{
  "log": [
    {
      "commit": "7fd67046a01b01cece46a3bed1544c3e2622f974",
      "tree": "39f794fb70babd4918b382d8ec5ab62b3326fd00",
      "parents": [
        "9b8a275722b0d704f8d6415cc09e4d96049a3ead"
      ],
      "author": {
        "name": "Lee Jones",
        "email": "lee@kernel.org",
        "time": "Sun Dec 14 06:14:38 2025 +0000"
      },
      "committer": {
        "name": "Lee Jones",
        "email": "lee@kernel.org",
        "time": "Sun May 31 19:41:06 2026 +0100"
      },
      "message": "WIP: Skip items with no positive reviews\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit a6f218884fc58983aacf045012d8880dd5e78ca5)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit f2d1eeb13abe59cc6bf92431da7dbc8aa0718582)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit d90a0f127560182904eafc671ebdde887d36c541)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 330890ea4b167f49e32ffa513e1bca92d943994a)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit b28812aa63c20454f72be0177fe1f9b92a1ae4a9)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit a7006cc6e0878f3330db345ca1fc56bf2c2684bf)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 0f99349b0d8a42dfafaf21e2b6788c97c7330444)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 732c9ee9007bc24eb269135a813c1a2413c8a48b)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit f8199e35c99c674b8493ba64a46311f729297ffb)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit afa9e3b78256d50119e736ae87b44491bd711fed)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 230dedfbe0fbc32a8b24a531994108626adea692)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit f03afe0275b09939fef70fba396d68da73f7e54c)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n"
    },
    {
      "commit": "9b8a275722b0d704f8d6415cc09e4d96049a3ead",
      "tree": "6c21bf717379f74a82da3232c70599bdc370e12d",
      "parents": [
        "ce9fbb3bad9fc9fa1ebde7864edfd3b3288119cd"
      ],
      "author": {
        "name": "Lee Jones",
        "email": "lee@kernel.org",
        "time": "Tue Nov 19 11:44:46 2024 +0000"
      },
      "committer": {
        "name": "Lee Jones",
        "email": "lee@kernel.org",
        "time": "Sun May 31 19:41:03 2026 +0100"
      },
      "message": "WIP: Skip 0-vote / 0-regex-match commits when majority of voters have already voted\n\nAlso auto-vote positively if everyone else has voted positively.\n\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit c333c6821e63542d4addf97b1bedb01f465bebb0)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit af835422623c4356d20f91a15bac6a76fcb2bfa1)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 358ce186bba32ad7c89abd873ad65c43f342404b)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit f82690e417cd15a6bd079c6e57c804bb7fb4449d)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 71bde48a74ba4bf55fca4c4464c2072e1d4d9d5e)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 482c3ebb2d476ed988edf910db5123db22f5c171)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 880226f66d1345b67239d895fafca99988066401)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 1b8d4d2f3feb6cba2b5dc5a98ab8e1a95394bbfc)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit d64a906808e8b86156d27ad82da2a8b5d8ae6d42)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit a3a91f3cbd41b684e76e730003bddcf5823bb7f0)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 1cd184673a8e9cdda65a54d7d411b9f4b9dec8cb)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 1d5599a1abe243edc3e238ba6639c02512f62422)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 1e0f9c20ccd372c858d5772b34aaf97a790c7b12)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 9b8392fc5b0572fb858d584aad59840c07cafdc0)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 
d3f4590233d89ca8cda62560cbe74b51705e5b04)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit b3939fd42a18cc1e37da063d487b01c4ecaaedba)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 40b3e0cb648c84a544db508f0e789fc42071809a)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit f5582a38d9538c5a99eb1c3bc5e6ebbc077f3d65)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 756f33d0299c8956232bbfd2a31d554e82943f3a)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 33308bfae921c8b211e8fec9f36bc4699a003c2b)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 46510e955cf5ce5a1ca2435da636a1992549c1a0)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 4a250e0edd7b7134b25f0c38037f14a0438ce9db)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit ede2350627280b4a4e0aab9f1b372d76974b9c07)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 359ca23d5bab22d7caaf90a2d552b2ff8059f8ae)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 576526669a00fa05fae63538950282c0f2fce584)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 2e51e9b2c63d857e42ef26904711268fd080dbd0)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 14fb599b14332a8e22e23566f2ba8bbb469a494b)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n(cherry picked from commit 1fced27d548695148e80595d750da88a969a5da9)\nSigned-off-by: Lee Jones \u003clee@kernel.org\u003e\n"
    },
    {
      "commit": "ce9fbb3bad9fc9fa1ebde7864edfd3b3288119cd",
      "tree": "c3fd109e3daf8309ccc01da4f6cb88df89f5ddd7",
      "parents": [
        "60577eafa57df2a33e4d0ff86f0bc7164fd132e8"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 14:14:07 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 14:14:07 2026 +0200"
      },
      "message": "strip the new mbox file\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "60577eafa57df2a33e4d0ff86f0bc7164fd132e8",
      "tree": "bc5fefa397aef4df1a5d89cf976cdd5bfc042cf3",
      "parents": [
        "8beb79ceb379a1ab9382e7a5df407d169737416a"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 14:13:29 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 14:13:29 2026 +0200"
      },
      "message": "assign a cve on request\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "8beb79ceb379a1ab9382e7a5df407d169737416a",
      "tree": "6755cf9bcbf03c821130eca0b977f0451a137269",
      "parents": [
        "0851e95b94de61015f1dd814be2b5aba84d9d06a"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:59:22 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:59:22 2026 +0200"
      },
      "message": "updates based on new cvss scores\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "0851e95b94de61015f1dd814be2b5aba84d9d06a",
      "tree": "c1386d6af1c3e5560195ff3a7eafe2a782ba785e",
      "parents": [
        "4ff4e8f55ef6542882a1469229fd87ec8558568b",
        "c6099ec52a772e1f20c945f08eb1b142a1396d0d"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:43:17 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:43:17 2026 +0200"
      },
      "message": "Merge branch \u0027sasha-cvss-important\u0027\n\nTake the new updates\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "4ff4e8f55ef6542882a1469229fd87ec8558568b",
      "tree": "d0b0e25ea92790e4f9dbc7f31560356d2edcc41b",
      "parents": [
        "cf59435b0a2272267954eccc85b351d3b2390b79"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:42:29 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Sat May 30 12:42:29 2026 +0200"
      },
      "message": "updates for new .vulnerable entries\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "cf59435b0a2272267954eccc85b351d3b2390b79",
      "tree": "23597fc4fefaa9d5973e69bb227d1fcab5d01937",
      "parents": [
        "7e4b96390309d6bf136fd29de3ea7dd4d56a316e"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 17:45:20 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 17:45:20 2026 -0400"
      },
      "message": "sasha: review v7.0.10\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c6099ec52a772e1f20c945f08eb1b142a1396d0d",
      "tree": "56d7b880e2d8c62282d5c07db9cb18a9e4ef22e9",
      "parents": [
        "229be25e30ebf68b4d14b3bd31620b24db05cbc2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:45:29 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43497: Add CVSS 3.1 score (7.3 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H\n\nAV:L -The entire exploit is driven by local syscalls\n    (open/mmap/FBIOPUT_VSCREENINFO/close) on the /dev/fbN character\n    device; the attacker is a local software user, not a malicious USB\n    device feeding crafted data, so the vector to the vulnerable\n    component is local rather than physical.\nAC:L -The attacker reliably performs the mmap + realloc-via-ioctl +\n    close sequence and can detect the disconnect before closing; the\n    freed-page mapping is then deterministic with no race or\n    uncontrolled memory-layout condition required to trigger the UAF.\nPR:L -Exploitation requires read/write access to the framebuffer\n    device node, which is available to an ordinary\n    logged-in/video-group user (or kiosk app user) but not to a fully\n    unprivileged unauthenticated actor.\nUI:R -The freeing vfree only runs after a USB disconnect\n    (unregister_framebuffer), so completing the exploit depends on a\n    disconnect event (undock/unplug) performed by the user or\n    environment rather than by the attacker\u0027s own code.\nS:U -The use-after-free corrupts kernel memory within the same\n    security authority (the kernel); there is no VM, IOMMU, or sandbox\n    boundary crossed.\nC:H -The process keeps a read mapping to freed pages that are\n    recycled for arbitrary kernel allocations, allowing disclosure of\n    arbitrary kernel memory.\nI:H -The same mapping retains write access to the freed pages once\n    reused by other kernel objects, providing an arbitrary-write\n    primitive suitable for privilege escalation or control-flow hijack.\nA:H -A use-after-free of freed kernel pages readily causes memory\n    corruption and a kernel panic/oops.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "229be25e30ebf68b4d14b3bd31620b24db05cbc2",
      "tree": "706ef00954ecff03424d61e59ee45b508a6caee0",
      "parents": [
        "4618f88a1b695961367e8724593712e8b65eefaa"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:43:55 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43495: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:A -The vulnerable parser consumes control messages supplied by\n    the cellular modem/baseband over PCIe; the realistic worst-case\n    attacker is a rogue base station / over-the-air baseband compromise\n    that pivots to the host kernel, which is the cellular-radio analog\n    of WiFi/Bluetooth adjacency. It is not directly Network-reachable\n    because these are internal AP↔modem control messages, not\n    internet-routable packets.\nAC:L -A malicious/compromised modem reliably triggers the OOB read\n    by setting port_count to a large value (up to 65535) in an\n    undersized buffer; there is no race or attacker-uncontrollable\n    precondition, and the ~256 KB read reliably reaches unmapped memory.\nPR:N -The modem\u0027s messages are parsed automatically during the\n    handshake/port-enumeration with no authentication or privilege\n    check on the device-supplied data, so the attacker needs no\n    host-side credentials.\nUI:N -Port enumeration and runtime-feature handshake are processed\n    automatically by kernel threads at modem init and runtime; no user\n    action is required.\nS:U -The vulnerable code and the impacted resource are both the\n    host kernel; there is no crossing into a different security\n    authority such as a VM/hypervisor or IOMMU domain.\nC:H -The flaw is a large slab-out-of-bounds read of up to ~256 KB\n    of adjacent kernel heap, and the read values steer channel\n    enable/disable behavior, providing a disclosure oracle — well above\n    a few bounded bytes.\nI:H -The out-of-bounds data is interpreted as port_info and drives\n    kernel driver channel enable/disable state, modifying\n    kernel-internal state based on attacker-influenced out-of-bounds\n    memory; rounding up under uncertainty.\nA:H -An out-of-bounds read of up to ~256 KB past a 12-byte slab\n    object reliably crosses into unmapped/poisoned pages, causing a\n    kernel oops/panic (denial of service).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "4618f88a1b695961367e8724593712e8b65eefaa",
      "tree": "d449361d8c850c34eb5f56a0876dccec1e1ea4b3",
      "parents": [
        "969ad89e3185e42a94df15f57e829dcb11284ead"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:43:13 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43494: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Triggered entirely by a local `sendmsg(MSG_ZEROCOPY)` syscall\n    operating on the sending process\u0027s own user memory; a remote peer\n    has no control over the page-pinning that fails, so it is not\n    network-reachable.\nAC:L -The attacker fully controls the iovec layout and can\n    deterministically pin one valid segment then point a later segment\n    at unmapped memory to force `iov_iter_get_pages2()` to fail with\n    `op_nents\u003e\u003d1`; no race or uncontrolled condition.\nPR:L -`rds_create()` performs no capability check, so any\n    unprivileged local user can open the AF_RDS socket and reach the\n    zerocopy send path; no real root or CAP needed.\nUI:N -The attacker performs the entire socket/setsockopt/sendmsg\n    sequence themselves; no victim action is required.\nS:U -The corruption is within the kernel\u0027s own page-management\n    security authority; there is no VM, IOMMU, or sandbox boundary\n    crossed.\nC:H -The refcount underflow frees a page still mapped in the\n    attacker\u0027s address space; once reused for other kernel/process data\n    it remains readable through the stale mapping, enabling arbitrary\n    memory disclosure.\nI:H -The same stale-mapping primitive permits writing into\n    reallocated pages (page tables, slab, other tasks\u0027 memory),\n    yielding an arbitrary-write/control-flow-hijack primitive suitable\n    for privilege escalation.\nA:H -The double-free / page reference-count underflow corrupts\n    kernel page state and reliably causes oops/panic, a full\n    availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "969ad89e3185e42a94df15f57e829dcb11284ead",
      "tree": "f1081ce615302dfc338aed37296ca7beb4f46a58",
      "parents": [
        "7399396c113caa7e12c4d01f17b56c80bbd51cdf"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:42:48 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43498: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The accel/ivpu NPU driver is reachable only through local\n    `/dev/accel/accelX` ioctls (BO_CREATE_FROM_USERPTR,\n    PRIME_HANDLE_TO_FD/FD_TO_HANDLE, SUBMIT); it is not network- or\n    adjacent-facing.\nAC:L -The exploit is a fully attacker-controlled, deterministic\n    sequence (create RO userptr BO, re-export, re-import losing the RO\n    flag, submit a write job) with no race or uncontrolled\n    memory-layout dependency.\nPR:L -No root or capability is required—only access to the accel\n    device node, which unprivileged local users typically hold on\n    NPU-equipped systems; the ioctls carry no DRM_ROOT_ONLY/capable()\n    gate.\nUI:N -The attacker performs every step (BO creation,\n    re-export/re-import, NPU job submission) without any victim action.\nS:U -Impacted memory is all under the kernel\u0027s authority and the\n    DMA/IOMMU isolation itself is not bypassed (pages are legitimately\n    mapped, only the device-MMU read-only bit is dropped); this is\n    standard in-OS privilege escalation.\nC:H -The resulting write primitive into shared read-only\n    page-cache/executable pages can be leveraged for code execution in\n    privileged contexts and thus arbitrary memory disclosure, and per\n    guidance such memory corruption is scored High.\nI:H -The device, under attacker control, gains an arbitrary write\n    into host pages that must be read-only (shared/file-backed/CoW\n    pages), yielding controlled corruption of memory belonging to other\n    contexts.\nA:H -Corrupting shared page-cache/executable pages or other\n    processes\u0027 memory readily crashes processes and the system, a High\n    availability impact consistent with memory-corruption guidance.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7399396c113caa7e12c4d01f17b56c80bbd51cdf",
      "tree": "106e4abd0e305f3f829a6a1c63bcf28558babe23",
      "parents": [
        "dbcc4700e1a5e4f308359c2255aba5f6343040e5"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:40:11 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43503: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -Triggering the impact requires locally splicing a root-owned\n    file\u0027s page-cache pages into a socket and configuring an xfrm SA\n    plus an nftables `dup`/TEE rule; a purely remote peer cannot create\n    externally-owned, page-cache-backed frags. Matches the predecessor\n    CVE-2026-43284 (AV:L).\nAC:L -The attacker controls every condition — the SA key, the\n    dup/TEE rule, the spliced file pages, and the crafted ESP packet —\n    and can reliably reproduce the in-place decrypt with no race or\n    layout dependency outside their control.\nPR:L -Requires only an unprivileged local user: CAP_NET_ADMIN for\n    xfrm/nftables is obtainable via user namespaces (`unshare -Urn`),\n    and only read access to a (e.g. world-readable) root-owned file is\n    needed to splice its page-cache pages.\nUI:N -The attacker performs all steps; the page-cache corruption\n    occurs at decrypt time with no action required from any victim.\nS:C -The vulnerable component (ESP/network packet processing acting\n    on the attacker\u0027s own packet) modifies resources in a different\n    security authority — the page cache of a root-owned read-only file\n    — crossing a privilege boundary, as scored in the predecessor\n    CVE-2026-43284 (S:C).\nC:H -The in-place AEAD operation reads and writes\n    externally-owned/potentially-freed pages across a trust boundary, a\n    memory-safety violation leverageable for information disclosure;\n    scored C:H consistent with the predecessor.\nI:H -The decrypt writes attacker-influenced data into the page\n    cache of a root-owned read-only file, corrupting content read by\n    privileged processes — a powerful confused-deputy write primitive\n    enabling privilege escalation.\nA:H -Writing into pages the skb does not own (page-cache or\n    freed/reused spliced pages) is memory corruption that can crash or\n    destabilize the kernel and corrupt file/system state.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "dbcc4700e1a5e4f308359c2255aba5f6343040e5",
      "tree": "150b2107b36a384591deb52e9ca11ddfdbbbac20",
      "parents": [
        "6d54dc8ca237b1b54b78880ec0aa64fb78ef9177"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:40:05 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43499: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached through the futex(2) syscall\n    (FUTEX_CMP_REQUEUE_PI → futex_requeue → rt_mutex_start_proxy_lock),\n    which requires local access to issue syscalls and is not reachable\n    over any network.\nAC:L -The attacker controls all the threads and PI-futexes involved\n    and can deterministically construct the deadlock-detection error\n    that drives the proxy-lock rollback into remove_waiter(); the\n    resulting UAF/corruption is reliably triggerable without depending\n    on conditions outside the attacker\u0027s control.\nPR:L -Any basic unprivileged local user can call futex() with\n    FUTEX_CMP_REQUEUE_PI — no capabilities, root, or namespaces are\n    required.\nUI:N -The bug is triggered entirely by the attacker\u0027s own threads\n    and syscalls; no action by any other user is needed.\nS:U -The corruption is confined to kernel memory within the same\n    security authority; it is a standard local kernel privilege issue\n    with no cross-boundary (VM/IOMMU) escape.\nC:H -The dangling pi_blocked_on pointer and rbtree dequeue under\n    the wrong pi_lock give a use-after-free over reclaimed stack\n    memory, which can be leveraged to read controlled kernel memory\n    contents.\nI:H -The UAF and unsynchronized rbtree manipulation provide a write\n    primitive into kernel data structures, enabling memory corruption\n    exploitable for control-flow hijacking and privilege escalation.\nA:H -The dangling pointer dereference and PI-chain corruption\n    readily cause kernel oops/panic, so availability impact is high.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6d54dc8ca237b1b54b78880ec0aa64fb78ef9177",
      "tree": "e1b7f94fd707942933318a78e7dddac11752a12d",
      "parents": [
        "5cbe00de55df4aa9c453ae8f951acc0eadf2352d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:39:48 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43501: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The bug is in the IPv6 receive path processing a routing\n    extension header (RFC 6554 RPL SRH); a remote attacker triggers it\n    by sending a crafted unicast IPv6 packet addressed to a host that\n    processes RPL source routing, with no link-locality requirement in\n    the code.\nAC:L -Triggering is deterministic — a single packet drains headroom\n    over loopback, and the attacker fully controls header compression\n    and segment count (forcing repeated looped_back passes) to drive\n    headroom below mac_len; success does not depend on uncontrolled\n    memory layout.\nPR:N -Processing happens automatically during inbound packet\n    handling with no authentication or capability check; an\n    unauthenticated network peer needs only to send a packet.\nUI:N -The kernel processes the malicious extension header\n    automatically on receipt; no victim action is required.\nS:U -The out-of-bounds write corrupts kernel heap memory within the\n    kernel\u0027s own security authority; no crossing of a VM/IOMMU/sandbox\n    boundary occurs.\nC:H -The out-of-bounds heap write is a memory-corruption primitive\n    that can corrupt adjacent length/pointer fields to enable\n    subsequent kernel memory disclosure, warranting High under the\n    corruption-could-leak-info guidance.\nI:H -This is a heap out-of-bounds write (~64 KiB past skb-\u003ehead),\n    directly corrupting kernel memory — out-of-bounds writes are High\n    integrity impact and can be groomed toward control-flow hijacking.\nA:H -Writing mac_len bytes far past the skb buffer corrupts\n    unrelated kernel memory, reliably producing an oops/panic\n    (confirmed by KASAN), a High availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "5cbe00de55df4aa9c453ae8f951acc0eadf2352d",
      "tree": "dadde8cb077138a1619c7da12a6055ff344c83ef",
      "parents": [
        "6c02ab2d7724590531de8f83f0a1fd22958d1edb"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:39:45 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-43502: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered by a local\n    sendmsg(MSG_ZEROCOPY) syscall on an AF_RDS socket; the buggy\n    cleanup decision depends only on local send-side failure\n    conditions, not on any data received from a remote peer.\nAC:L -The attacker fully and deterministically controls the\n    pre-queue failure (e.g., nonblocking socket with a full send\n    buffer, or an invalid RDMA/atomic cmsg), so no race or uncontrolled\n    condition is involved.\nPR:L -Creating an AF_RDS SOCK_SEQPACKET socket and enabling\n    SO_ZEROCOPY require no capabilities (rds_create has no privilege\n    check), so any unprivileged local user can reach the code.\nUI:N -The attacker triggers the entire flow through its own\n    syscall; no action by another user is required.\nS:U -The memory corruption stays within the kernel\u0027s own security\n    authority and does not cross into another security scope such as a\n    VM or IOMMU boundary.\nC:H -Releasing GUP-pinned user pages through the wrong path (and\n    underflowing compound-page refcounts) can free/reuse pages still\n    owned by user space, enabling disclosure of memory contents after\n    reuse.\nI:H -The struct-page refcount underflow and improper page free\n    constitute memory corruption that can be leveraged into a page\n    use-after-free/write primitive, not merely a clean crash.\nA:H -The corrupted page accounting/refcounting and improper\n    buddy-allocator free can cause VM_BUG_ON, oops, or kernel panic, in\n    addition to leaking pinned-page accounting and the notifier struct.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6c02ab2d7724590531de8f83f0a1fd22958d1edb",
