{
  "log": [
    {
      "commit": "78b7d42f88fa557e49865e8fc18c3190c40f6604",
      "tree": "295286f1b8ded9dae2af7cdb2137e8ba1c2c40a0",
      "parents": [
        "5e9a6cc90d429538625eaa350742d5be71129635"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 10 10:04:29 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 10 10:04:29 2026 -0400"
      },
      "message": "CVE-2026-31410: Add .vulnerable file\n\nThe root cause of CVE-2026-31410 is commit\ne2f34481b24db2fd634b5edb0a5bd0e4d38cc6e9\n(\"cifsd: add server-side procedures for SMB3\"), authored by Namjae Jeon\non March 16, 2021, and committed by Steve French on May 10, 2021.\n\nThis is the initial commit that introduced the entire ksmbd (then called\n\"cifsd\") SMB3 server implementation into the kernel. The\nFS_OBJECT_ID_INFORMATION case handler in smb2_get_info_filesystem() was\nwritten with the user_passkey leak from its very inception in\nfs/cifsd/smb2pdu.c.\n\nWhen an SMB client queries FS_OBJECT_ID_INFORMATION (a filesystem-level\nquery that should return a unique identifier for the volume), the ksmbd\nserver was instead returning the user\u0027s authentication passkey — the\nNTLM password hash — as the filesystem object ID.\n\nThe vulnerable code in smb2_get_info_filesystem() was:\n\n    case FS_OBJECT_ID_INFORMATION:\n        if (!user_guest(sess-\u003euser))\n            memcpy(info-\u003eobjid, user_passkey(sess-\u003euser), 16);\n        else\n            memset(info-\u003eobjid, 0, 16);\n\nuser_passkey() (defined in fs/smb/server/mgmt/user_config.h:44) returns\nuser-\u003epasskey, which is the user\u0027s password hash (resp-\u003ehash) allocated\nduring login in ksmbd_alloc_user() (fs/smb/server/mgmt/user_config.c:\n47-50). This is the raw NTLM authentication credential used in\nhmac_md5_init_usingrawkey() for session authentication\n(fs/smb/server/auth.c:83).\n\nThis means any authenticated SMB client could retrieve any other user\u0027s\nNTLM password hash by simply issuing a standard\nFS_OBJECT_ID_INFORMATION query. The 16-byte password hash was sent\ndirectly over the wire in a standard SMB2 QUERY_INFO response, appearing\nas a benign filesystem object ID.\n\nNo subsequent commit ever modified the FS_OBJECT_ID_INFORMATION\nhandling logic between its introduction in e2f34481b24db and the fix in\n3a64125730ca. 
The code was only moved between directories:\n\n1. fs/cifsd/smb2pdu.c (original, e2f34481b24db)\n2. fs/ksmbd/smb2pdu.c (moved by 1a93084b9a898, \"ksmbd: move fs/cifsd to\n   fs/ksmbd\")\n3. fs/smb/server/smb2pdu.c (moved by 38c8a9a520825/29429a1f5871d, \"smb:\n   move client and server files to common directory fs/smb\")\n\nThe vulnerable memcpy(info-\u003eobjid, user_passkey(sess-\u003euser), 16) line\nremained completely unchanged through all these renames — it was never\ntouched until the fix.\n\nThe original developer appears to have used the user passkey as a\nconvenient 16-byte unique identifier per session, perhaps not fully\nconsidering that the FS_OBJECT_ID_INFORMATION response is sent in\ncleartext back to the client over the SMB protocol. Per the SMB2\nspecification, the ObjectId in FILE_OBJECTID_BUFFER is supposed to be a\nvolume-specific identifier, not a user credential. This was a design\nmistake from day one — the user\u0027s NTLM password hash was directly\nexposed to any authenticated client that issued this standard filesystem\nquery.\n\nThe fix commit 3a64125730cabc34fccfbc230c2667c2e14f7308 (\"ksmbd: use\nvolume UUID in FS_OBJECT_ID_INFORMATION\") replaces the passkey-based\nobject ID with the actual volume UUID:\n\n    case FS_OBJECT_ID_INFORMATION:\n        if (path.mnt-\u003emnt_sb-\u003es_uuid_len \u003d\u003d 16)\n            memcpy(info-\u003eobjid, path.mnt-\u003emnt_sb-\u003es_uuid.b,\n                   path.mnt-\u003emnt_sb-\u003es_uuid_len);\n        else\n            memcpy(info-\u003eobjid, \u0026stfs.f_fsid, sizeof(stfs.f_fsid));\n\nThis uses the filesystem\u0027s superblock UUID (sb-\u003es_uuid) as the primary\nidentifier — which is what a volume object ID is supposed to be. For\nfilesystems that don\u0027t provide a UUID, it falls back to stfs.f_fsid from\nvfs_statfs(). The sess variable is also removed from the function since\nit is no longer needed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "5e9a6cc90d429538625eaa350742d5be71129635",
      "tree": "6cbbe8b6309270cc83206c3311af68bf3b72186e",
      "parents": [
        "cc5333d79a7d01e3e4469e70df84983b170f2c5a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 10 09:56:15 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 10 09:56:15 2026 -0400"
      },
      "message": "CVE-2026-31409: Add .vulnerable file\n\nThe root cause of CVE-2026-31409 is commit\nf5a544e3bab78142207e0242d22442db85ba1eff\n(\"ksmbd: add support for SMB3 multichannel\"), authored by Namjae Jeon\non June 18, 2021.\n\nThis commit introduced the conn-\u003ebinding field and the entire\nmultichannel binding logic to ksmbd. A key part of multichannel is\nsession binding — allowing a second\nTCP connection to bind to an existing session on a different connection.\n\nThe commit:\n\n1. Added \"bool binding\" to struct ksmbd_conn (connection.h), a\n   per-connection flag indicating the connection is currently in the\n   process of binding to an existing session.\n\n2. Added a new branch in smb2_sess_setup() (smb2pdu.c) that handles\nSMB2_SESSION_REQ_FLAG_BINDING requests. When a binding request arrives,\nthe code looks up the target session in the global table via\nksmbd_session_lookup_slowpath(sess_id), validates dialect, signing,\nClientGUID, and session state, and if all checks pass, sets\nconn-\u003ebinding \u003d true, then falls through to the authentication logic\n(preauth hash generation, KRB5 or NTLM authentication).\n\n3. Added ksmbd_session_lookup_all() (user_session.c), which first looks\n   up a session in the connection\u0027s local session table, and if not\n   found and conn-\u003ebinding is true, falls back to the global session\n   table via ksmbd_session_lookup_slowpath().\n\nAfter conn-\u003ebinding \u003d true is set, the subsequent code can still fail\nin multiple places: generate_preauth_hash(work) can return -ENOMEM,\nkrb5_authenticate(work) can return -EINVAL, ntlm_negotiate(work,\nnegblob) can fail, and ntlm_authenticate(work) can fail. All of these\nfailures cause a goto out_err. The error handler added by this same\ncommit has no \"conn-\u003ebinding \u003d false\" anywhere in the error path, nor\nanywhere else in the file. 
