE-ID: CVE-2026-31668)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass routing policy restrictions.

The vulnerability exists due to improper access control in the seg6 lwtunnel dst_cache handling when processing input and output paths in different routing contexts. A local user can trigger packet processing through one path so that the other path reuses an incorrect cached destination to bypass routing policy restrictions.

The issue occurs because a single destination cache is shared between seg6_input_core() and seg6_output_core(), even though these paths may perform SID lookup under different routing contexts such as ingress-interface-based rules or VRF table separation.


71) Use-after-free (CVE-ID: CVE-2026-31669)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.

The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.


72) Out-of-bounds read (CVE-ID: CVE-2026-31682)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.


73) Improper input validation (CVE-ID: CVE-2026-31685)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.


74) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31431)

CWE-ID: CWE-664 - Improper control of a resource through its lifetime

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper memory handling within the authencesn cryptographic template in algif_aead when processing AEAD operations. A local user can trigger the vulnerable code path to execute arbitrary code on the system.

Note, this vulnerability was dubbed "Copy Fail". 


75) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43033)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of high-order sequence bits in authencesn when decrypting data out of place. A local user can trigger out-of-place decryption with a specially crafted data layout to cause a denial of service.


76) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.

The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.


77) Out-of-bounds read (CVE-ID: CVE-2026-43038)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.

The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.


78) Out-of-bounds read (CVE-ID: CVE-2026-43071)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in dentry_hashtable when processing lookups with dhash_entries set to 1. A local user can trigger filesystem lookup operations to cause a denial of service.

The issue occurs because a single hash bucket can cause an invalid shift calculation that leads to access of unallocated memory.


79) Improper input validation (CVE-ID: CVE-2026-43077)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in algif_aead when processing decryption requests. A local user can provide a crafted receive buffer size to cause a denial of service.


80) Out-of-bounds write (CVE-ID: CVE-2026-43078)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in af_alg_pull_tsgl when reassigning pages. A local user can trigger page reassignment that reassigns one more page than necessary to cause a denial of service.


81) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43114)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of stale bits in nft_set_pipapo_avx2 match functions in the netfilter pipapo set implementation when processing crafted set elements during avx2-based matching. A local user can load and reload a crafted pipapo set to cause a denial of service.

The issue occurs with avx2 matching functions and can cause a non-matching expired entry to be treated as a match after a set flush and reload operation.


82) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-43117)

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of the superblock reference in the btrfs tracepoint event btrfs_sync_file() when overlay is used on top of btrfs. A local user can trigger file synchronization on the affected filesystem to cause a denial of service.

The issue occurs because the dentry superblock may resolve to the overlay superblock instead of the btrfs superblock.


83) Heap-based buffer overflow (CVE-ID: CVE-2026-43186)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in __ioam6_fill_trace_data() when processing a crafted incoming IPv6 IOAM packet on the receive path. A remote attacker can send a specially crafted packet to cause a denial of service.

A packet with an inconsistent nodelen field and type bits can trigger an out-of-bounds write of about 100 bytes into adjacent heap memory.


Remediation

Install update from vendor's website.