      "tree": "f57df3ebdbe76548e13c11a093ec8e87a95cf106",
      "parents": [
        "a0cd87caa851753f7f720c5c01f519ac1801bc1b"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:32:59 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-45843: Add CVSS 3.1 score (8.2 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\n\nAV:N -slhc_uncompress() processes VJ-compressed headers received\n    from the remote PPP/SLIP link peer; via PPP-over-PPTP/L2TP tunnels\n    that peer is an internet-reachable attacker sending crafted frames.\nAC:L -A short compressed frame with a change byte requesting\n    optional fields reliably triggers the over-read; no race, timing,\n    or memory-layout condition outside the attacker\u0027s control.\nPR:N -The attacker is a remote link peer (e.g., malicious\n    VPN/dial-up server, or a client of the target\u0027s PPTP/L2TP server)\n    with no account or privilege on the target host.\nUI:N -Once a VJ-enabled PPP link exists, the malicious frame is\n    processed automatically; in the attacker-initiated server scenario\n    no victim action is needed at exploit time.\nS:U -The over-read and its effects stay within the kernel\u0027s own\n    decompression buffers and state; no crossing into another security\n    authority.\nC:H -Out-of-bounds read of adjacent memory — including\n    uninitialized kernel slab memory in the PPP fresh-skb path — folded\n    into reconstructed TCP/IP header fields delivered to the IP stack,\n    disclosing kernel memory.\nI:L -The over-read pollutes the cached decompression state\n    (cs_tcp/cs_ip) and corrupts header fields of subsequently\n    reconstructed packets with stale data, but yields no arbitrary or\n    out-of-bounds write primitive.\nA:N -Guaranteed buffer slack plus the len\u003c0 rejection keep all\n    reads within the allocation and prevent any out-of-bounds write, so\n    there is no crash, hang, or panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a0cd87caa851753f7f720c5c01f519ac1801bc1b",
      "tree": "5329f077db9e49965da05c40939b7f1eb3f40c73",
      "parents": [
        "6272113919133f01d3dc11d4f501a3563333deac"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:24:51 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-45852: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is triggered through the RDMA uverbs character device\n    (/dev/infiniband/uverbsN) via a local write()/ioctl() syscall\n    during SRQ creation; it is not reachable from network packets, as\n    rxe SRQ creation is a purely local control-plane operation.\nAC:L -The attacker fully controls the trigger by supplying a bad\n    userspace outbuf pointer so copy_to_user() faults\n    deterministically; no race or attacker-uncontrolled condition is\n    involved.\nPR:L -Reaching ib_create_srq_user requires access to the RDMA verbs\n    device, which by design is used by unprivileged applications and is\n    commonly exposed to regular users in RDMA-enabled (HPC/cloud)\n    deployments; no real root is needed.\nUI:N -The attacker\u0027s own process performs the offending verbs call;\n    no separate victim action is required.\nS:U -The corruption is confined to kernel heap memory within the\n    same security authority; no VM/IOMMU/sandbox boundary is crossed.\nC:H -The double-free/UAF lets the attacker reallocate and control\n    the freed queue object\u0027s contents, yielding an arbitrary\n    kernel-memory read primitive for information disclosure.\nI:H -Double-free of a kmalloc\u0027d object enables heap grooming and\n    reallocation into attacker-controlled structures, providing a write\n    primitive that can be leveraged for control-flow hijacking.\nA:H -The double free reliably corrupts the slab allocator and\n    crashes the kernel (panic/oops).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6272113919133f01d3dc11d4f501a3563333deac",
      "tree": "465b725a02477f89a8a9b77d8fee553170af7a19",
      "parents": [
        "cf146c4a81c3a35398a06b986f5622a6ecbddd63"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:22:43 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:46 2026 -0400"
      },
      "message": "CVE-2026-45859: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The vulnerable nfnetlink_queue path processes packets that\n    hit an NFQUEUE netfilter verdict; GRO-aggregated UDP traffic\n    received from the network reaches it, so the dropping condition is\n    triggered by remote network packets.\nAC:L -Once an nfqueue without F_GSO exists, an attacker reliably\n    triggers the drop by sending a UDP burst that GRO coalesces into a\n    GSO skb for a new (unconfirmed) flow; no uncontrollable condition\n    is required.\nPR:N -Triggering the condition requires only sending network\n    traffic to the host; no authentication or privileges are needed by\n    the remote sender.\nUI:N -The packet drop occurs automatically during kernel packet\n    processing with no victim interaction.\nS:U -The impact is confined to the kernel\u0027s own network packet\n    processing; no security boundary is crossed.\nC:N -The bug only causes packets to be dropped; no kernel memory is\n    read or disclosed.\nI:N -No data is modified or written; dropped packets are simply not\n    delivered, which is an availability rather than integrity effect.\nA:H -All GSO-aggregated UDP packets of new (unconfirmed) conntrack\n    flows are dropped on a non-F_GSO nfqueue, denying\n    establishment/processing of those new flows — a sustained,\n    network-triggerable denial of that traffic class.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "cf146c4a81c3a35398a06b986f5622a6ecbddd63",
      "tree": "2d4569eb2e8c3b9947c64f7ad713c6dbbe4eec81",
      "parents": [
        "977f1e06c1320552b89e20141d2f8b3c82ec94e7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:22:29 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45856: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The vulnerable code is reached via write() on the local RDMA\n    uverbs character device (/dev/infiniband/uverbs*) dispatched\n    through UAPI_DEF_WRITE_IO; it is not reachable over any network.\nAC:L -The attacker fully controls cmd.wqe_size and can reliably\n    trigger the OOB read by simply setting wqe_size\u003d1 (or the WARN with\n    a huge value); no uncontrolled conditions are involved.\nPR:L -An unprivileged local user with access to the RDMA uverbs\n    device (the normal case on RDMA-enabled systems, and obtainable via\n    Soft-RoCE) can open a context, create a QP, and issue POST_SEND; no\n    real-root privilege is required.\nUI:N -The command is issued directly by the attacker via a syscall;\n    no action by any other user is needed.\nS:U -The OOB read and resulting impact remain within the kernel\u0027s\n    own security authority; no crossing of a security boundary\n    (VM/IOMMU/sandbox) occurs.\nC:H -The bug reads ~48 bytes of kernel heap memory beyond the\n    undersized allocation, and the leaked values (e.g. wr_id) are\n    returned to userspace via completion polling, giving a repeatable\n    kernel-heap information disclosure.\nI:N -The defect is purely an out-of-bounds read; num_sge is bounded\n    by the sge_count check, so no kernel memory is modified and there\n    is no write primitive.\nA:H -An excessively large wqe_size triggers a WARNING in the\n    allocator (syzkaller-reported), which becomes a kernel panic under\n    the common panic_on_warn hardening, causing denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "977f1e06c1320552b89e20141d2f8b3c82ec94e7",
      "tree": "d91481b136c71424a8c31aa6dbe8e7ce75126937",
      "parents": [
        "1682f9d6d4c870e740c1ef51d6fd0ed43718bdec"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:21:02 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45862: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -The vulnerable PASID-table allocation is reached locally via\n    IOMMU domain attach (SVA bind through an accelerator device, or\n    guest/IOMMUFD device setup) using syscalls/ioctls; there is no\n    network-facing path to this code.\nAC:H -Exploitation requires non-coherent VT-d hardware and winning\n    a nanosecond-scale cache-writeback race in which the IOMMU must\n    read the entry before the CPU flushes the zeroes to RAM, with the\n    stale data happening to form a usable present entry — conditions\n    governed by microarchitectural timing the attacker cannot control.\nPR:L -An unprivileged local user with access to an SVA-capable\n    accelerator device can drive `iommu_sva_bind_device` to trigger the\n    PASID-table allocation while controlling the device\u0027s DMA; no real\n    root is required.\nUI:N -The allocation and the device DMA are driven entirely by the\n    attacker; no victim interaction is needed.\nS:C -The IOMMU enforces the DMA isolation boundary; using stale\n    garbage PASID entries lets a device\u0027s DMA escape its assigned\n    domain, impacting host physical memory in a different security\n    authority — an IOMMU/DMA boundary bypass.\nC:H -A misdirected DMA translated through a garbage page table can\n    read arbitrary host physical memory, yielding disclosure beyond the\n    device\u0027s domain.\nI:H -The same misdirected DMA path provides write access to\n    arbitrary host physical memory, allowing corruption of kernel data\n    outside the device\u0027s intended domain.\nA:H -Garbage PASID entries can cause IOMMU faults, DMA failures,\n    and memory corruption leading to oops/panic or device/system hangs.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "1682f9d6d4c870e740c1ef51d6fd0ed43718bdec",
      "tree": "5dc3426ea6044f4dac9895243889617e6bc11300",
      "parents": [
        "fcb784f2f975d40f8a6ad2fa5bb41fac2e6d3eec"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:21:01 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45861: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -GFS2 is a local disk filesystem with no network-facing\n    handler; the vulnerable qd lifecycle is reached only via local\n    filesystem operations (mount, quota-incurring I/O,\n    unmount/withdrawal, and the memory shrinker). No remote peer data\n    path exists.\nAC:L -The bug leaves a freed object permanently linked on the\n    global gfs2_qd_lru, so it is persistent rather than a tight race;\n    the attacker can reliably drive the shrinker into the freed object\n    by inducing memory pressure, with no condition outside the\n    attacker\u0027s control.\nPR:L -Triggering requires local access to a GFS2 filesystem and the\n    poisoned LRU is then dereferenced by an unprivileged\n    memory-pressure-driven shrinker walk; consistent with\n    clustered-filesystem UAF scoring (ocfs2 CVE-2026-31597/43075).\nUI:N -Once the LRU is corrupted, the use-after-free is reached\n    through ordinary kernel memory reclaim without requiring any\n    separate victim action.\nS:U -The corruption and its impact are confined to the kernel\u0027s own\n    memory/security authority; no VM, IOMMU, or sandbox boundary is\n    crossed.\nC:H -The shrinker reads fields of the freed gfs2_quota_data object,\n    and the freed slab can be reallocated with attacker-controlled\n    data, enabling kernel memory disclosure typical of a use-after-free.\nI:H -gfs2_qd_isolate writes to the freed object (lockref_mark_dead\n    and list_lru_isolate_move), giving a write primitive over\n    freed/reallocated memory that can be leveraged for heap\n    manipulation and control-flow corruption.\nA:H -The slab-use-after-free reliably corrupts the LRU list and\n    freed memory, causing kernel oops/panic as observed by KASAN/syzbot.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "fcb784f2f975d40f8a6ad2fa5bb41fac2e6d3eec",
      "tree": "5af511a985a78adb893b7673339a288afb6cd533",
      "parents": [
        "9df5abe63291eda60adea9b3c4eedfb0df27b89d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:19:50 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45860: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The code runs in a netfilter packet-processing hook\n    (nft_connlimit/xt_connlimit/OVS limit); it is driven by connection\n    packets from a remote peer, so the vulnerability is reachable over\n    the network.\nAC:L -The attacker fully controls the trigger condition (generating\n    more than 8 new connections per jiffy), which is trivially\n    achievable with ordinary connection flooding and requires no\n    conditions outside the attacker\u0027s control.\nPR:N -A remote attacker merely opening connections to a\n    connlimit-protected service needs no authentication or privileges\n    on the target system.\nUI:N -Exploitation requires only sending connection traffic; no\n    victim interaction is needed.\nS:U -The faulty accounting and its effect stay within the kernel\u0027s\n    network stack and the protected service; no security boundary is\n    crossed.\nC:N -The bug is a connection-count accounting error with no memory\n    disclosure or information leak of any kind.\nI:N -No attacker-controlled data is modified and there is no memory\n    corruption; only the internal connection counter is transiently\n    inaccurate.\nA:H -The inflated count causes the connlimit to reach its threshold\n    prematurely, so legitimate new connections to the protected service\n    are rejected; an attacker can sustain this to deny service (total\n    loss of new-connection availability under a global/zone limit).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9df5abe63291eda60adea9b3c4eedfb0df27b89d",
      "tree": "a6b41d18bf523472887cf1e43567536e4c7c3ff0",
      "parents": [
        "fb9c934345182f0cfa1ec902f9ea2d23157d5ae3"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:11:36 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45878: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached only through an ioctl\n    (AMDKFD_IOC_DBG_TRAP) on the local /dev/kfd device node; there is\n    no network or remote path.\nAC:L -The attacker fully controls both the allocation of a watch\n    point and the crafted watch_id; the negative-shift behavior is\n    deterministic on x86, so the out-of-bounds write is triggered\n    reliably and repeatably.\nPR:L -The ioctl has flags\u003d0 with no capability check, and\n    self-debugging (target\u003d\u003dp) is permitted, so any unprivileged local\n    user with access to the GPU device node (/dev/kfd) can reach the\n    bug; no root/CAP_SYS_ADMIN is required.\nUI:N -The attacking process performs the enable/allocate/clear\n    sequence entirely on its own; no action by another user is needed.\nS:U -The out-of-bounds write corrupts kernel memory within the same\n    kernel security authority; it does not cross into a separate\n    authority such as a hypervisor or IOMMU boundary.\nC:H -The bug is a kernel out-of-bounds write (memory corruption)\n    that can be groomed to overwrite adjacent kernel structures (e.g.,\n    size/pointer fields), which can be leveraged to enable information\n    disclosure.\nI:H -Attacker-influenced out-of-bounds write of a 32-bit value into\n    kernel memory at a controllable offset is a direct kernel\n    memory-corruption/write primitive.\nA:H -The out-of-bounds write into unmapped or critical kernel\n    memory readily causes a kernel oops/panic, producing a denial of\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "fb9c934345182f0cfa1ec902f9ea2d23157d5ae3",
      "tree": "59113d7ca5accda02d1c64cba6ec6f88b584ccd1",
      "parents": [
        "5f2e3378e41e57ad236929f856d1a918a348faf8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:05:14 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45910: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The race is between the local rxe_destroy_qp verb and a local\n    QP timer firing, both driven through the RDMA uverbs interface; a\n    remote peer cannot create or destroy QPs, so local access is\n    required.\nAC:L -This is a race the attacker controls on both sides — creating\n    a QP, driving RC traffic to arm the retransmit/rnr_nak timers, then\n    destroying the QP — and it can be retried indefinitely across many\n    QPs.\nPR:L -Triggering requires issuing RDMA verbs (create/destroy QP,\n    post sends) via the uverbs device, which in RDMA deployments is\n    routinely granted to non-root users (rdma group / container device\n    access).\nUI:N -The attacker performs all QP creation, traffic, and\n    destruction operations themselves with no victim action required.\nS:U -The use-after-free is contained within the kernel\u0027s own\n    security authority with no crossing of a VM, IOMMU, or sandbox\n    boundary.\nC:H -The refcount underflow / use-after-free on the QP object can\n    give an attacker control over freed-object contents, enabling\n    kernel memory disclosure.\nI:H -A use-after-free of the QP object enables heap grooming and\n    arbitrary write primitives, per kernel UAF scoring guidance.\nA:H -The refcount underflow/use-after-free produces kernel warnings\n    and can crash or panic the system when the freed QP is accessed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "5f2e3378e41e57ad236929f856d1a918a348faf8",
      "tree": "f03f2c59a3a9f86b6b67a494f0fd122960394712",
      "parents": [
        "606078d0981958f41235029dacb3081b5383f4d4"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 01:01:58 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45894: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -The teardown path is reached only through local interfaces —\n    IOMMU domain attach/detach, SVA bind/unbind via accelerator char\n    devices, and VFIO/iommufd ioctls — plus a locally-controlled\n    device\u0027s DMA; there is no remote/network path to this code.\nAC:H -Triggering the torn read requires the IOMMU\u0027s internal\n    multi-burst fetch of the 64-byte entry to interleave with the CPU\u0027s\n    eight 64-bit zeroing writes during the narrow teardown window; this\n    sub-microsecond hardware-internal timing is beyond the attacker\u0027s\n    control and cannot be reliably reproduced.\nPR:L -Reaching the teardown requires local access to manage an\n    IOMMU domain or to bind/unbind a PASID on an SVA-capable\n    accelerator (reachable by an unprivileged user granted device\n    access), not a pre-auth or fully unauthenticated path.\nUI:N -No victim interaction is needed; the attacker drives both the\n    device DMA and the PASID-entry teardown.\nS:C -The IOMMU enforces the DMA isolation boundary; a\n    torn/inconsistent PASID-entry read can cause the IOMMU to\n    mistranslate a device\u0027s DMA, allowing access outside the device\u0027s\n    authorized memory scope — an IOMMU/DMA boundary crossing.\nC:H -Mistranslation from an inconsistent entry read could let a\n    device (e.g., guest-assigned or SVA-bound) read host physical\n    memory outside its domain, yielding disclosure of memory beyond its\n    authorized scope.\nI:H -The same mistranslation could let a device perform DMA writes\n    to host physical memory outside its assigned domain, corrupting\n    memory across the isolation boundary.\nA:H -The torn read causes \"spurious faults\" and \"unpredictable\"\n    IOMMU behavior, which can produce DMA fault storms or\n    device/translation failures impacting availability.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "606078d0981958f41235029dacb3081b5383f4d4",
      "tree": "ab34d65db8b52f3d6d0b9494c69132caddeedba2",
      "parents": [
        "1c30da0166591378218bb1e1ac89f2b98e7d8367"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:57:31 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45898: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The vulnerable cm_event_handler is driven by iWARP\n    connection-management events generated from a remote peer\u0027s\n    iWARP/MPA-over-TCP traffic (connect-request/reply/disconnect),\n    delivered by the provider driver; an iWARP endpoint is reachable\n    over a routed network, not just the local LAN.\nAC:L -The attacker controls both the rate and pattern of connection\n    events, so flooding connection requests at a listening cm_id\n    reliably creates the multiple-events/reused-work-element condition\n    (the bug reproduced readily under ucmatose stress); the attacker\n    drives both sides of the race.\nPR:N -Connection-request events are processed by the iwcm before\n    any application-level authentication, so an unauthenticated remote\n    peer that can speak iWARP/MPA to a listening endpoint needs no\n    privileges on the target.\nUI:N -Triggering requires only that the attacker initiate\n    connection traffic; no action by a local user or victim is needed.\nS:U -The corruption is confined to the kernel\u0027s own workqueue\n    structures within the same security authority; no VM/IOMMU/sandbox\n    boundary is crossed.\nC:H -The bug is a use-after-free-class reuse of an iwcm_work\n    element (whose contents include remote-supplied MPA private_data)\n    causing workqueue list corruption, which per kernel scoring\n    guidance can be leveraged for arbitrary memory disclosure.\nI:H -Reinitializing a still-queued work_struct corrupts the\n    workqueue\u0027s doubly-linked lists, giving a list-unlink write\n    primitive over kernel memory that can be steered toward arbitrary\n    write / control-flow hijack.\nA:H -The corruption produces an immediate kernel BUG/Oops in the\n    iw_cm_wq kworker (panic), and the underlying memory corruption can\n    crash the system repeatedly.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "1c30da0166591378218bb1e1ac89f2b98e7d8367",
      "tree": "a9905d00ae858bd0ba954e5960031844973e3f83",
      "parents": [
        "397cd81b6551288a40142d78acf5949e5d96cf00"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:49:19 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45909: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is a clock-gate operation in the MediaTek\n    clk driver, reached only by local clock-framework calls\n    (driver/runtime-PM toggling); no remote network input flows into\n    it, so the attacker needs local system access.\nAC:L -This is a use-after-free that becomes active\n    deterministically once free_initmem() releases the .init.rodata\n    gate arrays; the first runtime toggle of an affected gate reliably\n    dereferences freed memory with no race or attacker-uncontrollable\n    condition.\nPR:L -On these SoCs the affected peripheral gates are toggled by\n    ordinary runtime-PM/device-idle transitions that an unprivileged\n    local user can induce through normal device I/O, so basic\n    unprivileged access suffices.\nUI:N -Triggering only requires a clock enable/disable on an\n    affected gate; no victim action such as opening a file or mounting\n    a filesystem is needed.\nS:U -The dangling pointer and its impact are entirely within the\n    kernel\u0027s clock subsystem; no VM, IOMMU, or sandbox boundary is\n    crossed.\nC:H -The UAF reads a freed init-memory object whose contents can be\n    reclaimed/sprayed by the attacker, and the controlled gate-\u003eregs\n    pointer is dereferenced for register offsets, enabling\n    kernel-memory disclosure.\nI:H -Attacker-influenced freed-memory contents control gate-\u003eshift\n    and gate-\u003eregs, turning regmap_write(offset, BIT(shift)) into a\n    corrupted/controlled MMIO write — memory corruption leverageable\n    beyond simple modification.\nA:H -Dereferencing the dangling cg-\u003egate pointer (and a corrupted\n    gate-\u003eregs) after init memory is freed reliably causes a kernel\n    oops/crash.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "397cd81b6551288a40142d78acf5949e5d96cf00",