The binding field was introduced with the\nability to be set to true but with absolutely no code path that ever\nresets it to false on failure.\n\nWhen conn-\u003ebinding is stuck at true, every subsequent call to\nksmbd_session_lookup_all() on that connection will fall back to the\nglobal sessions table if the session isn\u0027t found in the connection\u0027s\nlocal table. This function is called from check_session_id() (session\nvalidation for all SMB2 commands), smb2_check_user_session() (user\nsession check), smb3_decrypt_req() (finding encryption keys), and\nksmbd_get_encryption_key() (encryption key lookup).\n\nThis means a connection with a stuck binding flag can potentially\naccess sessions belonging to other connections/users through the global\ntable, breaking the session isolation model. An attacker can trigger\nthis by sending a multichannel binding request (SMB2_SESSION_SETUP with\nSMB2_SESSION_REQ_FLAG_BINDING) that passes the initial validation checks\nbut fails during authentication, permanently marking the connection as\nbinding \u003d true. All subsequent session lookups on this connection then\nbypass the per-connection table and search the global table.\n\nThe fix commit 282343cf8a4a5a3603b1cb0e17a7083e4a593b03 (\"ksmbd: unset\nconn-\u003ebinding on failed binding request\") adds the missing conn-\u003ebinding\n\u003d false in the error path at fs/smb/server/smb2pdu.c:1958, ensuring the\nbinding state is properly cleaned up when a binding request fails.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "cc5333d79a7d01e3e4469e70df84983b170f2c5a",
      "tree": "6a36437f56cdef5446b2a6738afaaa1f2c823cd5",
      "parents": [
        "338e91d1c883fd84d466c9efd37339b4fe5e19b7"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:36:29 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:36:29 2026 +0200"
      },
      "message": "strip the new mbox\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "338e91d1c883fd84d466c9efd37339b4fe5e19b7",
      "tree": "888befe528fa15515724a81b9c32e298ace20bf2",
      "parents": [
        "7f5df820bd82e7b311af909281bdc81a8a9405f8"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:34:51 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:34:51 2026 +0200"
      },
      "message": "assigned a CVE on request\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "7f5df820bd82e7b311af909281bdc81a8a9405f8",
      "tree": "7acdd7ca7a1761bc9ee0e8bc92177cfc3751dbe3",
      "parents": [
        "641d08eb72f231653f7b44686952d7dd18fb3f23"
      ],
      "author": {
        "name": "GONG Ruiqi",
        "email": "gongruiqi1@huawei.com",
        "time": "Tue Apr 07 21:02:23 2026 +0800"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:31:19 2026 +0200"
      },
      "message": "proposed: Add Ruiqi\u0027s results for v6.19.11\n\nSigned-off-by: GONG Ruiqi \u003cgongruiqi1@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "641d08eb72f231653f7b44686952d7dd18fb3f23",
      "tree": "c2350c148ea073875162fc418f26b1f8e8c72a83",
      "parents": [
        "bb5f5d988bf24652e7c780efb1978d9a56e068f3"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:30:51 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 12:30:51 2026 +0200"
      },
      "message": "reserve some CVEs for unreported issues\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "bb5f5d988bf24652e7c780efb1978d9a56e068f3",
      "tree": "9074bff2150c94e513989ca15379029d912880aa",
      "parents": [
        "4b10eefd3686108310ee323dd70a3cc8bc385149"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 10:57:16 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 10 10:57:16 2026 +0200"
      },
      "message": "update cvelistV5\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "4b10eefd3686108310ee323dd70a3cc8bc385149",
      "tree": "862bb44f3efa6e15cf5c941e607ad2149f7219ae",
      "parents": [
        "7f9cdfd68a274feedf408b31d79eac6cb69be90c"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:07:07 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:07:07 2026 +0200"
      },
      "message": "update cvelistV5\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "7f9cdfd68a274feedf408b31d79eac6cb69be90c",
      "tree": "6005c22b29e2cfb11e2f09b191d3b44561727933",
      "parents": [
        "8023b8a86736cbec757f80cb97e33e27c9c92319"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:06:53 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:06:53 2026 +0200"
      },
      "message": "strip the new mbox\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "8023b8a86736cbec757f80cb97e33e27c9c92319",
      "tree": "5b5efb8f2f29f0492b7c7d6ae1d81ad66f4e1b53",
      "parents": [
        "774a11fbc11f86c5d5afc20efe3db6e9c8469b8a"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:06:26 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Wed Apr 08 15:06:34 2026 +0200"
      },
      "message": "assign a cve on request\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "774a11fbc11f86c5d5afc20efe3db6e9c8469b8a",
      "tree": "75267a0be2ab217bec37787d15f83f3e0115966b",
      "parents": [
        "7ff4563729860f19794c63ed79fe965c3ccce9b9"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 10:01:24 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 10:01:24 2026 +0200"
      },
      "message": "updates based on new stable releases\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "7ff4563729860f19794c63ed79fe965c3ccce9b9",
      "tree": "b73d9de3b99e470362803da928e19a167126779a",
      "parents": [
        "4d6392bcf8b582fd45f9281b57664034df6a5c21"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:43 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:43 2026 +0200"
      },
      "message": "update cvelistV5\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "4d6392bcf8b582fd45f9281b57664034df6a5c21",
      "tree": "ca0a4db1a80f2936c15a24bf8c2b97c97152daac",
      "parents": [
        "afee9521c87760f9b12e61943ae789a318dbd571"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:31 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:31 2026 +0200"
      },
      "message": "strip the new mbox files\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "afee9521c87760f9b12e61943ae789a318dbd571",
      "tree": "0ccdafecb462d86fb01296d36778723187616596",
      "parents": [
        "af1ae1bb963378fd615936d2c727750c9130d8d0"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:10 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:40:10 2026 +0200"
      },
      "message": "assign some cve ids on request\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "af1ae1bb963378fd615936d2c727750c9130d8d0",
      "tree": "2c4d46749c07c3376d2261c5f13ee05424fac25f",
      "parents": [
        "78b33e9b44eaae03018dba1b5141573eb45b94e5"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:33:38 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:33:38 2026 +0200"
      },
      "message": "strip the new mbox file\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "78b33e9b44eaae03018dba1b5141573eb45b94e5",
      "tree": "b9c45d47bde1507dd8d965b4adbcaa798e2d28da",
      "parents": [
        "80d5bfae9ead44138368c7d1f1e217d71c3d1464"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:33:15 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 09:33:15 2026 +0200"
      },
      "message": "allocate CVE-2026-31405 on request\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "80d5bfae9ead44138368c7d1f1e217d71c3d1464",
      "tree": "4e8a70d04a617a8e25a7352db082d1395322a226",
      "parents": [
        "aa84636115ccdb65030c59339d93c4ea72c71a7b"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 08:59:55 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Mon Apr 06 08:59:55 2026 +0200"
      },
      "message": "updates for new .vulnerable files\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "aa84636115ccdb65030c59339d93c4ea72c71a7b",
      "tree": "575dd61bb83de489c1c7feb676c3eac35979ada3",
      "parents": [
        "7b603ab4a44654018026c7f831a0c8970dc85577"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 13:51:40 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 13:51:40 2026 -0400"
      },
      "message": "Revert non-vulnerable file changes\n\nI ran cve_update to verify the changes, but accidentally committed it.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7b603ab4a44654018026c7f831a0c8970dc85577",
      "tree": "415796b57853fab8a9bfa4096b696dea18d3d04d",
      "parents": [
        "3ee287c217fc4be77e1d94df4aedafc0dfd5350d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 13:27:00 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 13:27:00 2026 -0400"
      },
      "message": "CVE-2026-31394: Add .vulnerable file\n\nThe fix (commit 672e5229e1ecf) in ieee80211_chan_bw_change()\n(net/mac80211/chan.c) adds a call to get_bss_sdata(sta-\u003esdata) to\nresolve AP_VLAN sdata to its parent AP sdata before accessing link data:\n\n  -  struct ieee80211_sub_if_data *sdata \u003d sta-\u003esdata;\n  +  struct ieee80211_sub_if_data *sdata;\n     ...\n  - for (link_id \u003d 0; link_id \u003c ARRAY_SIZE(sta-\u003esdata-\u003elink);\n    link_id++) {\n  +  sdata \u003d get_bss_sdata(sta-\u003esdata);\n  +  for (link_id \u003d 0; link_id \u003c ARRAY_SIZE(sdata-\u003elink); link_id++) {\n\nThe crash path is as follows: during CSA (Channel Switch Announcement),\nieee80211_vif_use_reserved_switch() calls\nieee80211_chan_bw_change(local, ctx, true, true) with reserved\u003dtrue. The\nfunction iterates all stations in local-\u003esta_list. For stations on\nAP_VLAN interfaces (e.g., 4-addr WDS clients), sta-\u003esdata points to the\nVLAN sdata, not the parent AP sdata.\nsdata-\u003elink[link_id] retrieves the VLAN\u0027s ieee80211_link_data. The\nVLAN\u0027s link_conf-\u003echanctx_conf passes the chanctx check because\nieee80211_link_vlan_copy_chanctx() (chan.c:2246) copies the parent AP\u0027s\nchanctx_conf pointer to the VLAN\u0027s link_conf. When reserved\u003dtrue, the\ncode executes: new_chandef \u003d \u0026link-\u003ereserved.oper; VLAN interfaces never\nparticipate in chanctx reservations, so link-\u003ereserved.oper is\nzero-initialized -- chan is NULL. This NULL chandef is passed to\n_ieee80211_sta_cur_vht_bw() -\u003e _ieee80211_sta_cap_rx_bw(), which\ndereferences chandef-\u003echan-\u003eband (vht.c:369), causing a NULL pointer\ndereference.\n\nThe root cause is commit b27512368591fc959768df1f7dacf2a96b1bd036\n(\"wifi: mac80211: make ieee80211_chan_bw_change() able to use\nreserved\") by Johannes Berg, dated June 12, 2024.\n\nThis commit introduced the bug by:\n\n1. 