      "tree": "620a18ef4d4adba3ee8ad6ed03a92ca0ae872683",
      "parents": [
        "baa7851d6a214e9156146ee9db51edff478b1269"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:39:36 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45929: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is `ovpn_net_xmit`, the netdevice TX path\n    (ndo_start_xmit), triggered by transmitting a packet out the local\n    ovpn tunnel interface; the triggering precondition (a shared skb)\n    is a local TX-side artifact and cannot be induced by a remote peer,\n    whose data flows through the separate RX path.\nAC:L -The attacker controls both sides — arranging the skb-sharing\n    reference holder and initiating the transmit — so the\n    use-after-free race is within their control; choosing the\n    higher-severity value where exploitation reliability is uncertain.\nPR:L -Creating an ovpn device and establishing the shared-skb\n    condition requires CAP_NET_ADMIN/CAP_NET_RAW, which an unprivileged\n    user can obtain inside a user namespace (unshare -Urn), so this is\n    Low rather than High.\nUI:N -The bug is triggered purely by transmitting packets through\n    the interface; no victim action is required.\nS:U -The use-after-free is contained within the kernel\u0027s own\n    security authority and does not cross into a different security\n    scope such as a VM or IOMMU boundary.\nC:H -A use-after-free read of the freed skb (protocol, data, len)\n    lets an attacker who controls the reclaimed object contents read\n    sensitive kernel memory.\nI:H -The use-after-free can be leveraged via heap grooming of the\n    freed skb to corrupt kernel state and achieve write/control-flow\n    primitives.\nA:H -Dereferencing the freed skb readily causes a kernel\n    oops/panic, a full denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "baa7851d6a214e9156146ee9db51edff478b1269",
      "tree": "ffc1243d7f7a664e947ba009a8ecba457fb730a9",
      "parents": [
        "2c5d0764fe7c4ec8506a341dd793c91ac294015a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:39:35 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45931: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable bind/unbind code is reached only by opening\n    the local amdxdna accel device file (/dev/accel/accelN) and closing\n    it; there is no network or remote-peer path to this driver.\nAC:L -The attacker controls both sides of the lifetime issue (the\n    SVA bind at open and the unbind timing via process/fd teardown),\n    and the crash reproduces reliably in tests, so no condition is\n    beyond the attacker\u0027s control.\nPR:L -Opening the device and triggering the SVA bind/unbind\n    requires no capability (no CAP check on the path; DRM_ROOT_ONLY\n    only guards SET_STATE), only the ability to open the accel node,\n    which unprivileged ML workloads on AMD NPU systems possess.\nUI:N -The attacker\u0027s own process triggers the bug entirely through\n    its own open/close sequence; no action by another user is required.\nS:U -The use-after-free corrupts kernel-managed objects\n    (mm_struct/iommu_mm_data) within the kernel\u0027s own security\n    authority and does not breach the IOMMU DMA-isolation boundary or\n    escape to another scope.\nC:H -Per kernel guidance a use-after-free is High; the freed\n    iommu_mm_data/mm_struct is read after free, and controlling the\n    reallocated contents enables disclosure of freed kernel memory.\nI:H -The UAF lets an attacker who reallocates the freed\n    iommu_mm_data control the pasid value driving\n    iommu_detach_device_pasid(), enabling kernel/IOMMU state corruption\n    and the heap-spray/arbitrary-write potential characteristic of UAFs.\nA:H -Dereferencing the freed mm structure during unbind reliably\n    oopses/panics the kernel, a High availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "2c5d0764fe7c4ec8506a341dd793c91ac294015a",
      "tree": "615fddefdd0f1a60fec6fd43eecf5cd748d1d4d5",
      "parents": [
        "d432a83d9ac9e51a30cbc54ff87a3887d3b2f005"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:38:59 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45932: Add CVSS 3.1 score (7.3 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\n\nAV:L -The vulnerability is reached through the local bpf(2) syscall\n    (BPF_PROG_DETACH command); there is no remote network entry point\n    to this code.\nAC:L -An unprivileged user can reliably trigger the detach with a\n    single deterministic syscall; there is no race, timing, or\n    memory-layout dependency, and the only precondition (a tcx/netkit\n    program already attached) is a standard deployment condition.\nPR:L -The entire bug is that no capability is required where\n    CAP_NET_ADMIN/CAP_SYS_ADMIN should be; any basic local unprivileged\n    user can call BPF_PROG_DETACH, which is not gated by\n    unprivileged_bpf_disabled or any default check.\nUI:N -Detaching the program requires only the attacker\u0027s own\n    syscall; no action by any other user or victim is needed.\nS:U -The impact stays within the kernel\u0027s own security authority\n    (manipulating network BPF attachment state); no VM/IOMMU/sandbox\n    boundary is crossed.\nC:L -Detaching does not read kernel memory directly, but removing a\n    tcx/netkit filtering/isolation program (e.g., a Cilium network\n    policy) can expose traffic or services that were previously\n    confidential, a limited information exposure.\nI:H -An unprivileged user can make an unauthorized,\n    CAP_NET_ADMIN-level modification to the device\u0027s network datapath,\n    and by repeating the call can remove all attached programs, fully\n    subverting the configured network security/policy enforcement.\nA:H -Removing the tcx/netkit datapath program disrupts packet\n    processing for the affected device; in eBPF-datapath deployments\n    this breaks forwarding/NAT/policy and causes loss of network\n    connectivity for the node or its workloads.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d432a83d9ac9e51a30cbc54ff87a3887d3b2f005",
      "tree": "7acf6999a9ddecf73423691b074f55dbc7421df8",
      "parents": [
        "e0a84a04679da6644a9869b4d04a50c29d29ce65"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:37:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45935: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached only during NTFS journal\n    ($LogFile) replay at mount time of a block-device filesystem;\n    exploitation requires a locally-presented crafted NTFS\n    image/device, not network access.\nAC:L -The attacker fully controls the on-disk $LogFile contents\n    including the unbounded entry size; once the crafted image is\n    mounted the overflow triggers deterministically with no race or\n    uncontrolled condition.\nPR:N -The attacker only needs to craft the malicious filesystem\n    image and requires no privileges on the target; this matches the\n    established scoring for ntfs3 crafted-image parsing bugs (e.g.,\n    CVE-2026-46062).\nUI:R -A victim must mount the attacker-supplied crafted NTFS\n    filesystem image for the journal replay to run, consistent with the\n    directly analogous ntfs3 mount-time CVE-2026-46062.\nS:U -The out-of-bounds access is confined to kernel heap memory\n    within the same kernel security authority; there is no crossing of\n    a VM, sandbox, or IOMMU boundary.\nC:H -The memmove uses an attacker-influenced, effectively unbounded\n    length, producing a large out-of-bounds read of adjacent slab/heap\n    memory rather than a few-byte bounded read.\nI:H -The same memmove writes the enormous length starting at e1,\n    overflowing the slab buffer into adjacent heap objects — an\n    out-of-bounds write causing memory corruption.\nA:H -The catastrophic memmove of a near-SIZE_MAX length faults on\n    unmapped memory, reliably causing a kernel oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e0a84a04679da6644a9869b4d04a50c29d29ce65",
      "tree": "3e6e83125a3dd69691f2f9f4a2182521cec9e4c8",
      "parents": [
        "1c574a1f9559d132bc660cfd35f6563438c29ea2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:36:32 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45933: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is in the BPF verifier, reached only by loading a\n    crafted BPF program via the bpf() syscall from a local process;\n    remote data never reaches this code.\nAC:L -The attacker writes the exact BPF instruction sequence that\n    deterministically triggers the broken link in sync_linked_regs();\n    no race or uncontrolled condition is involved.\nPR:L -The verifier runs for all program loads, and\n    socket-filter/cgroup-skb programs are loadable without CAP_BPF when\n    unprivileged_bpf_disabled\u003d0 (a supported default), so any\n    unprivileged local user can reach it.\nUI:N -The attacker loads and runs their own program; no victim\n    action is required.\nS:U -Impact is confined to the kernel\u0027s own security authority —\n    standard local privilege escalation, no crossing into a separate\n    VM/IOMMU boundary.\nC:H -The verifier can be made to believe a register holds a wrong\n    value, allowing a verified-as-safe out-of-bounds read primitive\n    over kernel memory, yielding arbitrary kernel memory disclosure.\nI:H -The same false-bounds primitive enables an out-of-bounds write\n    the verifier \"proved\" safe, giving an arbitrary kernel write usable\n    for privilege escalation and code-flow hijacking.\nA:H -The resulting out-of-bounds accesses on attacker-controlled\n    values readily corrupt kernel memory and panic/crash the system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "1c574a1f9559d132bc660cfd35f6563438c29ea2",
      "tree": "bb0995042c2a2f812f643662d596d90925ad10db",
      "parents": [
        "6201329956a511fd0ad5a328b0da070b424064f0"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:32:10 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45951: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached only through the local bpf()\n    syscall (BPF_PROG_LOAD verifying a BPF_PSEUDO_BTF_ID ldimm64\n    instruction); there is no network, adjacent, or physical input path.\nAC:L -Triggering the UAF requires racing a concurrent close of the\n    BTF fd against the verifier, but the attacker controls both sides\n    (loading thread and closing thread) and can retry/heap-spray\n    indefinitely, so per kernel guidance an attacker-created race is\n    Low.\nPR:L -Obtaining a BTF fd (BPF_BTF_LOAD) and loading the program\n    both require CAP_BPF, which can be delegated to a non-init user\n    namespace via BPF token/bpffs in reasonable container deployments,\n    making this reachable to a non-host-root local user.\nUI:N -The attacker performs the entire attack themselves by issuing\n    bpf() syscalls and closing the fd; no victim action is required.\nS:U -The use-after-free and its consequences are confined to the\n    kernel\u0027s own memory and security authority; no boundary such as VM\n    or IOMMU is crossed.\nC:H -The freed BTF object is dereferenced (type/name/kallsyms\n    lookups) and can be reallocated with attacker-controlled data,\n    giving a kernel-memory read primitive characteristic of a\n    use-after-free.\nI:H -The UAF causes a refcount increment on freed memory and stores\n    a dangling btf pointer into env-\u003eused_btfs[] that is used later,\n    enabling heap grooming and type confusion that can be leveraged\n    into a write/control-flow primitive.\nA:H -Dereferencing the freed BTF object reliably crashes the kernel\n    (oops/panic), so availability impact is High.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6201329956a511fd0ad5a328b0da070b424064f0",
      "tree": "5c11eec6027d1d827cb42f7191dffe832316af3c",
      "parents": [
        "ad7561724c919b11e8466152d049206ff6c7893c"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:30:23 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45942: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached through local filesystem\n    block-allocation activity combined with local folio migration\n    (compaction/NUMA/huge-page reclaim), which is a kernel\n    memory-management event an attacker induces locally; there is no\n    remote path that controls the migration side of the race.\nAC:L -The attacker controls both sides of the race—heavy\n    block-allocation I/O plus memory pressure that forces folio\n    migration—and the commit confirms the window \"is still hit in\n    practice\" under sustained workloads, so it is reliably reproducible\n    by an attacker-constructed workload.\nPR:L -An ordinary unprivileged local user with write access to any\n    ext4 filesystem (e.g., /tmp or /home) can drive block allocation\n    and induce memory migration; no elevated capabilities are required.\nUI:N -The attacker performs all actions (file writes plus memory\n    pressure) on an already-mounted filesystem with no action by any\n    other user.\nS:U -The corruption is confined to the ext4 filesystem and kernel\n    within the same security authority; no VM, sandbox, or IOMMU\n    boundary is crossed.\nC:H -A lost bitmap update can cause block double-allocation,\n    assigning the same physical block to two inodes so one user can\n    read data written by another on a shared filesystem, constituting\n    significant information disclosure.\nI:H -The race corrupts buddy-bitmap/group-descriptor consistency\n    and can double-allocate blocks, leading to file-data corruption\n    (one file\u0027s writes overwriting another\u0027s) and persistent on-disk\n    metadata inconsistency.\nA:H -Detected inconsistency invokes\n    ext4_grp_locked_error()/ext4_handle_error(), which aborts the\n    journal and remounts the filesystem read-only (or panics the kernel\n    with errors\u003dpanic), rendering the filesystem—potentially the root\n    filesystem—unavailable.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ad7561724c919b11e8466152d049206ff6c7893c",
      "tree": "b15d5009ad38687df2764a32f481c00feb2ec982",
      "parents": [
        "6f8c7648999e64acbfe14b3973cf0a3534a6b6f0"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:30:10 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45944: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -The vulnerable setup/teardown paths are reached via local\n    IOMMU domain management (VFIO/iommufd device assignment or sysfs\n    driver bind/unbind); there is no network or adjacent-network path\n    to this code.\nAC:H -Manifesting the torn-entry requires the IOMMU hardware to\n    fetch the context entry in a microscopic window between the CPU\n    writes and the cache/context-cache invalidation, combined with\n    compiler/CPU write reordering — timing conditions the attacker\n    cannot reliably control.\nPR:H -Driving an IOMMU context setup/teardown requires\n    CAP_SYS_ADMIN-level privilege (VFIO/iommufd assignment or sysfs\n    driver unbind), which is not obtainable through user namespaces.\nUI:N -The teardown/setup window is reached purely through IOMMU\n    control operations with no victim action required.\nS:C -The IOMMU is the DMA isolation boundary; a torn/stale context\n    entry lets a device\u0027s in-flight DMA be mistranslated and escape its\n    assigned domain, impacting memory belonging to a different security\n    authority (the host or another domain).\nC:H -A device using a stale/torn translation during the window can\n    read host memory outside its intended domain across the IOMMU\n    boundary, yielding a potential arbitrary device-driven read.\nI:H -The same cross-boundary mistranslation lets the device write\n    host memory outside its domain, providing an arbitrary\n    device-driven write primitive.\nA:H -The commit documents \"unpredictable behavior or spurious\n    faults\"; torn-entry fetches generate DMAR fault storms and\n    device/driver malfunction that can hang or crash the system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6f8c7648999e64acbfe14b3973cf0a3534a6b6f0",
      "tree": "cd5829676e288c7692b8ea29ff3f61e044a0d1cb",
      "parents": [
        "ab31faaaa429e8fe965fe878b8c376b617cd47ac"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:28:42 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:45 2026 -0400"
      },
      "message": "CVE-2026-45945: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -The vulnerable replace path is reached only through local\n    IOMMUFD/VFIO ioctls (`/dev/iommu` device PASID domain replacement);\n    there is no network or remote-peer path to this code.\nAC:L -Although it is a hardware/software race on the\n    128-bit-chunked entry fetch, the attacker controls both sides —\n    driving continuous device DMA (forcing frequent entry fetches)\n    while repeatedly issuing the replacement ioctl — so the torn-entry\n    window is reliably reachable through repetition.\nPR:L -Triggering domain replacement requires IOMMUFD/VFIO access to\n    an assigned device, which is gated by device-file permissions\n    rather than an init-namespace root capability check; a confined\n    VMM/user granted passthrough suffices.\nUI:N -The replacement and concurrent DMA are entirely\n    attacker-driven; no action by another user is needed.\nS:C -The flaw is in the IOMMU DMA-isolation structure, and a torn\n    PASID entry can let a device\u0027s DMA escape its assigned domain — an\n    IOMMU/DMA boundary bypass that crosses the security authority of\n    the affected component.\nC:H -A torn page-table-pointer field can cause the IOMMU to\n    translate device DMA through stale/corrupt tables, allowing the\n    device to read host or other-domain physical memory across the\n    isolation boundary.\nI:H -The same mistranslation gives the device a write primitive\n    into memory outside its domain, enabling corruption of\n    host/other-domain memory.\nA:H -The commit explicitly notes the torn entry causes\n    \"unpredictable behavior or spurious faults,\" which can manifest as\n    IOMMU faults, device failures, or kernel crashes.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ab31faaaa429e8fe965fe878b8c376b617cd47ac",
      "tree": "305421c66bd48391931f5b97ce0c55594ca187da",
      "parents": [
        "c4bc0f1958df84063ed7a28d81e2be1ec37f1ae4"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:19:41 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45959: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable AES-GCM path is reached through the local\n    AF_ALG crypto socket interface (socket/bind/sendmsg syscalls),\n    explicitly selectable via the \"gcm-aes-ccp\" driver name; there is\n    no remote network peer required in the reliable trigger path.\nAC:L -The incorrect cleanup fires on every return from\n    ccp_run_aes_gcm_cmd, so a single AES-GCM operation\n    deterministically triggers the invalid free with no race, timing,\n    or memory-layout condition the attacker must defeat.\nPR:L -Creating an AF_ALG socket and submitting a gcm(aes) request\n    requires only a basic unprivileged local account with no\n    capability; no root or special privilege is needed.\nUI:N -The attacker submits the crypto request entirely on its own;\n    no victim action or separate user interaction is required.\nS:U -The invalid free corrupts and crashes within the kernel\u0027s own\n    security authority and crosses no VM, sandbox, or IOMMU boundary.\nC:H -This is an invalid free (memory-corruption class, not a NULL\n    deref); per UAF/corruption guidance the allocator\u0027s mishandling of\n    the stack pointer can disturb slab state and freed-object contents,\n    which can be leveraged toward information disclosure.\nI:H -Feeding kfree a stack address drives the SLUB allocator to\n    write freelist pointers / drop refcounts on memory it never owned,\n    a corruption primitive that per UAF/double-free guidance can be\n    leveraged into a write affecting control flow.\nA:H -The bug deterministically passes a stack address to kfree on\n    every invocation, causing an immediate kernel oops/panic (DoS) that\n    any unprivileged local user can trigger repeatedly.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c4bc0f1958df84063ed7a28d81e2be1ec37f1ae4",
      "tree": "68de8f801bd34d541337aa178f01640f139b368e",
      "parents": [
        "c027ff6498775ce2f9c6b5c5277b2be8e6c8f896"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:17:37 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45958: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The vulnerability is reached through the\n    EXYNOS_VIDI_CONNECTION DRM ioctl on the local primary device node\n    (/dev/dri/cardN); it requires local system access, not network or\n    adjacent reachability.\nAC:L -The attacker fully controls the vidi-\u003eedid pointer value\n    passed in the ioctl and can reliably trigger the dereference/copy\n    on demand; no race or uncontrolled condition is involved.\nPR:L -The ioctl is flagged DRM_AUTH, so the caller must be an\n    authenticated DRM client (a local user with access to the DRM\n    device node, who can become master on first open); no elevated/root\n    privileges are needed.\nUI:N -The attacker issues the ioctl and reads back the connector\n    EDID property entirely on their own; no action by another user is\n    required.\nS:U -The impact stays within the kernel\u0027s own security authority;\n    no crossing of a VM, IOMMU, or sandbox boundary occurs.\nC:H -The user-supplied value is dereferenced as a kernel pointer\n    and up to 32 KB is kmemdup\u0027d from any attacker-chosen kernel\n    address, then exposed back to userspace via the connector\u0027s EDID\n    blob property — an arbitrary kernel-memory read/info-leak primitive.\nI:N -The flaw copies data from the attacker-controlled address into\n    a freshly allocated kernel buffer; it provides no primitive to\n    write or modify attacker-controlled kernel memory.\nA:H -Supplying an unmapped or invalid kernel address causes the\n    direct dereference/kmemdup to fault, producing a kernel oops/panic\n    and denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c027ff6498775ce2f9c6b5c5277b2be8e6c8f896",
      "tree": "c8064f71ccf508fd8d29c05c476ef146ec2d8d93",
      "parents": [
        "72655df07021fab1a5258a4d141011eaf3da0d5c"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:09:40 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45970: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached via a received ARP frame on a\n    bond slave; an unprivileged local user can reproduce the entire\n    scenario inside a user namespace (`unshare -Urn`) by creating a\n    balance-alb bond over veths, injecting ARP locally, and cycling the\n    bond up/down, so no network/adjacent position is required.\nAC:L -In the user-namespace scenario the attacker controls both\n    sides of the race — the ARP injection (RX side) and the bond\n    up/down cycling (free side) — and the upstream report confirms it\n    is readily reproducible by repeated cycling, so the race can be won\n    reliably.\nPR:L -Triggering the free requires CAP_NET_ADMIN on the bond, but\n    this is obtainable by any unprivileged user via a user+network\n    namespace (which also grants CAP_NET_RAW for ARP injection), so\n    only basic local user privileges are needed.\nUI:N -No victim interaction is required; the attacker drives both\n    the packet receipt and the bond teardown themselves.\nS:U -The vulnerability and its impact are confined to the kernel\u0027s\n    own security authority; there is no crossing of a VM/IOMMU/sandbox\n    boundary.\nC:H -The UAF reads the contents of the freed `rx_hashtbl` object\n    (after potential reallocation), which can be leveraged to disclose\n    attacker-influenced or adjacent kernel heap data.\nI:H -The UAF writes into the freed/reallocated object, including\n    copying 6 attacker-controlled bytes (the ARP source MAC) and\n    link-pointer updates, providing a write primitive into reclaimed\n    heap memory exploitable for control-flow corruption.\nA:H -The bug causes a KASAN-detected general protection fault /\n    kernel oops (as shown in the report), reliably crashing the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "72655df07021fab1a5258a4d141011eaf3da0d5c",
      "tree": "3999f3f132426829580c5a1bfb0f3d62980f35bc",
      "parents": [
        "88654f6687d6057b18a5365f81b2c4f98b3fc842"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:08:19 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45972: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The flaw is in the in-kernel SMB/CIFS client and is triggered\n    entirely by SMB2 responses received over the network (TCP/445) from\n    a malicious/compromised server or a network MITM; the attacker is a\n    remote network peer.\nAC:L -The server fully controls both sides of the trigger —\n    returning EACCES-with-buffer on the first open and success on the\n    retry — and the vulnerable retry path is exercised by ordinary\n    write-mode opens, so it is reliably triggerable with no\n    attacker-uncontrolled condition or race.\nPR:N -The attacker is the remote SMB server (or MITM) and needs no\n    authentication or privileges on the victim client; the malicious\n    responses are delivered before/independent of any client-side\n    credential check.\nUI:N -In the most severe reasonable deployment (a\n    persistent/automounted share to a compromised or MITM\u0027d server),\n    routine background file opens drive the vulnerable retry with no\n    dedicated user action at exploit time.\nS:U -The corruption stays within the kernel\u0027s slab allocator and\n    the kernel\u0027s own security authority; no crossing of a VM, sandbox,\n    or IOMMU boundary occurs.\nC:H -The use-after-free reads attacker-influenceable\n    freed/reallocated buffer contents (hdr-\u003eStatus and symlink\n    parsing), and combined with heap grooming a UAF yields arbitrary\n    kernel memory disclosure.\nI:H -A controlled double-free plus UAF are classic primitives for\n    heap manipulation and arbitrary write, enabling control-flow\n    hijacking and kernel code execution.\nA:H -The UAF/double-free corrupts slab state and reliably causes\n    kernel oops/panic, fully compromising availability.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "88654f6687d6057b18a5365f81b2c4f98b3fc842",
      "tree": "aab5198fb43addbdce68b3c621a8aa8738191845",
      "parents": [
        "64218c6891c7e352838d5734b06ba7ce2faa4b70"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:03:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45980: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached through ioctls (AMDXDNA_EXEC_CMD\n    and AMDXDNA_DESTROY_HWCTX) on the local /dev/accel/accelN device\n    file; there is no network exposure.\nAC:L -This is a race between the DRM scheduler running a queued job\n    and the hwctx resource release, and the attacker controls both\n    sides (submitting jobs and triggering destroy), so it can be\n    reliably reproduced by looping create/submit/destroy cycles.\nPR:L -The relevant ioctls carry flag 0 with no capability or root\n    check, and the NPU device is intended for unprivileged user-space\n    ML applications, so any local user with device access can trigger\n    it without elevated privileges.\nUI:N -The attacking process performs all steps (open, submit,\n    destroy) itself; no victim action is required.\nS:U -The use-after-free corrupts kernel heap within the kernel\u0027s\n    own security authority and does not cross into a separate VM/IOMMU\n    boundary.\nC:H -The freed mailbox channel object can be reclaimed via heap\n    spray, giving the attacker control over its contents and enabling\n    kernel memory disclosure; per guidance UAF is High.\nI:H -The UAF on the channel object used for DMA/command submission\n    enables heap-spray reallocation and controlled writes, providing an\n    arbitrary-write/control-flow primitive.\nA:H -The race-induced use-after-free causes kernel oops/panic, as\n    explicitly stated in the fix commit (\"use-after-free and crashes\").\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "64218c6891c7e352838d5734b06ba7ce2faa4b70",
      "tree": "8bebf46c343339642d105e0af5e601b0c948155f",
      "parents": [
        "9df8cec82280382bbbb07b5eb0aef527cf804940"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:01:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45988: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -rxrpc is a UDP/IP network protocol; the vulnerable\n    CHALLENGE/RESPONSE handling processes packets received from a\n    remote peer (a connecting client, or a malicious/spoofed AFS\n    server) over the network.\nAC:L -The bug is gated on a transient `-ENOMEM`/`-EAGAIN` during\n    handshake processing, but an attacker can induce the required\n    memory pressure by flooding the target with concurrent rxrpc\n    handshakes, making the failing `GFP_NOFS` allocation reachable\n    repeatably.\nPR:N -The CHALLENGE/RESPONSE packets are processed during the\n    security handshake before the connection is secured\n    (`RXRPC_CONN_SERVICE_CHALLENGING`), so no authentication or\n    credentials are needed to reach the code.\nUI:N -A server processing an incoming RESPONSE, and automated AFS\n    clients/daemons processing a CHALLENGE, require no human\n    interaction to trigger the fault.\nS:U -The corruption and its impact are confined to the kernel\u0027s own\n    memory/security authority; no crossing of a VM, IOMMU, or sandbox\n    boundary is involved.\nC:H -The CHALLENGE-path refcount underflow frees the\n    `rxrpc_connection` while still referenced; a UAF lets an attacker\n    reallocate and read controlled freed-object contents, enabling\n    kernel memory disclosure.\nI:H -The same use-after-free / refcount-underflow on the connection\n    object enables heap grooming and write primitives over the freed\n    structure, allowing kernel memory/control-flow corruption.\nA:H -The double-put UAF and the re-decryption of\n    partially-decrypted RESPONSE packets reliably oops/panic the kernel\n    and abort connections, causing a denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9df8cec82280382bbbb07b5eb0aef527cf804940",
      "tree": "cf2ac27f565364a07f51037c8c9e32358fbcb0a3",
      "parents": [
        "5bd1fbcebb458b07e672a52fb293cbf643d51476"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 00:00:08 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45984: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The UAF is reached only through the local write() syscall\n    path (gfs2_file_write_iter → iomap_file_buffered_write →\n    gfs2_iomap_begin) on a locally-mounted GFS2 filesystem; it is not\n    exposed to any network protocol.\nAC:L -The bug triggers when the freed dibh page is reclaimed before\n    the inline memcpy; this memory-reclaim window is\n    attacker-influenceable through memory pressure and by stalling\n    copy_from_iter, and per UAF guidance such races are Low.\nPR:L -Triggering only requires writing a small amount of data to a\n    stuffed file on an already-mounted GFS2 filesystem, achievable by a\n    basic unprivileged local user with write access to any file.\nUI:N -The attacker performs the write themselves; in the normal\n    scenario of an already-mounted GFS2 cluster filesystem no separate\n    victim action is required.\nS:U -The corruption stays within the kernel\u0027s own memory and\n    security authority; no VM, IOMMU, or sandbox boundary is crossed.\nC:H -A use-after-free gives the attacker control over the contents\n    of the freed/reallocated page, which per kernel UAF guidance can be\n    leveraged toward arbitrary kernel memory disclosure.\nI:H -The UAF performs a memcpy of attacker-controlled file data\n    into a freed and potentially reallocated kernel page, enabling\n    corruption of adjacent kernel objects and an arbitrary-write\n    primitive.\nA:H -Writing into freed memory corrupts kernel state and reliably\n    causes an oops/panic, as evidenced by the KASAN use-after-free\n    report.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "5bd1fbcebb458b07e672a52fb293cbf643d51476",
      "tree": "9ff8d4d4e23514edcf7abbb45d1a98d7b5173724",
      "parents": [
        "d43c86f48988ee53b083e96805c465f6534fe687"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:57:26 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45991: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is in mount-time on-disk parsing, reachable locally\n    via loop-device mounts or removable-media handling (e.g. udisks2),\n    not over any network protocol.\nAC:L -The out-of-bounds write is deterministic for a crafted image\n    with repeated partition descriptors at a 32-aligned partnum; no\n    race or attacker-uncontrollable condition is involved.\nPR:L -Direct mount needs CAP_SYS_ADMIN, but on typical\n    workstations/kiosks an unprivileged local user can get a crafted\n    UDF image mounted through privileged auto-mount/udisks2 helpers, so\n    low privilege suffices.\nUI:N -The attacker supplies and triggers the mount of their own\n    crafted image; no action by a separate victim user is required.\nS:U -The corruption stays within the kernel\u0027s own security\n    authority; there is no cross-boundary (VM/IOMMU) escape.\nC:H -A controlled heap out-of-bounds write corrupts adjacent heap\n    objects and can be leveraged (e.g. corrupting length/pointer\n    fields) into an arbitrary read and information disclosure.\nI:H -The bug is a heap out-of-bounds write of attacker-influenced\n    values at attacker-reachable offsets — a write primitive\n    exploitable for further corruption and control-flow hijack.\nA:H -Heap metadata/object corruption from the out-of-bounds write\n    reliably leads to a kernel oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d43c86f48988ee53b083e96805c465f6534fe687",
      "tree": "5603e857935f4c9f7cb02869b9f1e4d534a1d6ce",
      "parents": [
        "0c5ebf456cf8c3a053290568a45fcafb6dd9a89f"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:52:31 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-45999: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H\n\nAV:L -EROFS is mounted from a local block device/image file\n    (FS_REQUIRES_DEV, not userns-mountable); triggering requires\n    locally providing a crafted image and reading from it, with no\n    network path.\nAC:L -The attacker fully controls the crafted image (a working\n    base64 reproducer is in the commit); the illegal extent reliably\n    forces outpages\u003cinpages and the underflow on the first read with no\n    race or uncontrolled condition.\nPR:N -Crafting the malicious image requires no privileges or\n    account on the target system; the attacker merely supplies the\n    image, consistent with the analogous crafted-image CVE-2026-43166\n    (PR:N).\nUI:R -A victim or automount service must mount the\n    attacker-supplied EROFS image and access the file for the\n    decompression path to be reached.\nS:U -The OOB access and resulting crash stay within the kernel\u0027s\n    own security authority; no VM/IOMMU/sandbox boundary is crossed.\nC:H -The unsigned underflow produces an unbounded out-of-bounds\n    read of the page-pointer array far past its end, and in the\n    matching path wild kernel memory can be fed into the decompressed\n    output read by userspace — per kernel guidance an unbounded OOB\n    read is High.\nI:N -The flaw is strictly a read underflow (\"reads past the\n    decompressed_pages array\"); it yields no out-of-bounds write or\n    control-flow primitive, matching the analogous OOB-read\n    CVE-2026-43166 (I:N).\nA:H -Indexing the array ~32 GB beyond its base dereferences\n    unmapped kernel memory, reliably causing a kernel oops/panic and\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "0c5ebf456cf8c3a053290568a45fcafb6dd9a89f",
      "tree": "4ad946d51ffc8b9db5c9fbc45776d4387d959a21",
      "parents": [
        "6722ada5890ffdd585b3e6abb471f00e8d4b3e7b"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:46:22 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46010: Add CVSS 3.1 score (8.1 HIGH)\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -rxrpc is a UDP-based network protocol; the bug is in\n    server-side processing of an RxGK RESPONSE packet received from a\n    remote peer, fully reachable over the network.\nAC:H -The vulnerable fall-through is reachable only when the crypto\n    decrypt path returns -ENOMEM (a kernel allocation failure); for all\n    other errors the code correctly aborts, and an attacker cannot\n    reliably force this allocation to fail.\nPR:N -This runs during the RxGK security challenge/response\n    handshake, before the peer is authenticated, so no privileges or\n    credentials are required.\nUI:N -The server processes incoming RESPONSE packets automatically;\n    no victim interaction is needed.\nS:U -Impact is confined to the kernel\u0027s own security authority; no\n    VM/IOMMU/sandbox boundary is crossed.\nC:H -Skipping decryption causes the server to accept\n    un-authenticated, attacker-supplied ticket data, letting the\n    attacker control K0/identity/level and impersonate a principal,\n    exposing data served over the authenticated session.\nI:H -The attacker-chosen token sets the connection\u0027s session key,\n    security level, and identity without possessing the server key, an\n    authentication bypass that lets the attacker establish a session\n    with forged integrity-relevant parameters.\nA:H -Operating on un-decrypted cryptographic state corrupts the\n    handshake and tears down the connection, and under sustained memory\n    pressure an unauthenticated peer can repeatedly disrupt the RxGK\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6722ada5890ffdd585b3e6abb471f00e8d4b3e7b",
      "tree": "46532e2b9b879929a10d4b8f02215b7c122a9ffa",
      "parents": [
        "e110fbaed00f6f94cb0f3df75eb56221f7774eb5"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:45:07 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46006: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is reached through the DRM_IOCTL_NOUVEAU_GEM_PUSHBUF\n    ioctl on the local GPU device/render node; it requires local system\n    access, not network or adjacent reachability.\nAC:L -The attacker fully controls the relocation array\n    (reloc_bo_offset, data, presumed fields) and can deterministically\n    set reloc_bo_offset to 0xFFFFFFFC to wrap the check and force the\n    write; there is no race or uncontrolled condition.\nPR:L -NOUVEAU_GEM_PUSHBUF is marked DRM_RENDER_ALLOW, so it is\n    accessible to any unprivileged local user holding the render node\n    (no root or DRM master required).\nUI:N -The attacking process issues the ioctl itself; no action by\n    another user or victim is needed.\nS:U -The out-of-bounds write corrupts kernel memory within the\n    kernel\u0027s own security authority and does not cross a\n    VM/IOMMU/sandbox boundary.\nC:H -A controlled out-of-bounds kernel write of this kind is a\n    memory-corruption primitive that can be leveraged to corrupt\n    adjacent structures and ultimately disclose kernel memory.\nI:H -The flaw yields an out-of-bounds write of a largely\n    attacker-controlled 32-bit value into kernel address space, an\n    arbitrary-write-class primitive enabling control-flow/data\n    corruption.\nA:H -The wild write at a fixed ~4 GB offset beyond the buffer\n    mapping almost always hits unmapped/foreign memory, causing a\n    kernel oops or panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e110fbaed00f6f94cb0f3df75eb56221f7774eb5",
      "tree": "ee36ded90fcf3ff25931e78ec232ff669782d9f7",
      "parents": [
        "b5572591582b0a0df86907bc0b9d9635b984615a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:42:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46011: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached through the V4L2 video device\n    node (/dev/videoN, VFL_TYPE_VIDEO) via ioctls and close(), which\n    requires local system access rather than any network or adjacent\n    reachability.\nAC:L -This is a use-after-free race, but the attacker controls both\n    sides — they queue the encode/decode work via STREAMON/qbuf and\n    then close the fd — and can retry the open/queue/close sequence\n    indefinitely until they win, so success does not depend on\n    conditions outside their control.\nPR:L -Triggering the path requires opening the JPEG codec video\n    node and issuing m2m ioctls, which needs local access at\n    unprivileged (e.g. video-group / media process) level but not real\n    root.\nUI:N -The attacker performs the entire open, queue-work, and close\n    sequence themselves; no victim action is required.\nS:U -The UAF corrupts kernel heap memory within the kernel\u0027s own\n    security authority with no crossing of a VM/IOMMU/sandbox boundary.\nC:H -After ctx is freed and reclaimed, the worker dereferences\n    attacker-influenceable freed memory (pointers, m2m context),\n    enabling disclosure of kernel memory contents.\nI:H -The worker writes to the freed object (e.g.\n    ctx-\u003etotal_frame_num++) and programs hardware from freed-object\n    fields, providing a write primitive amenable to heap spraying and\n    control-flow corruption.\nA:H -Use-after-free on the freed context reliably causes kernel\n    oops/panic, a clear high availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "b5572591582b0a0df86907bc0b9d9635b984615a",
      "tree": "32872db61d8752bc1ff2888dd856bb60fbd89839",
      "parents": [
        "7b91ba4ce959cd9f7d14b9a06267d5c953ea2474"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:42:04 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46015: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is reached only through local socket lifecycle\n    operations — creating an SO_REUSEPORT group, enabling migration,\n    and closing the source listener while accepting/closing the target.\n    A remote peer cannot set up the migration group or drive the race,\n    so the vector is Local.\nAC:L -The attacker controls both sides of the race (the closing\n    listener via inet_csk_listen_stop and the concurrent accept/close\n    that drops the listener\u0027s last ref), and the missed-wakeup half is\n    deterministic; per guidance an attacker-created race is Low.\nPR:L -Migration must be enabled, requiring CAP_NET_ADMIN to set the\n    per-netns net.ipv4.tcp_migrate_req sysctl (or a\n    SK_REUSEPORT/migrate BPF prog), all of which an unprivileged user\n    obtains in a user namespace via unshare -Urn.\nUI:N -Triggering depends only on the attacker\u0027s own socket\n    operations; no action by any other user is required.\nS:U -The use-after-free and its impact are confined to the kernel\u0027s\n    own memory/security authority with no crossing of a VM, IOMMU, or\n    sandbox boundary.\nC:H -Use-after-free of a SOCK_RCU_FREE listener socket lets\n    reallocated/freed memory be read (e.g., via sock_net(nsk)),\n    enabling kernel information disclosure.\nI:H -The freed socket is dereferenced for sock_net(nsk) in\n    __NET_INC_STATS (a pointer-controlled increment) and\n    sk_data_ready(nsk) (a function-pointer call), giving an\n    attacker-influenced write/control-flow primitive after heap\n    grooming.\nA:H -The use-after-free reliably crashes the kernel, and the\n    always-present missed wakeup hangs a listener\u0027s accept/poll/epoll\n    waiters indefinitely.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7b91ba4ce959cd9f7d14b9a06267d5c953ea2474",
      "tree": "870074087c09984721ab61aece6ed57c31f8be7d",
      "parents": [
        "c2886b9f70b80a5cbb02d57fadd3c013380be662"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:34:22 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46024: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The vulnerable code processes a CEPH_MSG_AUTH_REPLY received\n    from a remote Ceph monitor over TCP; the libceph client reaches\n    monitors across routed networks, so the attacker (rogue monitor or\n    MITM) operates remotely.\nAC:L -The attacker fully controls the reply message contents and\n    sends protocol\u003d0/result\u003d0 during the negotiation it controls; the\n    crash is deterministic with no race or unobservable memory-layout\n    dependency.\nPR:N -The crafted reply is processed during the authentication\n    handshake before the monitor\u0027s identity is verified, and a remote\n    server/MITM needs no privileges on the victim client.\nUI:N -Once a CephFS/RBD client is connected, monitor connections\n    and reconnections (and the negotiation state) occur automatically,\n    so no user action is required at attack time.\nS:U -The crash occurs within the kernel itself with no crossing of\n    a security boundary into another authority such as a hypervisor or\n    other VM.\nC:N -A NULL pointer dereference yields no information disclosure;\n    no attacker-controlled memory is read or leaked.\nI:N -The NULL dereference does not modify any kernel data and\n    provides no write primitive.\nA:H -Dereferencing the NULL ac-\u003eops triggers a kernel oops/panic,\n    crashing the system — a remote denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c2886b9f70b80a5cbb02d57fadd3c013380be662",
      "tree": "ef85172b4eff7479e1272017812c547f35912c6e",
      "parents": [
        "86205ba3e7311978a5de2306429698f70f9a5f3d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:31:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46031: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The deadlock is in a wired Ethernet NIC driver whose IRQ\n    handler is driven by received network packets (RX interrupts) and\n    elicited host responses (TX); routed traffic from a remote source\n    reaches this path, making it remotely reachable.\nAC:L -The attacker controls both sides of the triggering condition\n    by generating sustained bidirectional traffic (sending packets to\n    cause RX, eliciting responses to cause TX/queue-wake); under load\n    the structural deadlock manifests reliably, and the non-RT path\n    occurs with default config.\nPR:N -Triggering requires only network traffic to/from the device\n    with no authentication or local credentials.\nUI:N -No victim interaction is needed; the deadlock arises\n    automatically from concurrent RX/TX processing.\nS:U -The deadlock is confined to the kernel that owns the driver;\n    no security boundary is crossed.\nC:N -A lock-recursion deadlock discloses no memory or information.\nI:N -The bug only hangs execution; it provides no data modification\n    or write primitive.\nA:H -The self-deadlock hangs the IRQ thread/CPU (hard spinlock\n    lockup on non-RT, blocked rtmutex on RT), rendering the system or\n    its network path unresponsive.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "86205ba3e7311978a5de2306429698f70f9a5f3d",
      "tree": "df5b3f8735877a62be1a44bdcf6b60ad04e434ab",
      "parents": [