Changing the link access pattern: it changed from accessing\n   sdata-\u003evif.link_conf[link_id] (the bss_conf) to accessing\n   sdata-\u003elink[link_id] (the full ieee80211_link_data), to gain access\n   to the reserved field within the link structure.\n\n2. Adding the reserved code path: it added the conditional:\n\n       if (reserved)\n           new_chandef \u003d \u0026link-\u003ereserved.oper;\n       else\n           new_chandef \u003d \u0026link_conf-\u003echanreq.oper;\n\n   where link comes from sdata-\u003elink[link_id] and sdata \u003d sta-\u003esdata\n   (without get_bss_sdata()).\n\n3. Failing to handle AP_VLAN: for AP_VLAN stations, sta-\u003esdata is the\nVLAN interface. The VLAN\u0027s link-\u003ereserved.oper is always\nzero-initialized because VLAN interfaces never participate in chanctx\nreservations -- only the parent AP interface does. The commit should\nhave resolved VLAN sdata to parent AP sdata via get_bss_sdata() before\naccessing sdata-\u003elink[link_id].\n\nBefore b27512368591f, the function (as converted for MLO in\nb4f85443c17c7) used sdata-\u003evif.link_conf[link_id] to get the link_conf,\nand called ieee80211_sta_cur_vht_bw(link_sta) without a chandef\nparameter. The old ieee80211_sta_cur_vht_bw internally looked up the\nband from sdata-\u003evif.link_conf[link_id]-\u003echanreq.oper, which was valid\nfor VLAN stations because ieee80211_link_vlan_copy_chanctx() properly\ninitialized the VLAN\u0027s link_conf (including chanreq.oper) from the\nparent AP. There was no access to link-\u003ereserved, so the VLAN\u0027s\nuninitialized reservation data was never touched.\n\nWhile b27512368591f introduced the latent bug, all callers at that\npoint passed reserved\u003dfalse. 
The very next commit in the same series,\ndd7b1bdb56144 (\"wifi: mac80211: update STA/chandef width during\nswitch\"), was the first to actually call ieee80211_chan_bw_change() with\nreserved\u003dtrue (during ieee80211_vif_use_reserved_switch()), activating\nthe crash path. However, the root cause is b27512368591f because it\nintroduced the fundamentally incorrect code that accesses VLAN link\nreservation data without resolving to the BSS sdata.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "3ee287c217fc4be77e1d94df4aedafc0dfd5350d",
      "tree": "55d92fe82480dbb7a14569b5687ec0ac4c2e11ae",
      "parents": [
        "9c516250ed26b08eaa82813520eda25c0b25ab94"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:48:34 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:48:34 2026 -0400"
      },
      "message": "CVE-2026-31392: Add .vulnerable file\n\nThe fix (commit 12b4c5d98cd7ca46d5035a57bcd995df614c14e1) by Paulo\nAlcantara adds a strncmp comparison of ses-\u003euser_name against\nctx-\u003eusername in the case Kerberos: branch of match_session() in\nfs/smb/client/connect.c. Before this fix, the Kerberos case only checked\nwhether cred_uid matched, and did not compare the username mount option.\nThis caused two sec\u003dkrb5 mounts to the same server with different\nusername\u003d options (but the same UID) to incorrectly reuse the same SMB\nsession, resulting in the second mount using wrong credentials.\n\nThe root cause is commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2\n(\"cifs: clean up cifs_find_smb_ses (try #2)\") by Jeff Layton, dated\n2010-07-06.\n\nBefore 4ff67b720c02c, the session lookup function cifs_find_smb_ses()\nsimply compared ses-\u003euserName against the provided username string for\nall session types, including Kerberos. Every mount with a different\nusername\u003d option would get its own session:\n\n    static struct cifsSesInfo *\n    cifs_find_smb_ses(struct TCP_Server_Info *server, char *username)\n    {\n        ...\n        list_for_each(tmp, \u0026server-\u003esmb_ses_list) {\n            ses \u003d list_entry(tmp, struct cifsSesInfo, smb_ses_list);\n            if (strncmp(ses-\u003euserName, username, MAX_USERNAME_SIZE))\n                continue;\n            ...\n        }\n    }\n\nCommit 4ff67b720c02c introduced the bug by refactoring\ncifs_find_smb_ses() to switch on server-\u003esecType. 
The commit message\nexplicitly states: \"Matching by username for a Kerberos session is\nincorrect.\" The new Kerberos case only checked linux_uid:\n\n    switch (server-\u003esecType) {\n    case Kerberos:\n        if (vol-\u003elinux_uid !\u003d ses-\u003elinux_uid)\n            continue;\n        break;\n    default:\n        /* anything else takes username/password */\n        if (strncmp(ses-\u003euserName, vol-\u003eusername, MAX_USERNAME_SIZE))\n            continue;\n        ...\n    }\n\nThis was a reasonable design decision at the time -- Kerberos\nauthentication uses tickets, not usernames/passwords, and the UID was\nthought to be sufficient to distinguish sessions.\n\nCommit 37bb04e5a091a5330faef0cc09930326672b7061 (Pavel Shilovsky,\n2011-05-05, \"CIFS: Simplify connection structure search calls\")\nextracted this inline logic into the standalone match_session()\nfunction, preserving the exact same Kerberos-only-checks-cred_uid\nbehavior.\n\nThe assumption broke when the userspace utility cifs.upcall(8) since\ncifs-utils-4.8 added support for using the username\u003d mount option to\nselect specific Kerberos principals from the keytab (/etc/krb5.keytab).\nThis meant that two mounts with sec\u003dkrb5 but different username\u003d values\nare expected to use different principals and therefore need separate SMB\nsessions. But the kernel code in match_session() never compared\nusernames for Kerberos, so it would reuse the first mount\u0027s session for\nthe second mount -- even though a different principal was intended.\n\n4ff67b720c02c is the root cause because it is the commit that removed\nthe username comparison from the Kerberos session matching path. 
Before\nit, the username was always compared regardless of authentication type,\nand different username\u003d options would always yield separate sessions.\nAfter it, Kerberos sessions were matched solely by UID, creating the\ncondition that the CVE exploits: two mounts with different username\u003d\noptions but the same UID silently reuse the same session with incorrect\ncredentials.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9c516250ed26b08eaa82813520eda25c0b25ab94",
      "tree": "45728f2928f7103d53f5423e9e28bd0edd104486",
      "parents": [
        "c4faadc57f023f7684601329777aa128854ae6da"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:32:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:32:25 2026 -0400"
      },
      "message": "CVE-2026-23472: Add .vulnerable file\n\nThe fix (commit 455ce986fa356) adds a NULL check for\nstate-\u003eport.xmit_buf in uart_write_room() in\ndrivers/tty/serial/serial_core.c:\n\n  if (!state-\u003eport.xmit_buf)\n      ret \u003d 0;\n  else\n      ret \u003d kfifo_avail(\u0026state-\u003eport.xmit_fifo);\n\nThe bug is that uart_write_room() and uart_write() are inconsistent\nwhen the transmit buffer (xmit_buf) is NULL, which happens for\nPORT_UNKNOWN ports that were never fully initialized (because\nuart_port_startup() returns early at \"if (uport-\u003etype \u003d\u003d PORT_UNKNOWN)\nreturn 1;\" without allocating the xmit buffer):\n\n- uart_write_room(): Calls kfifo_avail() without checking xmit_buf.\nAfter INIT_KFIFO(), mask\u003d0, so kfifo_size() \u003d mask + 1 \u003d 1, kfifo_len()\n\u003d in - out \u003d 0, therefore kfifo_avail() \u003d 1. Returns a positive value,\nclaiming space is available.\n\n- uart_write(): Checks \"if (WARN_ON_ONCE(!state-\u003eport.xmit_buf))\" and\n  returns 0 when xmit_buf is NULL.\n\nThis causes an infinite loop in any caller using the pattern:\n\n  while (tty_write_room(tty) \u003e 0) {\n      written \u003d tty-\u003eops-\u003ewrite(...);  // always returns 0\n      // loop never exits\n  }\n\nFor example, caif_serial\u0027s handle_tx() (drivers/net/caif/caif_serial.c)\nuses exactly this pattern, causing system hangs.\n\nThe root cause was introduced in the very first Linux Git commit —\n1da177e4c3f41 (Linux 2.6.12-rc2, 2005-04-16, authored by Linus Torvalds\nas a Git import of Russell King\u0027s serial core code).\n\nIn the original drivers/serial/serial_core.c:\n\n- uart_write() (line 464) HAS a NULL buffer check:\n\n    uart_write(struct tty_struct *tty, const unsigned char *buf, int count)\n    {\n        struct circ_buf *circ \u003d \u0026state-\u003einfo-\u003exmit;\n        if (!circ-\u003ebuf)       // \u003c--- NULL check present\n            return 0;\n        ...\n    }\n\n- uart_write_room() (line 494) is MISSING a NULL buffer check:\n\n    static int uart_write_room(struct tty_struct *tty)\n    {\n        struct uart_state *state \u003d tty-\u003edriver_data;\n        return uart_circ_chars_free(\u0026state-\u003einfo-\u003exmit);  // no NULL check\n    }\n\nWith xmit.buf \u003d NULL and zero-initialized head\u003d0, tail\u003d0:\nuart_circ_chars_free() \u003d CIRC_SPACE(0, 0, 4096) \u003d CIRC_CNT(0, 1, 4096)\n\u003d ((0 - 1) \u0026 4095) \u003d 4095.\n\nSo the original code returned 4095 from uart_write_room() while\nuart_write() returned 0 — the exact same class of inconsistency that\nproduces infinite loops.\n\nEven in the original code, state-\u003einfo was allocated during uart_open()\n(via kmalloc + memset(0) at line 1464 of the original file), meaning\nstate-\u003einfo-\u003exmit.buf was NULL but the struct was accessible. Then\nuart_startup() returned early for PORT_UNKNOWN (line \"if (port-\u003etype \u003d\u003d\nPORT_UNKNOWN) return 0;\") without ever allocating xmit.buf. Any\nsubsequent call to uart_write_room() would return 4095, while\nuart_write() would return 0.\n\nThe chain of events through refactorings:\n\n- 1da177e4c3f41 (2005-04-16, Linus Torvalds): ROOT CAUSE —\n  uart_write_room() calls uart_circ_chars_free(\u0026state-\u003einfo-\u003exmit)\n  without NULL check. uart_write() has \"if (!circ-\u003ebuf) return 0;\".\n  Inconsistency introduced.\n\n- f751928e0ddf5 (2009-01-02, Alan Cox): Embeds uart_info into uart_state\n  (pointer to struct). Changes state-\u003einfo-\u003exmit to state-\u003einfo.xmit.\n  No behavioral change — asymmetry preserved.\n\n- ebd2c8f6d2ec4 (2009-09-19, Alan Cox): Kills off uart_info, moves xmit\n  to state-\u003exmit. Changes access path only. Asymmetry preserved.\n\n- 9ed19428a51d5 (2016-04-09, Peter Hurley): Adds safe port locking\n  wrapper. Changes spin_lock_irqsave to uart_port_lock(). No NULL check\n  added.\n\n- 1788cf6a91d9f (2024-04-05, Jiri Slaby): kfifo conversion — converts\n  uart_circ_chars_free(\u0026state-\u003exmit) to\n  kfifo_avail(\u0026state-\u003eport.xmit_fifo). Explicitly converts\n  uart_write()\u0027s \"!circ-\u003ebuf\" check to\n  \"WARN_ON_ONCE(!state-\u003eport.xmit_buf)\" but does NOT add an equivalent\n  to uart_write_room(). Asymmetry carried forward into new API.\n\n- 455ce986fa356 (2026-02-04, Jiayuan Chen): FIX — Adds\n  \"!state-\u003eport.xmit_buf\" check to uart_write_room().\n\nThe root cause is commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\n(\"Linux-2.6.12-rc2\"), which is the initial Git import of the serial\ncore code. From its very inception, uart_write() had a NULL check on the\ntransmit buffer while uart_write_room() did not. This asymmetry was\nfaithfully preserved through every subsequent refactoring — the\nuart_info embedding (2009), the uart_info removal (2009), the safe\nlocking wrappers\n(2016), and the kfifo conversion (2024) — none of which ever added the\nmissing NULL check to uart_write_room(). The kfifo conversion\n(1788cf6a91d9f) is the most practical Fixes: target for backporting\nsince it introduced the current code shape, but the underlying design\nflaw — the inconsistent NULL buffer handling between the two functions —\ntraces all the way back to the original serial core implementation.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c4faadc57f023f7684601329777aa128854ae6da",
      "tree": "0ddb9618178ce82c9e2151fa4f7ec3430e2f7f5d",
      "parents": [
        "8116413a8d5b528d41763b86dc36583025ee9105"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:06:20 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 12:06:20 2026 -0400"
      },
      "message": "CVE-2026-23468: Add .vulnerable file\n\nThe fix (commit 6270b1a5dab94665d7adce3dc78bc9066ed28bdd) adds a hard\nupper limit of 128K entries (AMDGPU_BO_LIST_MAX_ENTRIES \u003d 128 * 1024) to\nthe amdgpu_bo_create_list_entry_array() function in\ndrivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c. Before the array is\nallocated from user-supplied data, bo_number is checked against this\nlimit, preventing userspace from requesting an arbitrary number of BO\nlist entries via the bo_number field in the drm_amdgpu_bo_list_in\nstruct, which could cause excessive memory allocation (potentially\ngigabytes) and long processing times — a resource exhaustion /\ndenial-of-service attack.\n\nThe amdgpu_bo_create_list_entry_array() function (and its predecessor\ncode inline in amdgpu_bo_list_ioctl()) copies a userspace-provided array\nof drm_amdgpu_bo_list_entry structures into kernel memory. The number of\nentries is taken directly from the userspace-controlled in-\u003ebo_number\nfield. The allocation function (kvmalloc_array / original drm_malloc_ab)\nonly checks for multiplication overflow (i.e., nmemb * size \u003e SIZE_MAX),\nbut does NOT reject merely large-but-valid sizes. For example, bo_number\n\u003d 100,000,000 with sizeof(struct drm_amdgpu_bo_list_entry) \u003d 16 bytes\nwould allocate ~1.6 GB of kernel memory — a valid allocation that\ndoesn\u0027t overflow, but still causes resource exhaustion.\n\nThere are two independent allocation paths triggered by a large\nbo_number:\n1. In amdgpu_bo_create_list_entry_array(): kvmalloc_array(bo_number,\n   info_size, GFP_KERNEL) — allocating space for the entry array copied\n   from userspace.\n2. In amdgpu_bo_list_create(): kvmalloc(sizeof(list) + num_entries *\n   sizeof(entry), GFP_KERNEL) — allocating the actual BO list structure\n   with embedded entries.