        "18f1777df78d8a1039a074227811f5218e06d46a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:31:39 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46027: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The SMC CLC handshake runs over a TCP connection; a remote\n    peer (a malicious client connecting to a listening SMC server, or a\n    malicious server) triggers the dereference by sending a crafted\n    DECLINE message, so the code is reachable purely over the network.\nAC:L -The attacker reliably crafts a DECLINE message with the\n    SMC_FIRST_CONTACT_MASK bit set; the lgr\u003d\u003dNULL condition is the\n    default early-handshake state (the first message the server\n    processes), so there is no race or condition outside attacker\n    control.\nPR:N -On the server-side listen path the dereference occurs while\n    processing the very first handshake message, before any\n    authentication, so an unauthenticated remote peer requires no\n    privileges.\nUI:N -A server with an AF_SMC listening socket processes the\n    malicious handshake passively in a work queue with no local user\n    action required.\nS:U -The crash is confined to the kernel\u0027s own security scope; no\n    boundary (VM/IOMMU/sandbox) is crossed.\nC:N -This is a NULL pointer dereference with no information\n    disclosure — no kernel memory contents are read or leaked.\nI:N -The write is to NULL plus a small fixed bitfield offset on a\n    never-initialized pointer (not a controllable/dangling pointer), so\n    it only crashes and provides no exploitable write primitive.\nA:H -Dereferencing the NULL lgr pointer causes a kernel oops/panic,\n    taking down the system in a remotely-triggerable, unauthenticated\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "18f1777df78d8a1039a074227811f5218e06d46a",
      "tree": "bb3b30482daa0970a0c75c991340ff040f726307",
      "parents": [
        "8a33d4048e1ac6468df2adf1c08d1dcb06fa358a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:31:14 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:44 2026 -0400"
      },
      "message": "CVE-2026-46037: Add CVSS 3.1 score (8.2 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H\n\nAV:N -The vulnerable code is reached by processing an inbound ICMP\n    Extended Echo Request packet in the IPv4 ICMP receive path\n    (icmp_rcv → icmp_echo → icmp_reply → icmp_glue_bits), so any remote\n    host on the network can trigger it.\nAC:L -In the assumed worst-case deployment (RFC 8335 probe\n    responses enabled), a single crafted ICMP Extended Echo Request\n    with the L-bit set deterministically drives the reply type to 43\n    and triggers the fixed out-of-bounds read; no race or\n    attacker-uncontrollable condition is involved.\nPR:N -Sending an ICMP packet requires no authentication or\n    privileges on the target; the path runs entirely in packet receive\n    before any credential check.\nUI:N -The target only needs to receive the attacker\u0027s packet; no\n    victim action is required.\nS:U -The out-of-bounds access stays within the kernel\u0027s own memory\n    and security authority, with no crossing of a VM/IOMMU/sandbox\n    boundary.\nC:L -An out-of-bounds read of kernel .rodata occurs, but it is\n    strictly bounded to a fixed 2-byte field at a constant offset and\n    is not disclosed to the attacker, fitting a small bounded read\n    rather than arbitrary disclosure.\nI:N -The bug performs only a read; there is no out-of-bounds write\n    or attacker-meaningful modification of kernel data.\nA:H -The out-of-bounds array access can crash the kernel (e.g.,\n    KASAN/panic_on_warn configurations) via a single unauthenticated,\n    repeatable remote packet, yielding a denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8a33d4048e1ac6468df2adf1c08d1dcb06fa358a",
      "tree": "76c7f6c318189097c7d271639a28c008a1247818",
      "parents": [
        "ec8e70f74100ef6374f7ff5194bf13cb842978e6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:28:54 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46029: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The only callers reaching NMI-context kmalloc_nolock() are\n    local BPF programs (perf events) or in-kernel module code; there is\n    no remote/network path to this allocator routine.\nAC:H -The bug only manifests on rare non-default uniprocessor\n    (!CONFIG_SMP) kernels, and additionally requires the NMI to fire\n    during the narrow window in which the interrupted context holds\n    n-\u003elist_lock — both conditions are beyond the attacker\u0027s control.\nPR:L -Running code in NMI context that calls kmalloc_nolock()\n    requires attaching a BPF program to a hardware perf event\n    (CAP_BPF/CAP_PERFMON), which are sub-root capabilities delegable to\n    confined tracing/profiling service accounts rather than full root.\nUI:N -Triggering the NMI-context allocation requires no action from\n    any other user or victim.\nS:U -The slab-state corruption stays within the kernel\u0027s own\n    security authority; no cross-boundary (VM/IOMMU) escape is involved.\nC:H -Re-entrant slab list/freelist corruption is a powerful\n    primitive that can produce overlapping allocations and be leveraged\n    for kernel memory disclosure.\nI:H -Corruption of SLUB partial-list/freelist metadata is a\n    well-known basis for arbitrary-write primitives and control-flow\n    hijacking.\nA:H -The corrupted slab state (or the DEBUG_SPINLOCK BUG) leads to\n    kernel oops/panic, a full availability loss.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ec8e70f74100ef6374f7ff5194bf13cb842978e6",
      "tree": "10426b0d1caf9f57288529f42696421f28071340",
      "parents": [
        "90826a43f9d66ca378a02000148102ea757e85a8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:25:52 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46039: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The bug is triggered by a crafted RxRPC RESPONSE packet\n    received over UDP and parsed by the in-kernel rxgk server-side\n    handshake (`rxgk_verify_response`); no local access is needed.\nAC:L -The integer overflow is deterministic for fixed `ticket_len`\n    values (0xFFFFFFFD–0xFFFFFFFF), and all packet fields including the\n    enumerable kvno/enctype used for the server-key lookup are\n    attacker-controlled, so the attacker reliably triggers the OOB.\nPR:N -The RESPONSE packet is processed during the security\n    handshake before the client is authenticated; the attacker needs no\n    credentials, only a kvno/enctype matching a server key (a public,\n    guessable identifier).\nUI:N -The rxrpc service processes incoming RESPONSE packets\n    automatically with no victim interaction.\nS:U -The corruption is confined to the kernel\u0027s own memory within\n    the same security authority; no VM/IOMMU boundary is crossed.\nC:H -The truncated negative length yields a ~4 GB scatterlist\n    entry, causing an enormous out-of-bounds read of adjacent kernel\n    memory during AEAD decryption, well beyond a few bounded bytes.\nI:H -The AEAD decrypt is in-place (src\u003d\u003ddst scatterlist), so\n    plaintext is written back across the oversized region, corrupting\n    adjacent kernel heap memory (out-of-bounds write) before the fault.\nA:H -Reading/writing a ~4 GB region from a small skb buffer\n    reliably hits unmapped memory, producing a kernel oops/panic\n    (remote, unauthenticated DoS).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "90826a43f9d66ca378a02000148102ea757e85a8",
      "tree": "e29e887b8a251709a1b521314d3ee053944e2979",
      "parents": [
        "7cf43aee2310521f6eb46f6226ac8c3326cda0e4"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:25:41 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46036: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is reached only via ioctl(VFIO_DEVICE_SET_IRQS) on a\n    local /dev/vfio device file; there is no network or\n    adjacent-network exposure.\nAC:L -This is an attacker-controlled race — the attacker issues\n    concurrent enable/trigger and disable SET_IRQS ioctls from two\n    threads on the same fd, controlling both sides, and the\n    unserialized core dispatch lets them run in parallel and be\n    hammered until won.\nPR:L -VFIO\u0027s threat model hands the device fd to unprivileged\n    userspace (VM/passthrough processes), so an attacker only needs\n    access to an already-bound vfio-cdx device fd, not init-namespace\n    root; when uncertain, the higher-severity L is chosen.\nUI:N -Triggering the race requires only the attacker\u0027s own\n    concurrent ioctls; no victim action is needed.\nS:U -The use-after-free corrupts the kernel\u0027s own cdx_irqs\n    management array within the kernel security authority and does not\n    cross an IOMMU/VM boundary.\nC:H -Use-after-free of a heap array whose freed contents are read\n    back (including pointers) allows the attacker to reallocate the\n    slab with controlled data and disclose kernel memory.\nI:H -The freed array\u0027s entries (a dereferenced/callable eventfd_ctx\n    pointer and pointers passed to kfree/free_irq) enable\n    heap-spray-based arbitrary write and control-flow hijacking.\nA:H -The use-after-free reliably causes kernel oops/panic when the\n    freed cdx_irqs array is accessed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7cf43aee2310521f6eb46f6226ac8c3326cda0e4",
      "tree": "e9411951ac517c56c7b32e37a3a4ab18a39582d5",
      "parents": [
        "c62c95e6ebe20298cc93c4da724a1a72edea8245"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:23:28 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46043: Add CVSS 3.1 score (9.1 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n\nAV:N -The vulnerable code processes RoCEv2 packets received over\n    UDP/IP (port 4791) from a remote peer; `pkt-\u003epaylen` is derived\n    directly from the attacker-controlled UDP length header field.\nAC:L -A single crafted packet with `paylen` at the header-size\n    boundary and a non-zero BTH pad deterministically underflows\n    `payload_size()`; the resulting ~2⁶⁴-byte read reliably runs off\n    the buffer with no race or unknowable memory layout required.\nPR:N -A remote, unauthenticated attacker triggers it; via the\n    multicast path `hdr_check()` returns success with no QP, so\n    `rxe_icrc_check()` performs the OOB read with no established\n    connection or credentials.\nUI:N -The packet is processed automatically in the receive path on\n    arrival; no victim action is required.\nS:U -The fault and its impact are confined to the kernel\u0027s own\n    memory/security scope; there is no crossing of a VM, IOMMU, or\n    sandbox boundary.\nC:H -The integer underflow produces an unbounded out-of-bounds read\n    length passed to the CRC/copy routines; per the rubric an unbounded\n    OOB read is High confidentiality impact.\nI:N -The underflow is used purely as a read length; the downstream\n    copy/write consumers are guarded by length checks and a negative\n    truncated length makes the copy a no-op, so no memory is modified.\nA:H -The near-2⁶⁴-byte out-of-bounds read in `rxe_crc32()` walks\n    off the skb buffer into unmapped memory, causing a kernel\n    oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c62c95e6ebe20298cc93c4da724a1a72edea8245",
      "tree": "8704006c98334a201b11a3618da0ca46dc81363b",
      "parents": [
        "0d61e68dbac2be21b44cb44e07b500bc0fcfa4e8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:17:49 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46054: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAV:L -The flaw is reached only via the local\n    `mmap(2)`/`mprotect(2)` syscalls on a file residing on a stacked\n    filesystem (overlayfs); there is no network-facing path.\nAC:L -A confined process reliably triggers the missing backing-file\n    check on every mmap/mprotect of an overlayfs file; there is no\n    race, timing, or memory-layout condition outside the attacker\u0027s\n    control.\nPR:L -Exploitation requires a local, low-privileged (typically\n    SELinux-confined) process; overlayfs is `FS_USERNS_MOUNT`, so even\n    an unprivileged user can set up the overlay and reach these paths.\nUI:N -The attacking process performs mmap/mprotect itself; no\n    action by any other user is needed.\nS:U -Both the vulnerable component (kernel/SELinux LSM) and the\n    impacted resources (files governed by the same kernel/SELinux\n    authority) lie within one security scope; there is no\n    VM/IOMMU/hypervisor boundary crossing.\nC:H -The missing backing-file check bypasses the mounter-credential\n    `FILE__READ` gate, allowing a confined process to mmap and read the\n    full contents of attacker-chosen backing files that SELinux policy\n    was meant to protect.\nI:H -The bypass also defeats `FILE__WRITE`, `FILE__EXECUTE`,\n    `PROCESS__EXECMEM`, and `FILE__EXECMOD` enforcement, letting a\n    confined process modify shared-mapped backing files and execute\n    code/modified content that policy explicitly forbids — a direct,\n    serious integrity violation.\nA:N -The defect is a missing permission check with no memory\n    corruption, crash, hang, or resource exhaustion; availability is\n    unaffected.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "0d61e68dbac2be21b44cb44e07b500bc0fcfa4e8",
      "tree": "e0612e9bdc5dc1aff4740179dfb89160f7e756fd",
      "parents": [
        "1744d1bb33aaaac2f39537e0766066156394b6c8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:17:08 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46052: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -Ceph is a network filesystem client; the vulnerable\n    `ceph_finish_lookup()` path is driven directly by remote MDS reply\n    data (-ENOENT with no trace), so a malicious/compromised MDS or\n    on-path attacker injecting crafted replies can drive the buggy\n    `d_add()` on a hashed negative dentry. Processing remote-peer data\n    places this at Network.\nAC:L -The corruption arose naturally in production from an ordinary\n    `newfstatat`, showing the precondition (a reused already-hashed\n    negative dentry) is reliably reachable; an attacker controlling MDS\n    replies/lease grants can deterministically set up the cached\n    negative dentry and re-lookup with no race outside their control.\nPR:N -A network attacker who controls or impersonates the MDS (or\n    MITMs the unauthenticated msgr path) needs no privileges or\n    credentials on the victim client to feed the -ENOENT-no-trace\n    replies that trigger the vulnerable code.\nUI:N -On an established Ceph mount, path lookups/stats occur\n    continuously as part of normal operation, so no specific victim\n    action is required at exploit time.\nS:U -The corruption and resulting hang are entirely within the\n    kernel\u0027s own dcache; no security boundary (VM, IOMMU, sandbox) is\n    crossed.\nC:N -The bug creates a self-referential cycle in an hlist_bl hash\n    bucket and leaks no memory contents; there is no out-of-bounds or\n    use-after-free read primitive.\nI:N -The only state altered is an internal dcache list pointer\n    forming a loop; this provides no attacker-controllable write\n    primitive and modifies no user or security-relevant data.\nA:H -`__d_lookup()` spins forever on the corrupted bucket,\n    producing RCU stalls and a hung/softlocked CPU — a kernel-level\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "1744d1bb33aaaac2f39537e0766066156394b6c8",
      "tree": "984328a7b754e97b211c64ac0fdeaaacd0b94b00",
      "parents": [
        "e37f64c5848ac99e2a9f61518405c1be860ce30c"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:14:18 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46053: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is triggered through the local `setsockopt(SOL_RDS,\n    RDS_GET_MR/RDS_GET_MR_FOR_DEST)` syscall on an RDS socket\n    (MR-registration control plane); it is not reachable from a remote\n    peer\u0027s network packets.\nAC:L -Once an RDMA-capable RDS socket is bound, the double-free is\n    100% deterministic and the attacker fully controls the trigger by\n    supplying a bad `cookie_addr` so `put_user()` faults; there is no\n    race or attacker-uncontrolled condition.\nPR:L -Creating an AF_RDS socket has no capability check (module\n    auto-loads) and `can_do_mlock()` passes for normal users by\n    default, so any unprivileged local user on a host with RDMA\n    hardware can reach the path.\nUI:N -The attacker triggers the entire sequence with its own\n    syscalls; no action by another user or victim is required.\nS:U -The double-free corrupts the kernel slab/page allocator within\n    the kernel\u0027s own security authority and does not cross a\n    virtualization or IOMMU boundary.\nC:H -The double-free of the `sg` slab object and the page-refcount\n    underflow yield use-after-free/cross-object primitives that can be\n    groomed into arbitrary kernel-memory reads, enabling significant\n    information disclosure.\nI:H -A double `kfree()` corrupts the SLUB freelist and the\n    page-refcount underflow allows reuse of an in-use physical page,\n    both classic primitives for arbitrary kernel write and privilege\n    escalation.\nA:H -The double-free and page-refcount underflow readily cause heap\n    corruption, freelist poisoning, and kernel panic/oops.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e37f64c5848ac99e2a9f61518405c1be860ce30c",
      "tree": "c3000317b0875a908b77c7fc8162559c02dcfe2d",
      "parents": [
        "456c746e536e10b78aed9e15245eb4615edb8e77"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:13:20 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46055: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The vulnerability is reached through the local `mount(2)`\n    syscall; there is no network-facing path to AppArmor mount\n    mediation.\nAC:L -Every confined directory mount deterministically overwrites\n    the terminator, and the trailing byte from a non-zeroed kmalloc\n    buffer is reliably non-zero (and groomable), so the OOB read is\n    reliably triggered.\nPR:L -Mount requires CAP_SYS_ADMIN, but only namespace-relative —\n    an unprivileged user obtains it via `unshare -Urm`; confinement by\n    a mount-mediating profile is the common Ubuntu/snap default (the\n    actual reporter was unprivileged snap-update-ns).\nUI:N -The attacker performs the directory bind/remount themselves;\n    no action by any other user is required.\nS:U -The out-of-bounds access stays within the kernel\u0027s own memory\n    and does not cross into another security authority.\nC:H -Out-of-bounds read of unbounded length (DFA walks until a NUL\n    is found), and the unterminated path is logged via `audit_mount`,\n    leaking adjacent kernel heap contents to the user.\nI:N -The defect is purely a read overrun; the `/` and\n    missing-terminator writes are in-bounds, so no out-of-bounds data\n    modification occurs.\nA:H -The demonstrated behavior is a KASAN slab-out-of-bounds oops;\n    on KASAN/hardened kernels it is a guaranteed crash and can fault\n    when the buffer abuts an unmapped page.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "456c746e536e10b78aed9e15245eb4615edb8e77",
      "tree": "80a506d9ab7c4037972c8751429c6865df02a136",
      "parents": [
        "ea94a03d203081fde3b15888a01aef21dfc93c8b"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:11:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46056: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:A -The vulnerable handlers process HCI Secure Simple Pairing\n    events (User Passkey Notify / Keypress Notify) driven by a remote\n    Bluetooth peer during SSP pairing, so the attacker must be within\n    Bluetooth radio range (adjacent), matching kernel guidance that\n    Bluetooth \u003d Adjacent.\nAC:L -This is a use-after-free where a remote peer drives the\n    passkey/keypress events while connection teardown frees the conn\n    from a concurrent context; the attacker influences both sides of\n    the race and can retry, and UAF bugs are scored AC:L unless the\n    race is uncontrollable.\nPR:N -The code path is reached by a remote Bluetooth device\n    participating in the SSP pairing handshake, requiring no\n    credentials or privileges on the target system.\nUI:N -The handlers execute automatically when the controller\n    forwards the SSP passkey/keypress HCI events during the pairing\n    protocol exchange; no local user action is required to reach the\n    vulnerable code.\nS:U -The corruption is confined to kernel memory within the same\n    security authority; there is no crossing of a VM, IOMMU, or sandbox\n    boundary.\nC:H -The use-after-free reads fields (dst, type, dst_type, passkey)\n    from a freed and potentially reallocated hci_conn object, which can\n    disclose attacker-controlled or sensitive kernel heap contents.\nI:H -The handlers write to the freed object (passkey_notify and\n    passkey_entered fields), giving a UAF write into reallocated heap\n    memory that can be leveraged for heap grooming and control-flow\n    corruption.\nA:H -A use-after-free on the hci_conn structure readily causes\n    kernel oops/panic, yielding high availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ea94a03d203081fde3b15888a01aef21dfc93c8b",
      "tree": "3003af78195dc84637924161e8ad0329d71c9675",
      "parents": [
        "d7b6eaf66b4168e68eb6acf7f16f0271b94a9f06"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:11:06 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46058: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The amphion VPU is a V4L2 mem2mem device reached only through\n    a local `/dev/videoN` device file via open/ioctl/close; there is no\n    network or remote path to this code.\nAC:L -The flaw is a race the attacker fully controls by running one\n    thread that streams/queues buffers (scheduling a job) and another\n    that closes the fd (triggering release); it can be retried in a\n    loop until won.\nPR:L -Exploitation requires a local unprivileged user with access\n    to the V4L2 device node (typically granted via the video group or\n    logged-in session ACL); no root is needed.\nUI:N -The attacker performs all steps (open, stream, concurrent\n    close) itself; no action by any other user is required.\nS:U -The vulnerability and its impact are confined to the kernel\u0027s\n    own security authority with no crossing of a VM/IOMMU/sandbox\n    boundary.\nC:H -The freed `m2m_ctx` is dereferenced after `kfree`\n    (use-after-free per the fix), and a UAF over a slab object the\n    attacker can groom/reallocate is treated as enabling arbitrary read\n    of freed contents.\nI:H -The use-after-free on the freed context permits heap\n    grooming/reallocation of the object that is then dereferenced,\n    providing a write/control primitive consistent with kernel UAF\n    integrity impact.\nA:H -The race reliably faults on an invalid pointer in\n    `v4l2_m2m_try_run`, producing a kernel oops/panic and denial of\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d7b6eaf66b4168e68eb6acf7f16f0271b94a9f06",
      "tree": "ac9ba75f4dc7cac2967e82ff4fa2fc04dfa4b4d0",
      "parents": [