\n\nBoth can be triggered by an unprivileged user through the\nAMDGPU_BO_LIST_OP_CREATE or AMDGPU_BO_LIST_OP_UPDATE ioctl operations,\nor through the CS ioctl\u0027s AMDGPU_CHUNK_ID_BO_HANDLES chunk (added later\nby 964d0fbf6301d).\n\nThe root cause is commit d38ceaf99ed015f2a0b9af3499791bd3a3daae21\n(\"drm/amdgpu: add core driver (v4)\" by Alex Deucher, 2015-04-20). This\ncommit introduced the entire amdgpu driver, including\namdgpu_bo_list_ioctl(). The original code:\n\n  info \u003d drm_malloc_ab(args-\u003ein.bo_number,\n                       sizeof(struct drm_amdgpu_bo_list_entry));\n\ntakes args-\u003ein.bo_number directly from the ioctl userspace input and\npasses it to drm_malloc_ab() without any upper-bound check. The\ndrm_malloc_ab() function (defined in include/drm/drm_mem_util.h) only\nprotected against multiplication overflow:\n\n  if (size !\u003d 0 \u0026\u0026 nmemb \u003e SIZE_MAX / size)\n      return NULL;\n\nbut would happily call __vmalloc(size * nmemb, ...) for any\nlarge-but-non-overflowing value, enabling resource exhaustion.\n\nThe same pattern existed in amdgpu_bo_list_set() (also in this commit),\nwhich used drm_malloc_ab(num_entries, sizeof(struct\namdgpu_bo_list_entry)) with num_entries originating from userspace.\n\nChain of events:\n1. d38ceaf99ed01 (2015-04-20) — ROOT CAUSE: Introduced\n   amdgpu_bo_list_ioctl() accepting arbitrary bo_number from userspace\n   with no limit.\n2. 2098105ec65cb (2017-05-17) — Replaced drm_malloc_ab with\n   kvmalloc_array (functional equivalent, still no size limit).\n3. 964d0fbf6301d (2018-07-06) — Refactored the copy-from-user logic\n   into amdgpu_bo_create_list_entry_array() and added a second entry\n   point via the CS ioctl (AMDGPU_CHUNK_ID_BO_HANDLES), widening the\n   attack surface.\n4. 920990cb080a (2018-07-30) — Added a multiplication overflow check in\n   amdgpu_bo_list_create(), but this only prevents overflow, not large\n   allocations.\n5. 6270b1a5dab94 (2026-03-12) — THE FIX: Added\nAMDGPU_BO_LIST_MAX_ENTRIES (128K) limit in\namdgpu_bo_create_list_entry_array(), finally preventing the resource\nexhaustion.\n\nThe root cause is commit d38ceaf99ed015f2a0b9af3499791bd3a3daae21 which\nintroduced the amdgpu BO list ioctl handler that accepted a\nuserspace-controlled bo_number without any reasonable upper-bound\nvalidation. From that very first commit, an unprivileged user with\naccess to the amdgpu DRM device could request allocation of arbitrarily\nlarge kernel memory buffers, leading to resource exhaustion and\npotential denial of service. The vulnerability persisted for over a\ndecade through multiple refactors until the fix imposed a 128K entry\nlimit.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8116413a8d5b528d41763b86dc36583025ee9105",
      "tree": "fbc66601d1bcdf23c0c52f0ae6935fca4482791f",
      "parents": [
        "e77f40bc7ea7ba0d084a989cc64b05f7bc013ed4"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:42:24 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:42:24 2026 +0200"
      },
      "message": "reject CVE-2026-23320 as it was reverted\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "e77f40bc7ea7ba0d084a989cc64b05f7bc013ed4",
      "tree": "afcb1a5292b3a8f370310565d0d82c7fc898278e",
      "parents": [
        "ac6f65916b51a8668999d4579db92cf9254c5d80"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:40:33 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:40:33 2026 +0200"
      },
      "message": "update CVE-2026-23333 to point at the correct id\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "ac6f65916b51a8668999d4579db92cf9254c5d80",
      "tree": "2da7a6753337438187bbe3bc9803664752241544",
      "parents": [
        "e3e3ed02156a46c1b4c7b5d4466d2ded9faf1212"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:32:34 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:32:34 2026 +0200"
      },
      "message": "reject CVE-2025-68812 as it was reverted\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "e3e3ed02156a46c1b4c7b5d4466d2ded9faf1212",
      "tree": "3a9488ecd2ec95c9b53d8f6b1ee846c90812fe99",
      "parents": [
        "1e78f1d1c416672fc5b78b46d2ad1b4fafe72198"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:29:33 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:29:33 2026 +0200"
      },
      "message": "update CVE-2025-40219\n\nIt was fixed \"properly\" by a later commit, so update it with the correct\ninformation.\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "1e78f1d1c416672fc5b78b46d2ad1b4fafe72198",
      "tree": "919e50a49882cd3f9a9de4c6ed1f131bdbed2484",
      "parents": [
        "791f7f22e773dbf0eb2a4a25fd6281d1723617ff"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:29:04 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:29:04 2026 +0200"
      },
      "message": "add another \"not revert\" id\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "791f7f22e773dbf0eb2a4a25fd6281d1723617ff",
      "tree": "01b698e38690c1545e7941a24cf6d61ef0ec972d",
      "parents": [
        "c483026db560ae9bb28bbf5ff8f11c3d3f3ad4d7"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:26:06 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:26:06 2026 +0200"
      },
      "message": "drop an id from greg\u0027s 6.19.10 review\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "c483026db560ae9bb28bbf5ff8f11c3d3f3ad4d7",
      "tree": "7cbc2a1681a4eb6b08433cba210aac9d79f8ba9e",
      "parents": [
        "ca03971e1ba19e35e8eb4e8d5f5940e90eb738e4"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:24:57 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:24:57 2026 +0200"
      },
      "message": "strip the mbox files\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "ca03971e1ba19e35e8eb4e8d5f5940e90eb738e4",
      "tree": "a0a66c108eb43b71e33248feaa8d9572be1effd1",
      "parents": [
        "5fe1a9d62aa4817d219e89e49a207270ab521669"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:24:34 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 17:24:34 2026 +0200"
      },
      "message": "assign some 6.19.10 cve ids\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "5fe1a9d62aa4817d219e89e49a207270ab521669",
      "tree": "2edada67c79971eae95f95ddb1dd0858fbdea664",
      "parents": [
        "3fccd8cf57eaa5e614a41dea2c29ad4a194985da"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:56:53 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 16:03:13 2026 +0200"
      },
      "message": "add 6.19.10 review from greg\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "3fccd8cf57eaa5e614a41dea2c29ad4a194985da",
      "tree": "a0c2af121b9cdd33ca93ca56b4e592bfd2759174",
      "parents": [
        "2419aba01c3bbedd56c2a05cb57578b5dda0ef37"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:39:08 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:56:26 2026 +0200"
      },
      "message": "mark 6.19.8 review as completed\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "2419aba01c3bbedd56c2a05cb57578b5dda0ef37",
      "tree": "1821a75551f94029484f54b6b3fb7c7f4e51d8dd",
      "parents": [
        "a71ce04cd0062f6eddd04f11153ce63721ea5823"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 09:46:36 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Fri Apr 03 09:46:36 2026 -0400"
      },
      "message": "sasha: review v6.19.11\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a71ce04cd0062f6eddd04f11153ce63721ea5823",
      "tree": "912cab1cdcf3e0e32ed01c71695dbc7060cd3025",
      "parents": [
        "29e637546ff63cf50a2a5088e4f0d89c956e8a33"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:37:56 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:37:56 2026 +0200"
      },
      "message": "updates based on new .cvss files\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "29e637546ff63cf50a2a5088e4f0d89c956e8a33",
      "tree": "cde525c837ea3618bebd4ae0ca1f971a4369d02d",
      "parents": [
        "af9319308b2730a3a46712c52f94d482d1fedec1",
        "08a4c1d9019e1c89a8cf112444fd83c32c5ca5f9"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:30:56 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:30:56 2026 +0200"
      },
      "message": "Merge branch \u0027sasha-cvss-important\u0027\n\nTake the last chunk of CVSS important marks\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "af9319308b2730a3a46712c52f94d482d1fedec1",
      "tree": "96cafafa67781a122e2709a556df589c22a7aa37",
      "parents": [
        "041294dddefd93eb8bf63f474ad99babee83b20f"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:30:36 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:30:36 2026 +0200"
      },
      "message": "strip the new mbox files\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "041294dddefd93eb8bf63f474ad99babee83b20f",
      "tree": "eff2c25964ceec9fa3be704a763b44cfe6c817ef",
      "parents": [
        "1877857563732b8ef09aead95230a81e41667ab0"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:28:42 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:28:42 2026 +0200"
      },
      "message": "mark 6.17.9 review as completed\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "1877857563732b8ef09aead95230a81e41667ab0",
      "tree": "45e2eb45964c1580960fb8c34523b3daed84b95b",
      "parents": [
        "e5ce2c1cc133e066f4e62b663850b03f54fb95c2"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:28:18 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:28:18 2026 +0200"
      },
      "message": "final bit of 6.19.7 cve ids assigned\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "e5ce2c1cc133e066f4e62b663850b03f54fb95c2",
      "tree": "576a7929bb295499e01fef6f155fab80531f4576",
      "parents": [
        "c13358f97e5f89e290e30cce1c9ddb5948ed71cf"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:22:50 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:22:50 2026 +0200"
      },
      "message": "update 6.19.7 review from greg\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "c13358f97e5f89e290e30cce1c9ddb5948ed71cf",
      "tree": "84bc2c1d45425b692dcca6993ff7012fbcfc6322",
      "parents": [
        "801e97216757c9ea64659bf9011de2ec18660c71"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:14:30 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 15:14:30 2026 +0200"
      },
      "message": "mark 6.18.3 review as completed\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "801e97216757c9ea64659bf9011de2ec18660c71",
      "tree": "d0400c4a79b757093330243d5a833a4836eed539",
      "parents": [
        "55775088885ae6924b98b8cf4438cb7440ef2e00"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 14:46:51 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 14:46:51 2026 +0200"
      },
      "message": "update cvelistV5\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "55775088885ae6924b98b8cf4438cb7440ef2e00",
      "tree": "e4f1d032a9b56a70f1fe49a010b3d8d97b735867",
      "parents": [
        "45bd8cad78e84e1987c663e0a1e261bd17e07eba"
      ],
      "author": {
        "name": "Allen Pais",
        "email": "allen.lkml@gmail.com",
        "time": "Thu Apr 02 18:11:49 2026 +0000"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Fri Apr 03 14:46:34 2026 +0200"
      },
      "message": "proposed: Add Allen\u0027s v6.19.[10/11] results\n\nSigned-off-by: Allen Pais \u003capais@linux.microsoft.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "08a4c1d9019e1c89a8cf112444fd83c32c5ca5f9",
      "tree": "cf8e1f0e3a9c8b478b6d05faae0f9678b0afeb73",
      "parents": [
        "d795a9503dd0e75e0c76b15ab1a72525ffa99638"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:57:59 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23209: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Triggering the vulnerability requires CAP_NET_ADMIN to create\n    macvlan interfaces, which is reachable via user namespaces (unshare\n    -Urn) by an unprivileged local user. The setup is local even though\n    the UAF is triggered by network packets.\nAC:L -The vulnerability is deterministically triggered by a\n    straightforward sequence: create a macvlan source with a known-bad\n    interface name to cause register_netdevice() failure, then send a\n    packet with the matching source MAC. No race condition or special\n    conditions needed.\nPR:L -Requires CAP_NET_ADMIN for RTM_NEWLINK netlink operations,\n    but this capability is obtainable by any unprivileged user through\n    user namespaces (unshare -Urn), as netlink_net_capable checks\n    against the network namespace\u0027s user_ns, not init_user_ns.\nUI:N -No user interaction is needed. The attacker sets up the\n    vulnerable macvlan configuration and triggers the UAF by sending\n    packets on the lower device, all without any victim action.\nS:U -The vulnerability operates within the kernel\u0027s security\n    context. While it allows kernel code execution, it does not cross a\n    virtualization or sandbox boundary — it is standard kernel\n    privilege escalation.\nC:H -The use-after-free in macvlan_forward_source() dereferences a\n    freed macvlan_dev structure. An attacker can reclaim the freed\n    memory via heap spraying, enabling arbitrary kernel memory reads\n    through controlled object contents.\nI:H -The UAF accesses and writes to the freed macvlan_dev structure\n    (e.g., macvlan_count_rx updates statistics). With heap spraying to\n    reclaim the freed object, this provides arbitrary write primitives\n    that can be leveraged for code execution.\nA:H -The use-after-free causes dereferencing of freed memory, which\n    reliably causes kernel crashes (oops/panic) when the freed memory\n    is reclaimed for other purposes. The reproducer in the commit\n    message demonstrates a reliable crash.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d795a9503dd0e75e0c76b15ab1a72525ffa99638",
      "tree": "35ebd4c42de105c49a67cab422eb6931bb92b870",
      "parents": [
        "410fc5379ec3773873de51243fcd1c91c2958c68"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:03:33 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23204: Add CVSS 3.1 score (7.1 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H\n\nAV:L -Exploiting this vulnerability requires local access to create\n    a network namespace and configure tc u32 filters via netlink\n    (RTM_NEWTFILTER). This is not remotely reachable.\nAC:L -The attacker fully controls the filter configuration (key\n    offsets) and can reliably trigger the OOB read by sending any\n    packet through the configured qdisc. No race condition or special\n    conditions needed.\nPR:L -Requires CAP_NET_ADMIN to configure tc filters, but this\n    capability is obtainable via user namespaces (unshare -Urn) since\n    netlink_net_capable checks ns_capable against the netns user_ns.\nUI:N -No user interaction is required. The attacker configures the\n    filter and sends packets themselves within their network namespace.\nS:U -The vulnerability operates within the kernel\u0027s security\n    domain. There is no crossing of security boundaries such as VM\n    escape or sandbox escape.\nC:H -The out-of-bounds read allows reading arbitrary adjacent slab\n    memory with attacker-controlled offsets. The classification result\n    can serve as a side-channel oracle to leak kernel memory contents\n    byte-by-byte.\nI:N -This is strictly an out-of-bounds read vulnerability. The read\n    data is used only for comparison in the classifier; no write\n    primitive exists in this code path.\nA:H -Accessing out-of-bounds slab memory with a sufficiently large\n    negative offset can hit unmapped pages, causing a kernel oops/crash\n    as confirmed by the KASAN slab-out-of-bounds report.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "410fc5379ec3773873de51243fcd1c91c2958c68",
      "tree": "9829491eca8fc8468aa8468fee2d696730997d20",
      "parents": [