        "3c0ee5ff8de3c9b4209a0242f9483d629503c5ee"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:07:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46065: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable fault handlers are reached by mmap\u0027ing\n    /dev/fbN and accessing the mapping — a local operation requiring no\n    network. Device removal (the precondition) can be non-physical (VM\n    host-driven removal, sysfs unbind, module unload), so Local is the\n    most severe defensible vector over Physical.\nAC:L -Once the device is removed while a mapping is active, any\n    access deterministically hits the freed defio state/video pages —\n    no race must be won to trigger it. In a kiosk/embedded scenario\n    with a removable display the attacker controls both the mapping and\n    the removal, and heap reclaim is attacker-influenced.\nPR:L -Exploitation requires only a local user with access to the\n    framebuffer device, which is granted to the logged-in/console user,\n    video-group members, Android apps, and is often world-accessible on\n    embedded/kiosk systems. No root or init-namespace privilege is\n    needed.\nUI:N -The attacker performs all steps themselves — map the\n    framebuffer, cause/await removal, then access the mapping — with no\n    separate victim action required.\nS:U -The use-after-free corrupts kernel memory within the same\n    security authority; even in the VM-framebuffer case the impact\n    stays inside the guest kernel and does not cross into the\n    hypervisor.\nC:H -The fault handler returns freed-and-reclaimed video pages and\n    the freed pagerefs array to userspace, allowing disclosure of\n    arbitrary reallocated kernel/user memory — a use-after-free read\n    primitive.\nI:H -The write-fault path writes a page pointer and offset into the\n    kvfree\u0027d pagerefs array and exposes freed/reallocated pages for\n    writing, giving a use-after-free write primitive usable for\n    control-flow hijacking via heap spraying.\nA:H -Accessing the mapping after teardown uses a destroyed mutex,\n    freed pagerefs, and hits BUG_ON(!info-\u003efbdefio-\u003emapping), reliably\n    causing an oops/panic; any use-after-free crashes the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "3c0ee5ff8de3c9b4209a0242f9483d629503c5ee",
      "tree": "2617aebe48d34d38b4971a3bec104d54a2cfbdfe",
      "parents": [
        "58f3b39cea3bafd9c52c96de5639dadb3c7d0406"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:05:51 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46062: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered by parsing a crafted NTFS\n    data-run during mount/file access; NTFS3 is a local block-backed\n    filesystem (not network-reachable), so the attacker supplies a\n    malicious image/removable media that is mounted locally.\nAC:L -The integer overflow is deterministically controlled by the\n    on-disk runlist values the attacker crafts; no race or\n    attacker-uncontrollable condition is involved.\nPR:N -The attacker only needs to craft the malicious filesystem\n    image and requires no privileges on the target; a victim with mount\n    capability performs the mount (captured under UI).\nUI:R -Exploitation requires a victim to mount/access the\n    attacker-supplied malicious NTFS volume (e.g., inserting removable\n    media or mounting a provided image).\nS:U -The out-of-bounds access stays within the kernel\u0027s own\n    security authority; there is no cross-boundary escape (no VM/IOMMU\n    boundary crossed).\nC:H -The bypassed boundary check allows out-of-volume LCN ranges,\n    enabling reads of arbitrary on-disk data bypassing access checks\n    and out-of-bounds memory reads, per the sibling fix\u0027s own impact\n    description.\nI:H -The same out-of-bounds cluster ranges permit destruction of\n    arbitrary on-disk data and corruption of in-memory\n    bitmap/free-space accounting, giving an attacker-controlled write\n    primitive.\nA:H -Out-of-bounds cluster/bitmap access from a bypassed boundary\n    check readily causes kernel oops/panic or filesystem corruption,\n    denying service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "58f3b39cea3bafd9c52c96de5639dadb3c7d0406",
      "tree": "809b1c8d88bfc977db64943cb9e368c2925177fe",
      "parents": [
        "e943ebaceaf4aceb8513aaedca758fbc6e4aebc6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:02:12 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46070: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The malicious input is the on-disk journal metadata processed\n    during local MD array assembly/start; it is not a network-facing\n    service. Even when the journal sits on remote storage, the\n    vulnerable recovery code runs locally against a block device, so\n    the vector is Local.\nAC:L -A crafted journal block deterministically triggers the OOB\n    read on every assembly; the required CRC is fully\n    attacker-computable from the publicly-stored array UUID, and there\n    is no race or uncontrolled condition.\nPR:L -Exploitation only requires planting crafted bytes on the\n    journal block device (e.g. disk-group/device write access), after\n    which routine or boot-time auto-assembly processes it; this is a\n    low-privilege primitive rather than full init-namespace root.\nUI:N -Array assembly/journal recovery runs automatically at boot or\n    device hot-plug, so no human interaction is needed once the\n    corrupted journal is in place.\nS:U -The OOB read stays within the kernel\u0027s own memory and security\n    authority; no VM, IOMMU, or sandbox boundary is crossed.\nC:H -The flaw is a large, unbounded out-of-bounds read of adjacent\n    kernel memory (FLUSH count up to ~500M entries), which per scoring\n    guidance for unbounded OOB reads is treated as a high\n    confidentiality impact.\nI:N -The fix adds only read-bounds validation; the vulnerability\n    provides no out-of-bounds write or corruption primitive against\n    system data, so there is no integrity impact.\nA:H -OOB access to unmapped memory (or the int overflow / BUG_ON in\n    the read path) causes a kernel oops/panic, crashing the host during\n    array assembly.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e943ebaceaf4aceb8513aaedca758fbc6e4aebc6",
      "tree": "a3c8aba567c18e3cd3bb05c4d827e56f62f2fa2e",
      "parents": [
        "215db7764a20ca660dfbb261c6925eed87804816"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 23:01:57 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46076: Add CVSS 3.1 score (7.9 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H\n\nAV:L -The path is reached by executing a VMMCALL instruction from\n    within a nested (L2) guest running under KVM on AMD SVM; this is\n    local execution against the hypervisor, not reachable via network,\n    adjacent network, or physical interface.\nAC:L -Triggering is deterministic — once the nested setup exists\n    (L1 does not intercept VMMCALL, e.g. relying on L0\u0027s Hyper-V direct\n    L2 TLB-flush handling), a single VMMCALL in L2 reliably reaches\n    L0\u0027s hypercall handler with no race or attacker-uncontrolled\n    timing, mirroring sibling CVE-2026-43133.\nPR:L -The attacker must control a guest and run guest kernel-level\n    (CPL0) code in the nested guest to set up and issue the hypercall;\n    this is low privilege relative to the host and requires no real\n    init-namespace root.\nUI:N -Exploitation is triggered solely by guest instruction\n    execution (VMMCALL); no host-side or victim user action is required.\nS:C -The bug is in KVM\u0027s enforcement of the nested-virtualization\n    boundary: L2\u0027s VMMCALL is serviced by L0 as if it were L1 instead\n    of #UD\u0027ing, so an L2 guest\u0027s action reaches and affects\n    L1/L0-maintained state outside the L2 guest\u0027s own security\n    authority.\nC:L -The improperly-handled hypercalls cause L0 to read L1-context\n    memory (guest-physical addresses supplied by L2 are interpreted in\n    the L1/host-maintained address space) and inspect the vCPU\u0027s\n    Hyper-V state — a bounded cross-domain exposure, not an arbitrary\n    host read primitive.\nI:L -L2 can drive L0 hypercalls that modify L1/host-maintained\n    state (inject IPIs into the VM\u0027s vCPUs, post SynIC messages/signal\n    events, request GPA-range operations), a bounded cross-domain state\n    modification rather than an arbitrary write or code-execution\n    primitive.\nA:H -L2 can repeatedly issue these hypercalls to force TLB flushes,\n    inject IPIs, and corrupt the L1 hypervisor\u0027s Hyper-V messaging\n    state, destabilizing or hanging the affected nested-virtualization\n    workload at will — a complete loss of availability for that\n    workload.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "215db7764a20ca660dfbb261c6925eed87804816",
      "tree": "9c671790c79260556e26264000a3b4e2f6de1046",
      "parents": [
        "df0b2d060c756dc3dc309f5e8ee1e3bdc932d0a1"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:53:37 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46078: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H\n\nAV:L -The flaw is triggered by parsing a maliciously crafted EROFS\n    filesystem image during a directory read; the data is processed\n    locally after the image is presented (file/loop/removable media),\n    with no network reachability for the readdir path.\nAC:L -An attacker fully controls the on-disk `nameoff` field of the\n    trailing dirent in the crafted image, so the unsigned underflow and\n    resulting out-of-bounds `strnlen` are reproduced deterministically\n    every time the directory is read.\nPR:N -Once the crafted image is mounted, triggering the bug\n    requires only an ordinary directory listing (getdents/readdir),\n    which needs no special privileges; this matches the sibling\n    crafted-image EROFS CVE-2026-43166.\nUI:R -EROFS lacks FS_USERNS_MOUNT and requires CAP_SYS_ADMIN to\n    mount, so a separate user/automounter must mount the\n    attacker-supplied image before the vulnerable readdir path can\n    execute.\nS:U -The out-of-bounds access stays within the kernel\u0027s own memory\n    and security authority; there is no crossing of a VM, IOMMU, or\n    sandbox boundary.\nC:H -The underflowed length drives an unbounded `strnlen` that\n    reads kernel memory far past the directory-block buffer; per the\n    OOB-read guidance this unbounded read is High.\nI:N -The defect is strictly a read (strnlen over adjacent memory);\n    no out-of-bounds write, use-after-free, or type confusion occurs,\n    so no data can be modified.\nA:H -Scanning up to ~4 GB past the buffer readily walks into\n    unmapped memory, producing a kernel oops/panic and denial of\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "df0b2d060c756dc3dc309f5e8ee1e3bdc932d0a1",
      "tree": "69619c45f0bb1de1753cdecd39231f08a05f4c69",
      "parents": [
        "de244c7bd7a4f1d13492e39c64b910e91c091d50"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:52:14 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46085: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -rxrpc is the UDP-based AFS RPC protocol; the vulnerable code\n    processes DATA packets received from a remote network peer, and AFS\n    cells routinely traverse the internet.\nAC:L -The attacker fully controls the DATA payload length (UDP\n    datagram size minus headers) and can reliably set it to a\n    non-multiple of 8; the rxkad checksum does not cover the data\n    length, so the misaligned packet reliably reaches the crypto path.\nPR:N -An on-path attacker modifying an in-flight packet, or a\n    malicious server the victim client connects to, needs no\n    credentials or privileges on the target system since the 16-bit\n    checksum gate is independent of the data length.\nUI:N -Received DATA packets are decrypted/verified automatically\n    during normal call processing; tampering with packets of an\n    existing connection requires no victim action.\nS:U -The triggered WARN/panic is contained within the kernel\u0027s own\n    security authority and crosses no privilege or virtualization\n    boundary.\nC:N -The bug only causes a crypto error path to WARN; no kernel\n    memory is read or disclosed to the remote attacker.\nI:N -No memory is corrupted or modified—the misaligned length is\n    rejected by the cipher, so there is no write primitive or data\n    tampering.\nA:H -The remotely-triggerable WARN_ON_ONCE causes a kernel panic on\n    the common panic_on_warn configuration, yielding a full denial of\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "de244c7bd7a4f1d13492e39c64b910e91c091d50",
      "tree": "08d7418f58fe682a48c9234800c6d4acae4b644e",
      "parents": [
        "7cec9ed36fac304a3fd184490ee77134a3116067"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:51:37 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:43 2026 -0400"
      },
      "message": "CVE-2026-46081: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The only affected callers reaching the buggy chain path use\n    the virtual-DMA interface from local contexts (UBIFS filesystem\n    I/O); all network-facing acomp users (IPComp) use scatterlists and\n    skip the vulnerable path, so there is no remote vector.\nAC:L -Within an affected configuration (async hardware accelerator\n    bound to the compressor), ordinary compress/decompress operations\n    deterministically take the async completion path and corrupt\n    memory; there is no race to win or attacker-uncontrolled state\n    required to trigger it.\nPR:L -Triggering requires only local read/write access to a\n    UBIFS-backed file, which an ordinary unprivileged user has on\n    systems where UBIFS holds user-accessible data; no elevated\n    capability is needed.\nUI:N -The attacker triggers (de)compression through their own file\n    operations; no action by another user is required.\nS:U -The corruption is confined to kernel memory within the same\n    security authority; no VM, IOMMU, or sandbox boundary is crossed.\nC:H -Casting the chain pointer to a request struct causes\n    out-of-bounds reads and dereferences at wrong offsets, and this\n    memory corruption can be leveraged for kernel information\n    disclosure.\nI:H -The bug performs out-of-bounds writes (e.g. via\n    acomp_request_set_src_dma at the wrong offset) and calls a function\n    pointer fetched from a wrong offset, providing a\n    control-flow-hijack and arbitrary-write primitive.\nA:H -The wrong-offset dereference produces a confirmed general\n    protection fault / kernel panic in IRQ/tasklet context, crashing\n    the system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7cec9ed36fac304a3fd184490ee77134a3116067",
      "tree": "93944f08c721cd30f630828426a2efce9431c591",
      "parents": [
        "c1fe1fb6457d8cc9d131fef67b8e2822e4242360"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:42:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46090: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached only through local ALSA PCM\n    device files (/dev/snd/pcmC*D*) via open/ioctl syscalls; there is\n    no remote or network-facing path to the aloop trigger callback.\nAC:L -The attacker controls both sides of the race by opening both\n    loopback substreams and repeatedly triggering playback START while\n    concurrently closing the capture stream; syzbot reproduces it\n    readily, so no condition is outside attacker control.\nPR:L -Exploitation requires only access to /dev/snd PCM nodes,\n    which an unprivileged local user obtains via the audio group or\n    udev session ACLs on systems where snd-aloop is loaded; no real\n    root is needed.\nUI:N -The attacker performs all open/trigger/close operations\n    themselves; no victim action is required.\nS:U -The use-after-free and its impact are confined within the\n    kernel\u0027s own security authority; there is no crossing of a VM,\n    IOMMU, or sandbox boundary.\nC:H -The UAF on the freed snd_pcm_runtime heap object lets an\n    attacker reclaim it via heap spraying and read\n    attacker-influenced/adjacent kernel memory, yielding high\n    confidentiality impact.\nI:H -Re-entering snd_pcm_stop()/the trigger op on a freed,\n    attacker-reclaimable object enables a write/control-flow primitive\n    via heap spraying, giving high integrity impact.\nA:H -The use-after-free dereferences freed kernel memory, reliably\n    causing an oops/kernel panic and thus high availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c1fe1fb6457d8cc9d131fef67b8e2822e4242360",
      "tree": "0ae71e85a8c07dd475de2b33b17b7fc6376a11ec",
      "parents": [
        "41ae74793fe2c9598de08f60a8482971659bca39"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:41:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46093: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable race is in core MM internals (vmap pool decay)\n    reached only via local memory-management activity — inducing\n    vmalloc/vfree churn (purge path) and memory pressure (shrinker\n    path). No network-delivered data reaches the vulnerable function.\nAC:L -An unprivileged attacker controls both sides: one thread\n    forces direct reclaim (shrinker→decay) while another drives\n    vmalloc/vfree churn past the lazy-free threshold (purge→decay), and\n    both can loop indefinitely to repeatedly attempt and win the narrow\n    race.\nPR:L -Any unprivileged local process can allocate/free memory and\n    induce reclaim; no capabilities or root are required to drive\n    either racing path.\nUI:N -The race is triggered entirely by the attacker\u0027s own memory\n    activity; no victim action is needed.\nS:U -The corruption stays within the kernel\u0027s own memory-management\n    structures and does not cross into another security authority (no\n    VM/IOMMU boundary escape).\nC:H -The data race corrupts the vmap pool linked list and free-area\n    tree metadata; per kernel guidance, allocator memory corruption can\n    be leveraged to read freed/adjacent kernel memory.\nI:H -Concurrent unserialized list_replace_init plus double-merge of\n    vmap_area objects into the global free tree corrupts kernel\n    free-list/tree state, a write/corruption primitive over allocator\n    metadata.\nA:H -Corrupted lists and inconsistent len accounting (and the\n    documented leaks) cause kernel crashes/oops and resource exhaustion\n    when the corrupted pool is subsequently traversed or reused.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "41ae74793fe2c9598de08f60a8482971659bca39",
      "tree": "8e74eebea35542104c0fc5f5037cc757e3add4dd",
      "parents": [
        "de6206ee99f4f1d6ea394f7774c9ed888eb20af8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:40:06 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46100: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The refcount leak is set up by a local mmap() syscall on a\n    file in a mounted AFS volume; although AFS is a network filesystem,\n    the vulnerable code path is reached via a local syscall, not via\n    remote packet processing.\nAC:L -A local user reliably forces the leaking path by mmap\u0027ing\n    adjacent compatible regions to cause a VMA merge after\n    .mmap_prepare; the merge and the subsequent fileserver-driven\n    open_mmaps traversal are repeatable and within the attacker\u0027s\n    control.\nPR:L -Exploitation requires only an unprivileged local account able\n    to open and mmap a readable file on the AFS mount; no elevated\n    capabilities are needed.\nUI:N -The attacker performs the mmap themselves; no action by\n    another user is required (the AFS mount is environmental setup, not\n    interaction).\nS:U -The corrupted vnode and the impacted callback-break code are\n    all within the kernel\u0027s own security authority; no boundary such as\n    VM/IOMMU is crossed.\nC:H -The leaked refcount leaves a freed afs_vnode linked on\n    open_mmaps, and a subsequent callback-break traversal yields a\n    use-after-free whose freed slab object can be controlled to enable\n    arbitrary kernel memory disclosure.\nI:H -The use-after-free on the afs_vnode (afs_inode_cachep) permits\n    heap spraying of attacker-controlled contents, providing a write\n    primitive and potential control-flow hijack.\nA:H -The dangling list entry causes kernel oops/panic on the next\n    callback-break traversal, and sustained triggering also leaks\n    vnodes, so availability is fully impacted.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "de6206ee99f4f1d6ea394f7774c9ed888eb20af8",
      "tree": "9f936313e1f5c9e773be91e5146496e61e722c7a",
      "parents": [
        "61d2a4ee1a83760bd8601264985c675da780d32b"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:37:43 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46099: Add CVSS 3.1 score (8.1 HIGH)\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The seg6/RPL lwtunnel input handlers run on the IPv6 packet\n    receive/forward path (lwtunnel_input → seg6_input/rpl_input); a\n    remote attacker sending IPv6 packets matching a configured\n    SRv6/RPL-encap route reaches the vulnerable code.\nAC:H -The UAF manifests only on PREEMPT_RT kernels built without\n    PREEMPT_RT_NEEDS_BH_LOCK (a rare, non-default configuration) and\n    additionally requires winning a tight race against a\n    higher-priority task\u0027s concurrent FIB lookup plus a sernum bump on\n    a shared nexthop — conditions outside the attacker\u0027s control.\nPR:N -The triggering packets require no privileges; the SRv6/RPL\n    route configuration is an environmental precondition (CAP_NET_ADMIN\n    to set up), not a privilege the network attacker must hold.\nUI:N -The bug is triggered purely by inbound packet processing in\n    softirq context; no victim interaction is needed.\nS:U -The use-after-free is confined to kernel route/dst objects\n    within the kernel\u0027s own security authority; no boundary (VM/IOMMU)\n    is crossed.\nC:H -The freed rt6_info/dst object is read back (rt6_get_cookie/dst\n    dereferences) and can be reallocated with attacker-influenced heap\n    content, enabling kernel memory disclosure.\nI:H -A use-after-free on a route object allows heap-spray\n    reallocation and write/control primitives via the dangling dst that\n    is subsequently used for routing decisions.\nA:H -dst_hold() on the dead object triggers a WARN and the\n    use-after-free of a freed route can cause an oops/panic, crashing\n    the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "61d2a4ee1a83760bd8601264985c675da780d32b",
      "tree": "492eb4b60f723c2a8c2916596a2f0584551a6402",
      "parents": [
        "8e2fdceae743f4d674ab7a993f2234a1cf7e893a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:36:10 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46102: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The strparser parses data received from a remote TCP peer\n    (espintcp ESP-in-TCP framing, sockmap framed protocols); the leak\n    is driven by a remote peer sending a partial length-prefixed frame\n    that never completes.\nAC:L -The attacker reliably sends an incomplete framed message and\n    simply lets the message-assembly timer expire; this trigger is\n    fully under the attacker\u0027s control.\nPR:N -The framing parse (length-prefix read) occurs at the stream\n    layer before any authentication of the payload, so a remote peer\n    needs no privileges on the target to send partial frames and\n    trigger the leak.\nUI:N -No victim interaction is required; the leak is triggered\n    solely by the attacker\u0027s network data and the timeout firing.\nS:U -The leaked skb is kernel memory within the same security\n    authority; no security boundary is crossed.\nC:N -The leaked partial-message skb is orphaned, not exposed to the\n    attacker; the bug discloses no information.\nI:N -Nothing is overwritten or modified; the parser is stopped and\n    the dangling pointer is never reused, so there is no integrity\n    impact.\nA:H -Each abort leaks a partial message (up to sk_rcvbuf) and the\n    commit notes it can be triggered repeatedly to exhaust memory,\n    leading to kernel-wide memory exhaustion / OOM denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8e2fdceae743f4d674ab7a993f2234a1cf7e893a",
      "tree": "914f1e732fdde8341d8c423db57ec251758afa09",
      "parents": [