        "55f51564306efefdc845ca58e3b5f2d986ba22ca"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:08:55 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23198: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via the KVM_IRQFD ioctl on a\n    KVM VM file descriptor, which requires local access to the system\n    and /dev/kvm.\nAC:L -The bug is deterministic - deassigning an irqfd always\n    clobbers irq_entry.type, causing the bypass cleanup to be skipped.\n    The attacker controls both the assign and deassign operations, so\n    no uncontrollable conditions exist.\nPR:L -Access to /dev/kvm is typically available to unprivileged\n    users who are members of the kvm group or in configurations where\n    KVM is broadly accessible; real root privileges are not required.\nUI:N -No user interaction is needed; the attacker can trigger the\n    vulnerability entirely through their own ioctl calls on a KVM VM\n    they created.\nS:U -The vulnerability affects the host kernel from a host-side\n    user operating KVM. It does not cross a guest-to-host security\n    boundary; the attacker is already on the host.\nC:H -The use-after-free on the irqfd structure allows an attacker\n    to read contents of freed and potentially reallocated memory,\n    providing an arbitrary read primitive through heap manipulation.\nI:H -The use-after-free and list corruption (ir_list) enable heap\n    spraying into the freed irqfd structure, giving arbitrary write\n    primitives and potential code execution via control flow hijacking.\nA:H -The bug directly causes NULL pointer dereferences and list\n    corruption BUGs, resulting in kernel oops/panic as demonstrated in\n    the commit message\u0027s crash traces.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "55f51564306efefdc845ca58e3b5f2d986ba22ca",
      "tree": "c885522a381fa30f068359ddfba37beb88c01cad",
      "parents": [
        "f506c84766d537223855f3f2f1994249c02bbd88"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:13:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23195: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through local DRM device\n    ioctls (GPU buffer allocation/deallocation) combined with cgroup\n    device memory accounting. No network or adjacent access path exists.\nAC:H -An unprivileged attacker can hold GPU memory charges, but\n    triggering the UAF requires a device removal event (module unload,\n    device unbind) which is beyond the unprivileged attacker\u0027s control.\n    The attacker cannot independently cause region unregistration.\nPR:L -An unprivileged local user with DRM device access (e.g.,\n    /dev/dri/renderD128, commonly accessible to video group users) can\n    allocate GPU buffers that hold cgroup charge references, setting up\n    the UAF condition exploitable when device removal occurs.\nUI:N -No user interaction is required. The attacker\u0027s process holds\n    GPU allocations, and the UAF triggers automatically when the device\n    is removed and cleanup runs.\nS:U -The vulnerability stays within the kernel\u0027s security\n    authority. There is no crossing of a security boundary such as VM\n    escape or IOMMU bypass.\nC:H -The UAF dereferences the parent pointer chain in freed\n    page_counter structures, reading from freed/reallocated memory. An\n    attacker who heap-sprays the freed kmalloc-512 slot can leak kernel\n    data through the pointer-following behavior.\nI:H -The page_counter_uncharge performs atomic_long_sub_return on\n    freed memory at a known offset, providing a controlled write\n    primitive. Following the parent chain can cause writes at multiple\n    attacker-influenced locations via heap spray.\nA:H -The KASAN report confirms a kernel crash\n    (slab-use-after-free). The write to freed memory causes a kernel\n    oops that crashes the system.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f506c84766d537223855f3f2f1994249c02bbd88",
      "tree": "575e429bec763120215003714f4b15180f207947",
      "parents": [
        "f7aa12a6b11205e74f7a66ea3745ef390ca5b019"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:14:54 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23193: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -The iSCSI target is a network-facing service listening on TCP\n    port 3260. An authenticated remote initiator can trigger session\n    logout or reinstatement flows that reach the vulnerable function.\nAC:L -The race condition is inherent in the code path — whenever\n    session_usage_count reaches 0 with a waiter, the UAF occurs\n    deterministically because complete() wakes the waiter before\n    spin_unlock_bh(). The attacker triggers this by initiating session\n    logout, and the bug fires reliably.\nPR:L -An iSCSI initiator must authenticate (via CHAP or ACL) before\n    establishing a session. Only authenticated sessions can trigger\n    logout/reinstatement paths that call\n    iscsit_dec_session_usage_count().\nUI:N -No user interaction is required. The attacker directly\n    connects to the iSCSI target service, authenticates, and triggers\n    session logout or reinstatement.\nS:U -The vulnerability affects the kernel within the same security\n    authority. There is no crossing of a VM boundary or sandbox escape.\nC:H -This is a use-after-free on a kernel heap object\n    (iscsit_session structure). UAFs allow an attacker to control freed\n    object contents via heap spraying, potentially enabling arbitrary\n    kernel memory reads.\nI:H -The use-after-free on the session structure enables heap\n    spraying attacks that can achieve arbitrary write primitives and\n    control flow hijacking in kernel context.\nA:H -The use-after-free causes a KASAN slab-use-after-free (as\n    reported), which results in a kernel crash/oops, causing complete\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f7aa12a6b11205e74f7a66ea3745ef390ca5b019",
      "tree": "3e9cfca45aed9954b13a1b4cff7951833fb6c0fe",
      "parents": [
        "d112342696686e0c6cb1b84ec8562238f929b76a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:15:58 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23191: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in the ALSA aloop PCM driver, accessed\n    through local sound device files (/dev/snd/pcmC*D*p and\n    /dev/snd/pcmC*D*c). No network or adjacent access path exists.\nAC:L -The attacker fully controls both sides of the race condition\n    — they can concurrently trigger PCM start on one substream while\n    closing the paired substream. The race is reliably winnable by the\n    attacker, as confirmed by syzbot reproducibility.\nPR:L -Accessing ALSA PCM device files requires a local unprivileged\n    user with audio group membership or equivalent permissions, which\n    is standard on desktop Linux and Android. The snd-aloop module must\n    be loaded, but no root/admin privileges are required to trigger the\n    bug once available.\nUI:N -No user interaction is required. The attacker can open,\n    trigger, and close PCM substreams entirely on their own.\nS:U -The vulnerability and its impact remain within the kernel\u0027s\n    security authority. There is no crossing of a security boundary\n    such as a VM escape or sandbox escape.\nC:H -This is a use-after-free vulnerability where freed\n    loopback_pcm and runtime structures are dereferenced. An attacker\n    can reclaim the freed memory with controlled data, enabling\n    arbitrary kernel memory reads.\nI:H -The UAF allows the attacker to reclaim freed heap objects via\n    heap spraying, providing arbitrary write primitives and potential\n    control flow hijacking through corrupted function pointers in the\n    loopback_pcm or runtime structures.\nA:H -The use-after-free reliably causes kernel crashes (oops/panic)\n    when the freed memory is accessed, as demonstrated by the syzbot\n    fuzzer report.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d112342696686e0c6cb1b84ec8562238f929b76a",
      "tree": "8cf3de193d639f1e9c72aefe6c1918182c14201d",
      "parents": [
        "28d7dc8d2c445ff6890f3445c5a6876eb75b7d89"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:16:06 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23192: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through local operations:\n    creating a tun device, manipulating carrier state via netlink\n    (RTM_SETLINK/IFLA_CARRIER), and deleting the device. All require\n    local system access via syscalls/netlink.\nAC:L -The attacker controls both sides of the race - they fire the\n    linkwatch event by changing carrier state AND initiate device\n    deletion. The reproducer shows reliable triggering with a simple\n    sleep. The attacker creates and controls the race condition.\nPR:L -Creating tun devices and manipulating carrier state requires\n    CAP_NET_ADMIN, but this capability is available in user namespaces\n    via unshare -Urn (ns_capable check in tun.c:2757), making this\n    reachable by unprivileged local users.\nUI:N -No user interaction is needed. The attacker autonomously\n    creates the device, manipulates carrier state, and triggers the\n    race to cause the UAF.\nS:U -The vulnerability results in kernel memory corruption within\n    the same security authority (the kernel). There is no crossing of a\n    virtualization or sandbox boundary.\nC:H -This is a use-after-free on a net_device structure. The freed\n    memory can be reclaimed and filled with attacker-controlled data\n    via heap spraying, enabling arbitrary kernel memory reads through\n    the stale pointer.\nI:H -The UAF on the net_device structure allows heap spraying to\n    place attacker-controlled data in the freed allocation. This\n    enables write primitives and potential control flow hijacking\n    through the stale device pointer operations.\nA:H -The UAF reliably causes a kernel crash/oops as demonstrated by\n    the KASAN report. Accessing freed memory in netdev_unlock_ops\n    triggers an immediate kernel crash.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "28d7dc8d2c445ff6890f3445c5a6876eb75b7d89",