        "e8fde33034836f99ad57c45780cd2b9f9d8a9e61"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:34:40 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46113: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -Exploitation requires executing code inside a guest VM that\n    takes shadow-paging page faults on the host CPU; there is no\n    network protocol involved, so the vulnerable host MMU code is\n    reached via local guest execution.\nAC:L -The guest deterministically controls its page-table contents\n    and vCPU scheduling to create the mis-GFN\u0027d rmap, and the commit\n    confirms the condition \"only happens in response to a guest write\";\n    the attacker can also drive the memslot-delete and rmap-walk\n    triggers (BAR reprogramming, balloon/MADV_DONTNEED), so no\n    condition lies beyond attacker control.\nPR:L -From the host\u0027s (vulnerable component\u0027s) perspective the\n    attacker only needs the low privilege of running a guest VM,\n    consistent with how guest-to-host KVM bugs are scored in this tree;\n    full host-root is not required.\nUI:N -The malicious guest triggers the UAF autonomously through its\n    own memory accesses and page-table edits with no action required\n    from any host operator.\nS:C -A guest-context attacker corrupts host-kernel memory, crossing\n    the VM/hypervisor security boundary into the host\u0027s authority\n    (VM-escape class), exactly as other KVM guest-to-host issues are\n    scored.\nC:H -The use-after-free leaves a stale rmap pointing at a freed\n    kvm_mmu_page whose contents the attacker can reclaim/spray,\n    yielding an arbitrary host-kernel read primitive.\nI:H -The stale rmap walk operates (drop_spte/write-protect/etc.) on\n    attacker-reclaimed freed memory, providing a\n    write/control-flow-hijack primitive in the host kernel — i.e. full\n    host integrity compromise.\nA:H -Dereferencing the freed kvm_mmu_page during dirty logging or\n    MMU-notifier invalidation reliably crashes/panics the host kernel,\n    taking down the hypervisor and all co-resident guests.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e8fde33034836f99ad57c45780cd2b9f9d8a9e61",
      "tree": "a70c9b1b67406ce3954b71ecd38a06218f8379f9",
      "parents": [
        "3617495e5f3f5f3704ba6a3cb739f7a3df031137"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:34:29 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46105: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is a SCSI/NVMe storage HBA driver with no\n    network exposure; the overflow is reached by issuing block I/O to\n    an NVMe device behind the controller, requiring local access to the\n    affected system.\nAC:L -On an affected configuration (an NVMe drive reporting MDTS \u003e\n    2 MiB behind the HBA), the uncapped max_hw_sectors lets a single \u003e2\n    MiB I/O reach the driver, so the attacker reliably overflows the\n    fixed 512-entry PRP buffer with no race or uncontrolled condition.\nPR:L -An ordinary unprivileged local user with read/write access to\n    a file or block device on the NVMe drive can issue a large O_DIRECT\n    request that the block layer submits as one oversized I/O; no root\n    or special capability is needed.\nUI:N -The attacker triggers the overflow directly by submitting\n    their own large I/O; no action by another user is required.\nS:U -The corruption is confined to kernel memory within the same\n    security authority; there is no VM/IOMMU/sandbox boundary crossing.\nC:H -The out-of-bounds write corrupts the contiguous DMA pool\n    holding PRP descriptors for other in-flight commands, and such\n    memory corruption of DMA address lists can be leveraged to\n    misdirect DMA and disclose memory contents.\nI:H -This is an out-of-bounds/heap write past the fixed PRP DMA\n    buffer, corrupting adjacent kernel DMA-pool memory with\n    attacker-influenced (page-address) data — classic memory-corruption\n    integrity impact.\nA:H -Overrunning the fixed PRP buffer corrupts kernel memory and\n    leads to a kernel oops/panic, as documented in the fix (\"may lead\n    to a kernel oops\").\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "3617495e5f3f5f3704ba6a3cb739f7a3df031137",
      "tree": "d4e4733d892625e0e71e7b0d6e72b0344d16180b",
      "parents": [
        "3c5f0d51aa1e8ae1ecc2df1791bdac9ad022d540"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:33:15 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46107: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is in the device-mapper thin-provisioning\n    metadata layer, reached only via local block I/O (discard/TRIM) to\n    a thin volume or local device-mapper ioctls — there is no\n    network-facing path.\nAC:L -The bug arises during ordinary snapshot+removal workflows; an\n    attacker controlling the operations (snapshots plus repeated\n    removals/discards) reliably produces a single-entry internal node\n    over a shared child, with no condition beyond their control.\nPR:L -Although pool/snapshot setup needs CAP_SYS_ADMIN, the\n    triggering removal is reachable through discard/TRIM I/O on a\n    snapshotted thin volume — e.g. an unprivileged user deleting files\n    on a discard-mounted fs or a delegated volume in a\n    multi-tenant/container deployment.\nUI:N -The attacker triggers the corruption directly through their\n    own discard/removal operations; no action by a separate victim is\n    required.\nS:U -The corruption stays within the kernel\u0027s storage subsystem and\n    the affected thin pool; it does not cross into a different security\n    authority such as a hypervisor or IOMMU boundary.\nC:H -The refcount underflow prematurely frees still-referenced\n    blocks that get reallocated, so reads through the surviving\n    snapshot reference can disclose whole reallocated blocks of\n    unrelated (potentially other tenants\u0027) data.\nI:H -Double-allocated blocks and corrupted btree/space-map metadata\n    allow modification of data belonging to other thin\n    volumes/snapshots and corruption of pool metadata structures.\nA:H -The underflow produces \"unable to decrement block\" errors that\n    abort the metadata transaction and force the pool read-only/fail,\n    and corrupted metadata can crash the kernel on subsequent\n    validation.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "3c5f0d51aa1e8ae1ecc2df1791bdac9ad022d540",
      "tree": "b0527257eb1fae2f17e7347af51bab433d3b50cc",
      "parents": [
        "fb170f5c9e460cee7058c7fccf2930368cd366e7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:30:32 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46111: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The UAF is reached only through a local ISO socket connect()\n    syscall (BTPROTO_ISO → iso_connect_bis → hci_connect_bis); BIG\n    broadcast setup is locally initiated and requires no Bluetooth peer\n    or over-the-air frame, so the attacker needs local system access.\nAC:L -This is a use-after-free where the attacker controls both\n    sides of the race — initiating the async create_big work via\n    connect() and freeing the conn (e.g., closing the socket) — and can\n    retry at will, so the condition is within attacker control.\nPR:L -Creating and connecting an ISO socket requires no capability\n    check (iso_sock_create/bt_sock_create perform none), so any\n    unprivileged local user can reach the path on systems where the\n    ISO/BIS feature is enabled.\nUI:N -The attacker performs all steps (open socket, connect, race a\n    teardown); no victim interaction is required.\nS:U -The use-after-free is contained within the kernel\u0027s own\n    memory/security authority and does not cross into another security\n    boundary such as a VM or IOMMU domain.\nC:H -A UAF of the hci_conn object gives the attacker control over\n    the freed object\u0027s contents, enabling kernel-memory disclosure\n    (e.g., leaking pointers/data placed in the reclaimed allocation).\nI:H -The freed hci_conn is dereferenced and written via\n    hci_connect_cfm() and hci_conn_del() (including list_del_rcu on\n    conn_hash), so heap grooming of the freed slab yields an\n    arbitrary-write/control-flow primitive.\nA:H -Dereferencing and deleting a freed hci_conn reliably causes\n    memory corruption leading to a kernel oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "fb170f5c9e460cee7058c7fccf2930368cd366e7",
      "tree": "69e5d0bfa6a0a1accf9d98d44fc452e1bec0c8b0",
      "parents": [
        "f837d68b4cd0cffa645779555902b4fb141be732"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:29:08 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46110: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The vulnerable code is the Ethernet MAC driver\u0027s network\n    receive (NAPI) path, driven entirely by incoming frames; stmmac is\n    widely used on internet-facing routers/gateways/embedded SoCs,\n    where a remote attacker flooding traffic drives the RX ring\n    exhaustion and memory pressure that trigger the crash.\nAC:L -The triggering condition (RX buffer allocation failure under\n    memory pressure plus sustained frame reception) is something the\n    attacker can materially induce by flooding a memory-constrained\n    device, so it is reliably reachable rather than a layout the\n    attacker cannot influence.\nPR:N -Triggering only requires sending/flooding network frames to\n    the interface; no authentication or local privilege is needed.\nUI:N -The crash occurs autonomously in the kernel RX path as frames\n    are received; no victim action is required.\nS:U -The fault is a NULL dereference within the kernel itself,\n    affecting only the kernel\u0027s own security authority with no\n    cross-boundary impact.\nC:N -The bug is a dereference of a NULL buffer pointer with no data\n    read back to the attacker, so there is no information disclosure.\nI:N -A NULL pointer dereference provides no memory-write or\n    data-modification primitive.\nA:H -Dereferencing the NULL buf-\u003epage causes a kernel oops/panic,\n    crashing the system and denying availability.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f837d68b4cd0cffa645779555902b4fb141be732",
      "tree": "66a479d058a4cdea5d2a762ac99437d636dec5d4",
      "parents": [
        "fdf4af4702e25c738fb3fdc5bb5ef4133851b478"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:28:19 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46123: Add CVSS 3.1 score (7.7 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The malicious value is the virtqueue used-buffer length\n    supplied by the local virtio backend (host VMM / device-emulation\n    process), reached over the virtio bus rather than the network stack\n    or physical contact; virtio_bt exists only as a paravirtualized\n    transport inside VM guests.\nAC:L -The backend fully and deterministically controls the reported\n    `len`; choosing a value above tailroom reliably panics the guest\n    and a value in (1000, tailroom] reliably exposes uninitialized\n    heap, with no uncontrolled conditions.\nPR:N -The attacking device backend authenticates nothing and holds\n    no privileges within the victim guest kernel, exactly as\n    malicious-peripheral (USB) device bugs are scored PR:N in this tree.\nUI:N -The backend autonomously posts a crafted RX completion as\n    soon as the device is opened; no guest-side user action is required.\nS:U -Both the vulnerable component and the impacted resources\n    (guest kernel heap disclosure and guest kernel panic) reside within\n    the guest kernel\u0027s security authority, so no scope boundary is\n    crossed by the impact.\nC:H -An oversized `len` causes ~700 bytes of uninitialized kernel\n    heap to be injected into the HCI receive path (observable via HCI\n    monitor/raw sockets); this is an unbounded info leak, well beyond a\n    few bytes.\nI:N -The bug only advances skb length/tail pointers and never\n    grants an out-of-bounds write, UAF, or other primitive to modify\n    kernel data beyond what a device can already do legitimately.\nA:H -A `len` exceeding skb tailroom drives `skb_put()` into\n    `skb_over_panic()` → `BUG()`, giving the backend a reliable,\n    repeatable guest kernel panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "fdf4af4702e25c738fb3fdc5bb5ef4133851b478",
      "tree": "cda0a0166a4a5ae285bd705c644c44b3003529d4",
      "parents": [
        "55ae58650630379ed0862b2bf77451dec59e8768"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:27:59 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46115: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -Reachable via remotely-initiated NVMe-oF\n    (nvmet-tcp/nvmet-rdma) I/O on a P2PDMA-backed namespace; remote\n    read/write commands drive the block-layer merge/SG-mapping path\n    (`biovec_phys_mergeable`) over P2P buffers on the target.\nAC:L -Adjacent chunks of multi-chunk P2P/zone-device memory are\n    physically contiguous, so the missing pgmap check makes the bad\n    coalesce occur deterministically once such memory backs the I/O;\n    repeated/large I/O reliably straddles a pgmap boundary.\nPR:N -NVMe-oF targets are commonly deployed without in-band\n    cryptographic authentication, so a connected (unauthenticated)\n    initiator can issue the I/O that reaches the vulnerable path.\nUI:N -Exploitation requires only that the attacker issue normal I/O\n    commands; no victim/administrator interaction is needed.\nS:U -The corruption stays within the kernel\u0027s own block/DMA\n    handling and adjacent device memory; it does not cross into a\n    separately-managed security authority such as a VM host.\nC:H -A misdirected DMA on a read maps the spillover pages to the\n    wrong pgmap\u0027s bus address, so data from unrelated device memory can\n    be returned to the attacker — an arbitrary-read/disclosure-class\n    primitive.\nI:H -A misdirected DMA on a write transfers data to the wrong\n    physical/device address, corrupting unrelated device or host memory\n    — an out-of-bounds write primitive.\nA:H -Wrong/invalid DMA bus addresses cause IOMMU faults, device\n    errors, and kernel oops/hangs, crashing the I/O path or the system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "55ae58650630379ed0862b2bf77451dec59e8768",
      "tree": "058b4d130354bb6491d18ead8aab8c26e625fa92",
      "parents": [
        "52fae9bb9ef07f7a0b85da1606407d300477ea64"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:27:03 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46114: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\nAV:N -The rxe (Soft RoCE) responder processes RoCE v2 packets\n    received over UDP/IP (port 4791) via rxe_udp_encap_recv(); a remote\n    initiator crafts the malformed zero-length ATOMIC_WRITE PDU, so the\n    vulnerable code is reachable across an L3-routable network.\nAC:L -A single protocol-valid-but-zero-length ATOMIC_WRITE packet\n    deterministically reaches the unchecked 8-byte dereference; there\n    is no race and no memory layout the attacker must win, making\n    triggering fully reliable.\nPR:N -The attacker is a remote RDMA peer with no operating-system\n    credentials on the target; completing the normal RC connection and\n    using an advertised rkey is analogous to a network handshake, not\n    OS privileges, so the worst-case network-facing RDMA service\n    requires no privileges.\nUI:N -The responder processes the incoming packet automatically as\n    part of normal QP servicing; no action by any local user or victim\n    is required.\nS:U -The disclosed kernel memory is written into a memory region\n    within the same kernel/RDMA security authority; no privilege or\n    trust boundary (VM, IOMMU, sandbox) is crossed.\nC:H -Each probe leaks 4 bytes of adjacent kernel slab (skb head\n    tailroom) into the attacker\u0027s MR, and the probe is repeatable\n    indefinitely, streaming out kernel strings and partial direct-map\n    pointer words — a serious, KASLR-defeating kernel memory\n    disclosure, not a single strictly bounded read.\nI:N -The 8-byte write targets the attacker\u0027s own MR within a range\n    validated by mr_check_range(); no kernel structure or out-of-bounds\n    region is modified, so there is no integrity impact on the target.\nA:N -The 8-byte over-read stays within the allocated skb head\n    buffer (tailroom) and the write stays within the validated MR, so\n    the operation completes cleanly with no oops, panic, or hang — the\n    author reproduced it as a clean leak, not a crash.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "52fae9bb9ef07f7a0b85da1606407d300477ea64",
      "tree": "edf50cdb14e7550615cc1689f3a8f71fa0f6fb25",
      "parents": [
        "c8376a04f6ca2b28c37ee1757a516acd6dc5d0a7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:26:51 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46112: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is reached through the local RDMA uverbs character\n    device (ibv_create_qp), a control-plane operation; it cannot be\n    triggered by a remote peer sending RDMA packets.\nAC:L -The attacker can reliably force the error-unwind path (e.g.,\n    a faulting ib_copy_to_udata output buffer) and controls both sides\n    of the race by running concurrent QP create/destroy and CQ-poll\n    operations on the same device/CQs.\nPR:L -Creating a QP requires access to the RDMA verbs device but no\n    CAP/root; an unprivileged local user with RDMA access (common in\n    HPC/cloud/container deployments) can reach the code.\nUI:N -The attacker triggers QP creation and the error path directly\n    with no action required from any other user.\nS:U -Corruption stays within the kernel\u0027s own memory/security\n    authority; no crossing of a VM, IOMMU, or sandbox boundary.\nC:H -Unlocked list_del causes linked-list corruption that can be\n    leveraged into use-after-free and arbitrary kernel-memory\n    disclosure; per guidance memory corruption exploitable for info\n    leak is High.\nI:H -Racing list_del/list_add writes attacker-influenced pointer\n    values into neighbor nodes, a memory-corruption write primitive\n    that can be escalated to control-flow hijack; High.\nA:H -List corruption and the resulting use-after-free reliably\n    oops/panic the kernel, a full denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c8376a04f6ca2b28c37ee1757a516acd6dc5d0a7",
      "tree": "dd02ed5220d6cc0613f0d69af2553629074ddda5",
      "parents": [
        "440d9d39fa46d2bfcbb3b6fa2e965316a17e5ae2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:25:06 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46116: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The xfrm_state lifecycle is reached through the NETLINK_XFRM\n    and PF_KEY socket interfaces (local syscalls); the freed object and\n    the race are set up by the attacker\u0027s local state-management\n    operations, not by remote packets.\nAC:L -Although it is a race/double-free, the attacker controls all\n    racing actors (concurrent DELSA/ALLOCSPI/FLUSHSA threads plus\n    namespace teardown they trigger) and can repeat indefinitely;\n    syzkaller hit it ~100 times per hour, so a targeted trigger is\n    reliable.\nPR:L -All xfrm operations require CAP_NET_ADMIN, but the check is\n    against the netns user namespace, so an unprivileged user obtains\n    it via `unshare -Urn` and exercises the per-netns xfrm_state path.\nUI:N -The attacker performs all state creation, deletion and\n    namespace teardown itself; no victim action is required.\nS:U -The corruption is confined to the kernel\u0027s own slab memory\n    within the same security authority; it is not a hypervisor or IOMMU\n    boundary crossing.\nC:H -The slab-use-after-free gives the attacker control over freed\n    xfrm_state contents and read-UAF sites\n    (xfrm_alloc_spi/__xfrm_state_lookup), enabling arbitrary kernel\n    memory disclosure.\nI:H -The UAF/OOB writes an attacker-influenced 8-byte list pointer\n    into freed/adjacent slab memory, providing a heap write primitive\n    leveragable for arbitrary write and control-flow hijack.\nA:H -The slab-use-after-free and out-of-bounds writes corrupt\n    kernel hash chains, reliably causing oops/panic and bringing the\n    kernel down.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "440d9d39fa46d2bfcbb3b6fa2e965316a17e5ae2",
      "tree": "5c0c3f6c4bdbe8f001074e28ff82a812a301af6d",
      "parents": [
        "4db65af74329b4fcbb5dca874dd14fed1025e072"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:23:55 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46117: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The bug is reached through the RDMA userspace verbs interface\n    (/dev/infiniband/uverbs\u003cN\u003e) by issuing a create-QP command locally;\n    it is not exposed to network peers.\nAC:L -The condition is created entirely by the attacker (building\n    an RWQ indirection table whose WQs share one CQ) and is\n    deterministically triggered on the second loop iteration; there is\n    no race or uncontrolled state.\nPR:L -Triggering only requires an unprivileged local process with\n    access to the RDMA verbs device — the normal configuration on\n    RDMA-enabled hosts — and no CAP_* check exists on the create-QP\n    path.\nUI:N -The attacker performs all steps via its own verbs calls; no\n    action by another user is required.\nS:U -The corruption stays within the kernel\u0027s own memory/security\n    authority and does not cross a VM/IOMMU/sandbox boundary.\nC:H -The overwrite leaks/dangles objects in cq_table[], and a\n    use-after-free on these IRQ-dispatched structures can be leveraged\n    to read kernel memory contents.\nI:H -The driver \"goes on to corrupt the kernel,\" leaving dangling\n    function-pointer/context entries in a table called from interrupt\n    context, providing a write/control-flow corruption primitive.\nA:H -The user-triggerable WARN_ON panics the system when\n    panic_on_warn is set, and the subsequent kernel state corruption\n    causes oopses/crashes regardless.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "4db65af74329b4fcbb5dca874dd14fed1025e072",
      "tree": "035e339e1a23a275c311e5712e0a7db7c7cd3ec0",
      "parents": [
        "a4ad7762378ca83f038529d73968db84110718dc"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:23:02 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46120: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached only via local netlink\n    operations (RTM_NEWLINK changelink, IFLA_NET_NS_FD device\n    migration, and netns teardown), not from any remote packet path;\n    this is a local attack surface.\nAC:L -The attacker deterministically performs every step (create\n    erspan tunnel, migrate it to another netns, issue changelink,\n    destroy the original netns) with no race or memory-layout condition\n    outside their control.\nPR:L -The path nominally needs CAP_NET_ADMIN, but the fix commit\n    explicitly states it is reachable from an unprivileged user\n    namespace via `unshare --user --map-root-user --net`, so only a\n    basic local user is required.\nUI:N -The entire sequence is driven by the attacker\u0027s own process;\n    no action by any other user is needed.\nS:U -The use-after-free and resulting crash are confined to the\n    kernel\u0027s own structures within the same security authority; no\n    boundary such as VM/IOMMU is crossed.\nC:H -The stale hash entry yields a slab-use-after-free on the\n    ip6_tnl/net_device object; reallocating the freed slab with\n    attacker-controlled data enables reading kernel memory contents,\n    treated as High.\nI:H -The use-after-free permits heap grooming and writes through\n    the dangling pointer (e.g., the rcu list manipulation in\n    unregister), providing an arbitrary-write/control-flow primitive,\n    scored High.\nA:H -Exploitation reliably produces a KASAN slab-use-after-free\n    followed by a kernel BUG (LIST_POISON1) in\n    unregister_netdevice_many_notify(), crashing the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a4ad7762378ca83f038529d73968db84110718dc",
      "tree": "b5f0c954e087cdeba1fa5d9d077dfc070f80c2d0",
      "parents": [
        "62b88adeb239f0ac4373fec590139e87a5b30803"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:22:10 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:42 2026 -0400"
      },
      "message": "CVE-2026-46119: Add CVSS 3.1 score (9.1 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n\nAV:N -The bug is in libceph\u0027s in-kernel Ceph client (CephFS/RBD),\n    triggered by processing a CEPH_MSG_AUTH_REPLY received over TCP\n    from a Ceph monitor; a malicious monitor or network MITM supplies\n    the malicious data, making it remotely exploitable.\nAC:L -The attacker fully controls the s32 `result` field in the\n    reply and can reliably set it above 4096; no race or specific\n    uncontrollable memory layout is required to trigger the\n    out-of-bounds read.\nPR:N -The vulnerable code runs during the msgr1 auth handshake,\n    before the peer is authenticated and over an unencrypted channel,\n    so a malicious/MITM monitor needs no credentials on the victim\n    system.\nUI:N -Once a Ceph mount/RBD map exists, the client connects and\n    re-authenticates to monitors automatically (including on connection\n    faults), so no per-exploit victim action is required.\nS:U -The out-of-bounds read and resulting crash occur entirely\n    within the kernel\u0027s own security authority with no crossing of a\n    security boundary.\nC:H -Kernel heap memory beyond the 4096-byte front buffer (up to\n    ~2GB) is read and transmitted over the network to the attacker, an\n    unbounded information disclosure that can leak pointers, keys, and\n    other message data.\nI:N -The attacker-controlled value only sets a length field used to\n    read and send data; no kernel memory is written or corrupted and\n    there is no control-flow hijack primitive.\nA:H -Setting `result` to a large positive value makes the send path\n    read past mapped memory, causing a kernel oops/crash.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "62b88adeb239f0ac4373fec590139e87a5b30803",
      "tree": "f8e255bdcf77cccea909f72a00f03816bae20db6",
      "parents": [
        "5f1edc07e7b6c8d51cd1b568dbcffa224c3c2b95"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:20:54 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46124: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\nAV:N -The vulnerable code is reached when nfsd decodes an\n    attacker-supplied NFS file handle (exportfs_decode_fh →\n    isofs_fh_to_dentry), so a remote NFS client triggers it over the\n    network (TCP/UDP 2049).\nAC:L -The attacker fully controls the block field in the file\n    handle and the read is deterministic; no race or uncontrollable\n    memory layout is involved.\nPR:N -The decode runs before per-user permission checks, and the\n    realistic deployment (a read-only ISO exported to a subnet via\n    default AUTH_SYS) lets any permitted network peer craft handles\n    without credentials.\nUI:N -The NFS server processes the crafted request automatically;\n    no victim action is required at attack time beyond the pre-existing\n    export.\nS:U -The impact stays within the kernel filesystem/NFS security\n    authority; no cross-authority boundary (VM, IOMMU, sandbox) is\n    crossed.\nC:H -An out-of-bounds (cross-partition) read of arbitrary in-range\n    blocks on the backing device is disclosed to the NFS client as\n    inode metadata, and is not bounded to a few bytes since the\n    attacker can probe blocks across the device.\nI:N -isofs is mounted strictly read-only and the commit confirms no\n    memory-safety violation, so the attacker cannot modify any data or\n    kernel memory.\nA:N -Out-of-range reads return NULL cleanly via the EIO path and\n    in-range parsing is bounded; the commit and maintainer explicitly\n    confirm no crash, hang, or memory-safety fault.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "5f1edc07e7b6c8d51cd1b568dbcffa224c3c2b95",
      "tree": "47e094b9f6e5ff8364a8379bc4e13844693c4fad",
      "parents": [
        "43768b9f219e7d1bf746329aa3d86e543c5ca6d6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:19:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46125: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:A -The bug is in mac80211 station-side MLME, triggered by a\n    malicious/rogue AP that the station attempts an MLO association\n    with; WiFi requires the attacker to be within radio range (same\n    wireless segment).\nAC:L -A rogue AP can reliably let authentication create the station\n    and then craft association/channel parameters that fail connection\n    prep on the MLO path, repeatably; the required\n    CONFIG_MAC80211_DEBUGFS is commonly enabled.\nPR:N -802.11 authentication/association management frames are\n    processed before any credential proof (4-way handshake/SAE), so a\n    rogue AP reaches this path without holding any credentials on the\n    victim.\nUI:N -Stations auto-reconnect to saved networks, so an attacker\n    spoofing a known SSID drives the connection (and the failing MLO\n    assoc) with no user action.\nS:U -The corruption stays within the kernel\u0027s own memory/security\n    authority with no boundary crossing such as VM or IOMMU escape.\nC:H -A use-after-free over the freed station/link-debugfs objects\n    can be leveraged for attacker-controlled reads of kernel memory.\nI:H -The use-after-free/double-free enables heap grooming and write\n    primitives that can corrupt adjacent kernel state and hijack\n    control flow.\nA:H -The use-after-free/double-free reliably causes kernel\n    oops/panic, a full denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "43768b9f219e7d1bf746329aa3d86e543c5ca6d6",
      "tree": "a8bf67e101c43e2bb047e76fac0e603d6e5c76bd",
      "parents": [
        "73a49db5094ae06ba5a4b475fedede3b3675ccae"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:16:56 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46129: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reachable only during a btrfs mount\n    (btrfs_fill_super → open_ctree → btrfs_init_space_info →\n    create_space_info); it requires presenting a device/image and\n    initiating a mount locally, with no network path.\nAC:L -The failure point is kobject_init_and_add() returning an\n    allocation error; per guidance memory pressure is\n    attacker-influenceable, and an attacker can repeatedly retry mounts\n    under induced pressure to hit it.\nPR:L -On typical desktops/kiosks an unprivileged user can mount\n    attacker-supplied removable media or loop images via\n    udisks2/autofs, so no real root in the init namespace is strictly\n    required to initiate the triggering mount.\nUI:N -The attacker performs the mount of their own crafted image\n    themselves, so no separate victim action is required.\nS:U -The double free corrupts kernel heap state within the kernel\u0027s\n    own security authority with no crossing into another security\n    domain (no VM/IOMMU boundary).\nC:H -A double free is memory corruption that can be leveraged via\n    reallocation of the freed slot into an attacker-controlled object,\n    enabling kernel memory disclosure.\nI:H -Double-free corruption of the heap allocator can be groomed\n    into a write primitive / control-flow hijack, so integrity impact\n    is High.\nA:H -A double free reliably corrupts allocator metadata and causes\n    kernel oops/panic, yielding a High availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "73a49db5094ae06ba5a4b475fedede3b3675ccae",
      "tree": "2a0822369fef15b2f72524fd077fedc62dba2664",
      "parents": [
        "4f773faa179b84eaa5a5a1f659fa8eb03b04a5d2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:13:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46137: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The vulnerable timer is part of the MPTCP network stack\n    (net/mptcp); it is kept firing by a remote peer withholding\n    ADD_ADDR echoes, and the racing conn_list modifications are driven\n    by remote MP_JOIN/RST traffic, so an unauthenticated remote peer\n    can reach and trigger it over the network.\nAC:L -The remote attacker controls both sides of the race — it\n    drives the ADD_ADDR retransmit timer (by not echoing) and the\n    concurrent subflow add/remove (MP_JOIN and RST), and can repeat\n    this across many subflows/connections to reliably hit the unlocked\n    conn_list iteration.\nPR:N -Exploitation only requires being a remote MPTCP peer of a\n    server that advertises addresses; no credentials or privileges on\n    the target are needed.\nUI:N -No action by any local user is required; the attacker drives\n    the entire condition via network protocol behavior.\nS:U -The corruption stays within the kernel\u0027s own security\n    authority; no crossing of a VM/sandbox/IOMMU boundary.\nC:H -The softirq timer iterates conn_list and reads subflow/ssk\n    fields concurrently with subflow free, a use-after-free read of\n    freed (potentially reallocated) memory, which per kernel scoring\n    gives high confidentiality impact.\nI:H -Racing list_for_each_entry against list_del plus subflow free\n    is a use-after-free/list-corruption condition; once the freed\n    object is reallocated it can be leveraged for memory-integrity\n    compromise, scored high for UAF-class races.\nA:H -The list-traversal-vs-deletion race can follow\n    poisoned/dangling list pointers or dereference a freed subflow,\n    causing a kernel oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "4f773faa179b84eaa5a5a1f659fa8eb03b04a5d2",
      "tree": "1c13da41bd847931acb8c21d85577bfeca244546",
      "parents": [
        "67888e43601c60b61bc81c298bbf1fe61539aefd"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:13:05 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46133: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The vulnerable code processes RoCEv2 packets encapsulated in\n    routable UDP/IP (port 4791); a remote attacker sends a single\n    crafted UDP packet to the host running a Soft RoCE device, with no\n    L2 adjacency required.\nAC:L -A single 48-byte packet with opcode 0xff and\n    QPN\u003dIB_MULTICAST_QPN deterministically triggers the underflowed\n    length and OOB read; there is no race and no attacker-uncontrolled\n    memory-layout dependency.\nPR:N -The OOB read occurs during ICRC validation before any QP\n    lookup, connection, or credential check; the commit confirms it\n    requires \"no QP, no connection, and no authentication.\"\nUI:N -Exploitation requires only that the attacker send a packet;\n    no victim action is needed.\nS:U -The out-of-bounds read and resulting crash occur within the\n    kernel\u0027s own security authority; no boundary (VM/IOMMU/sandbox) is\n    crossed.\nC:N -The out-of-bounds bytes are fed into an internal CRC32\n    comparison and are never returned to or observable by the attacker,\n    so no information is disclosed.\nI:N -The vulnerability is a read-only out-of-bounds access; no\n    kernel memory is modified.\nA:H -The underflowed length drives crc32 across far out-of-bounds\n    memory; subsequent packets fault on unmapped pages and panic the\n    kernel, a reliable remote denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "67888e43601c60b61bc81c298bbf1fe61539aefd",
      "tree": "3f96e54b19a96ded0800eebcceda9818629d67d8",
      "parents": [
        "08e7ac6c47f368f51e22a33f1e7cfbe65696f0f6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:12:14 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46135: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The bug is in the NVMe-over-TCP target driver, which\n    processes PDUs from remote network peers on a listening TCP port\n    (default 4420); the race is triggered by sending an ICReq and\n    closing the connection — purely remote network operations.\nAC:L -The attacker controls both sides of the race (sends the\n    ICReq, then immediately closes the connection) and can open\n    unlimited connections to reliably win the timing window between\n    softirq teardown and io_work processing, so success does not depend\n    on conditions beyond the attacker\u0027s control.\nPR:N -The ICReq is the first PDU of the NVMe/TCP connection\n    handshake and is handled entirely pre-authentication; an\n    unauthenticated remote attacker need only connect and send an\n    ICReq, with no credentials required in the default non-TLS\n    configuration.\nUI:N -The attacker initiates the connection and triggers the race\n    entirely on their own; no action from any local user or victim is\n    required.\nS:U -The corruption is confined to the kernel\u0027s own memory and\n    security authority; there is no crossing of a VM, IOMMU, or sandbox\n    boundary.\nC:H -The double kref_put produces a use-after-free of the queue\n    object, and per kernel UAF guidance this gives the attacker control\n    over freed object contents, enabling arbitrary kernel memory\n    disclosure.\nI:H -The use-after-free / double-free enables heap spraying to\n    reclaim the freed allocation, providing a write primitive and\n    potential control-flow hijack, so integrity impact is high.\nA:H -The refcount underflow and resulting use-after-free reliably\n    cause kernel oops/panic, taking down the target system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "08e7ac6c47f368f51e22a33f1e7cfbe65696f0f6",
      "tree": "0b25865397b1f9cc1994901082325af96b6b1906",
      "parents": [
        "f1056c5ca762e404bd65c741b90516e40238e0d7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:09:53 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46138: Add CVSS 3.1 score (8.1 HIGH)\n\nCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\n\nAV:A -The vulnerable handler is in the Bluetooth ISO/BIS stack; per\n    kernel CNA convention Bluetooth subsystem bugs are reachable by an\n    attacker within Bluetooth radio range, i.e. the adjacent vector.\nAC:L -An event with num_bis\u003d0 (or fewer bis_handle entries than\n    bound connections) deterministically triggers the OOB read and the\n    infinite loop; the OOB heap values reliably exceed\n    HCI_CONN_HANDLE_MAX, so no uncontrolled condition is required.\nPR:N -Exploitation requires no privileges or credentials on the\n    target host; the malformed BIG-complete event is processed without\n    any authentication gate.\nUI:N -No victim interaction is needed at exploit time — the device\n    merely has to be operating as a BIS broadcaster, which is a\n    configuration state, not a per-attack user action.\nS:U -The OOB read and the hang are confined to the kernel\u0027s own\n    security authority; no boundary such as a VM/hypervisor or IOMMU is\n    crossed.\nC:H -The loop reads the bis_handle[] flex array out of bounds into\n    adjacent heap memory (up to ~512 bytes), well beyond a few bounded\n    bytes, which under kernel guidance is scored High.\nI:N -The bug path performs only an out-of-bounds read and a\n    spinning lookup; there is no out-of-bounds write or memory\n    corruption that modifies kernel state.\nA:H -The OOB values keep the connection in BT_BOUND, producing an\n    infinite loop while hci_dev_lock is held, which hangs the HCI\n    device and causes a denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f1056c5ca762e404bd65c741b90516e40238e0d7",
      "tree": "536c37be6ff3b25858b845c4b0a9bbce321a384f",
      "parents": [
        "67fc20ef63cd081f9a51d3cbd97f3ee50a902620"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:09:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46145: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable code is reached only by issuing RDMA verbs to\n    the local /dev/infiniband/uverbs* character device;\n    `rx_hash_key_len` arrives via `ib_copy_from_udata` from a local\n    process, with no remote network path.\nAC:L -The attacker directly controls `rx_hash_key_len` in the uAPI\n    struct and can set it arbitrarily large to trigger the overflow on\n    every call; there is no race or condition outside the attacker\u0027s\n    control.\nPR:L -Reaching the raw-packet QP path requires CAP_NET_RAW, but\n    that is a narrow, non-root capability (not the \"real root/admin\"\n    bar for High) and is routinely granted to unprivileged\n    networking/RDMA applications such as DPDK workloads.\nUI:N -The overflow is triggered entirely by the attacker\u0027s own\n    QP-creation request; no action by any other user is required.\nS:U -The corruption is of the kernel\u0027s own heap allocation within\n    the same kernel security authority; no crossing into a separate\n    scope (VM/IOMMU) occurs.\nC:H -The memcpy over-reads the 40-byte stack source by an unbounded\n    amount and the heap overflow can be leveraged to disclose adjacent\n    kernel memory, so confidentiality impact is High.\nI:H -An attacker-controlled-length memcpy writes past a 40-byte\n    heap field, giving a heap out-of-bounds write that corrupts\n    adjacent kernel objects and is exploitable toward arbitrary\n    write/control-flow hijack.\nA:H -A large `rx_hash_key_len` corrupts the kernel heap and/or\n    faults reading unmapped stack/heap pages, reliably causing a kernel\n    panic/oops.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "67fc20ef63cd081f9a51d3cbd97f3ee50a902620",
      "tree": "fa29d7546de8e5c742c38d72014de6a94bcc96ad",
      "parents": [
        "71d0022b37e77a7f677a6d6d5072711e22bc1cdc"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:04:52 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46150: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\nAV:L -The vulnerable code runs in the context of a local file\n    operation (open/read/exec) that triggers the fanotify permission\n    event; the attacker bypasses the control by performing local file\n    ops plus churning a local inotify watch. The fully-controllable,\n    reliable attack is local (a remote file-server scenario would lose\n    attacker control of the race).\nAC:L -The attacker controls both sides of the race — the lifecycle\n    of the unrelated (unprivileged inotify) mark and the retried file\n    operation — and each open() is a fresh permission event, so with\n    unlimited retries the bypass is reliably reachable.\nPR:L -Exploitation only needs an unprivileged local account:\n    creating an inotify watch on the parent directory and\n    opening/executing the target file require no capabilities (the\n    privileged CAP_SYS_ADMIN fanotify group is the victim control, not\n    the attacker).\nUI:N -The attacker performs all actions (inotify churn plus\n    repeated file access) with no interaction from any other user.\nS:U -The flaw and its impact are both mediated entirely within the\n    kernel\u0027s own access-control path; no boundary to a\n    separately-managed security authority (VM, IOMMU) is crossed.\nC:H -Bypassing FAN_ACCESS_PERM/FAN_OPEN_PERM lets read access to\n    files the policy (AV/sandbox/EDR) would deny proceed; via targeted\n    retries the attacker can force disclosure of chosen protected\n    files, approaching total loss of confidentiality of protected\n    resources.\nI:H -Bypassing FAN_OPEN_PERM/FAN_OPEN_EXEC_PERM lets writes to\n    protected files and execution of binaries the policy would block\n    proceed, allowing modification of protected resources and execution\n    of disallowed code.\nA:N -The bug is fail-open (it only allows operations that should be\n    blocked); it causes no crash, hang, or resource exhaustion, so\n    availability is unaffected.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "71d0022b37e77a7f677a6d6d5072711e22bc1cdc",
      "tree": "e3377d3cab25a18ddcbf31298cb0af59bb400fc6",
      "parents": [
        "aa0f2a9d6da239123732dbff54d0702b219e5d9d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:03:57 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46149: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -The vulnerability is triggered by reading a configfs/sysfs\n    attribute file (target/.../alua/tg_pt_gps/\u003cgrp\u003e/members); there is\n    no network-reachable path and the formatted IQN comes from local\n    admin config, so it requires local system access.\nAC:L -Given a target configured with a sufficiently long iSCSI IQN\n    (the vulnerable configuration), simply reading the file\n    deterministically triggers the out-of-bounds read/fortify_panic\n    with no race or memory-layout dependency.\nPR:L -The members attribute is CONFIGFS_ATTR_RO (mode 0444,\n    world-readable) with no capability check in the show path, so any\n    unprivileged local user who can read the globally-mounted configfs\n    file triggers it.\nUI:N -Exploitation is a single read() of the file with no\n    victim/user interaction required.\nS:U -The impact (stack info leak / panic) stays within the kernel\u0027s\n    own security authority with no crossing of a trust boundary such as\n    a VM or IOMMU.\nC:H -The memcpy reads past the 256-byte stack buffer and copies\n    adjacent kernel stack contents (potential pointers/canary) into the\n    userspace-readable sysfs page, an out-of-bounds read disclosing\n    kernel memory.\nI:N -The destination page write is bounded by the PAGE_SIZE check,\n    so no kernel memory is modified; the bug is a read-only overflow\n    providing no write primitive.\nA:H -With CONFIG_FORTIFY_SOURCE enabled, the over-read memcpy\n    triggers fortify_panic(), causing a kernel panic (denial of\n    service).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "aa0f2a9d6da239123732dbff54d0702b219e5d9d",
      "tree": "b498333883f734d2dcb030de357503a2c5e74ecc",
      "parents": [
        "626f65e779bb5dd0035f80bb2bb798f11657c4c7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu May 28 22:01:17 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri May 29 07:24:41 2026 -0400"
      },
      "message": "CVE-2026-46154: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerable setters are reached only by writing cgroup CPU\n    control files (cpu.weight/idle/max) via the local\n    filesystem/syscall interface; there is no network-reachable path.\nAC:H -The UAF requires a full scheduler disable→RCU-free→enable\n    cycle to land within the window after the naked scx_root load; the\n    unprivileged attacker reliably controls only the cgroup-write side,\n    not the privileged scheduler-swap timing, so success cannot be\n    achieved at will.\nPR:L -cpu.weight/cpu.idle/cpu.max are delegatable in cgroup v2, so\n    an unprivileged user in a delegated subtree (common in\n    container/systemd setups) can repeatedly invoke the setters that\n    perform the stale dereference.\nUI:N -Triggering the setter requires only programmatic writes to\n    cgroup files; no victim interaction is involved.\nS:U -The freed object and the corrupted control flow are both\n    within the kernel\u0027s own security authority; no VM/IOMMU/sandbox\n    boundary is crossed.\nC:H -The UAF reads the freed scx_sched (has_op bitmap and ops\n    pointers); a reallocated, attacker-shaped object enables disclosure\n    of freed/controlled kernel memory.\nI:H -The bug culminates in an indirect call through\n    sch-\u003eops.cgroup_*() on freed memory; heap-spraying the freed\n    scx_sched yields a control-flow-hijack/arbitrary-write primitive.\nA:H -Dereferencing and calling through a freed scx_sched reliably\n    causes an oops/panic, taking down the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    }
  ],
  "next": "626f65e779bb5dd0035f80bb2bb798f11657c4c7"
}