      "tree": "ce75b8bbe706ed21b17f9084d41a2a0d0920a0be",
      "parents": [
        "4e21bc7adc9271ce49aa42e1f4ee63c302257bc2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:22:23 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23184: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Binder is accessed via /dev/binder device file through\n    ioctl(BINDER_WRITE_READ), requiring local system access. It is not\n    reachable over the network.\nAC:L -The attacker controls both sides of the race: they freeze the\n    target via BINDER_FREEZE (no privilege check), send the oneway\n    transaction, then thaw the target to trigger the free. This makes\n    the race reliably triggerable.\nPR:L -Any unprivileged process that can open /dev/binder can\n    trigger this. On Android, any app has binder access. No special\n    capabilities or root privileges are required.\nUI:N -No user interaction is needed. The attacker can trigger the\n    entire sequence (freeze, send transaction, thaw) programmatically\n    without any victim action.\nS:U -This is a standard kernel UAF exploitable for privilege\n    escalation within the same security authority (kernel). No VM\n    escape or sandbox boundary crossing is involved.\nC:H -The UAF allows reading freed kernel heap memory. With heap\n    spraying to control the freed object\u0027s contents, an attacker can\n    achieve arbitrary kernel memory reads.\nI:H -The UAF enables heap spraying the freed binder_transaction\n    object, giving the attacker write primitives and control flow\n    hijacking capability in the kernel.\nA:H -As demonstrated by the KASAN report, accessing freed memory\n    causes a kernel crash. The UAF reliably triggers a kernel\n    oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "4e21bc7adc9271ce49aa42e1f4ee63c302257bc2",
      "tree": "40b16a29712a4f48718e0ae8cd2722fa644ddf04",
      "parents": [
        "484e9e76bc0367d7e37dbf443b5ef3211dda3224"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:23:27 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23185: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability requires local access to manage WiFi\n    interfaces — freeing the vif (via interface removal or\n    drv_change_interface) needs CAP_NET_ADMIN operations that an\n    adjacent WiFi attacker cannot trigger remotely.\nAC:L -A local attacker controls both sides: they can trigger MLO\n    link activation (scheduling the 5-second delayed work) and then\n    immediately change/remove the interface before the work fires. The\n    5-second window is generous and fully attacker-controlled.\nPR:L -WiFi connection management is available to unprivileged users\n    through NetworkManager, and various automatic interface management\n    paths (driver restart, hardware events) could trigger the vif free\n    without explicit root action.\nUI:N -No user interaction is required — the attacker can trigger\n    the entire sequence (WiFi connection, link activation,\n    disconnection, interface change) programmatically.\nS:U -The vulnerability and its impact are both within the kernel\u0027s\n    WiFi driver subsystem — no security boundary is crossed.\nC:H -The use-after-free allows reading freed memory that may be\n    reallocated with sensitive data, providing arbitrary kernel memory\n    read primitives through heap spraying techniques.\nI:H -The use-after-free enables heap spraying to control the freed\n    mld_vif object, providing write primitives and potential control\n    flow hijacking for arbitrary code execution in kernel context.\nA:H -The use-after-free will cause a kernel crash (oops/panic) when\n    the delayed work accesses the freed mld_vif structure through\n    container_of.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "484e9e76bc0367d7e37dbf443b5ef3211dda3224",
      "tree": "16d88ddf7bc55aed45c6e91cbbf278e4db5f3931",
      "parents": [
        "43c1516dd8e0abc68b92ee227f3feea37a94c467"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:27:50 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23180: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in a hardware IRQ handler for NXP DPAA2\n    Ethernet switch hardware. The if_id comes from MC firmware via\n    hardware registers, requiring at minimum local access to the system\n    running this hardware. Not remotely triggerable via network packets.\nAC:H -The attacker cannot control the if_id value returned by the\n    MC firmware in the IRQ status register. Triggering an out-of-bounds\n    if_id requires a firmware bug or hardware anomaly, which are\n    conditions beyond the attacker\u0027s control.\nPR:L -While the IRQ fires from hardware events, a local user on a\n    system with DPAA2 hardware could potentially trigger link state\n    change events. No special privileges beyond basic local access are\n    required to cause network interface events.\nUI:N -No user interaction is required. The IRQ handler fires\n    automatically in response to hardware events without any user\n    action.\nS:U -The vulnerability affects the kernel in its own security\n    context. There is no crossing of security boundaries such as VM\n    escape or IOMMU bypass.\nC:H -The OOB read on the heap-allocated ports pointer array (up to\n    64K entries beyond bounds) reads arbitrary kernel heap memory. The\n    dereferenced pointer then accesses further arbitrary memory,\n    potentially disclosing kernel data.\nI:H -The OOB-read pointer is dereferenced and used to call\n    functions that modify port state (link state update, MAC address\n    set, MAC connect/disconnect). If the OOB-read pointer happens to\n    point to attacker-influenced memory, this could enable arbitrary\n    writes.\nA:H -Dereferencing a garbage pointer read from OOB heap memory will\n    almost certainly cause a kernel crash (oops or panic), resulting in\n    complete denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "43c1516dd8e0abc68b92ee227f3feea37a94c467",
      "tree": "ebf7f6ebc473062e2f219056fd6586f3e6ad47b4",
      "parents": [
        "7d905f150991b1a9c03d2e42c257b3c0986d124d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:31:05 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23178: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through the hidraw ioctl\n    interface (/dev/hidrawN), requiring local system access to open the\n    device file and issue an ioctl. I2C-HID devices are locally\n    attached hardware (touchpads, touchscreens).\nAC:L -The attacker simply opens a hidraw device and issues a\n    HIDIOCGFEATURE/HIDIOCGINPUT ioctl with a large size parameter. No\n    race condition, special memory layout, or non-default configuration\n    is needed to trigger the overflow.\nPR:L -While hidraw devices default to 0600 root:root, on desktop\n    Linux systems with systemd/logind, udev uaccess rules grant some\n    hidraw device access to the physically logged-in user without root\n    privileges. On shared workstations or kiosks, a non-root user could\n    trigger this.\nUI:N -No user interaction is required. The attacker opens the\n    hidraw device file and issues the ioctl directly.\nS:U -The vulnerability is in the kernel and the impact (heap\n    corruption) affects the kernel itself. No security boundary\n    crossing (like VM escape) occurs.\nC:H -This is a heap buffer overflow of up to ~16KB past the\n    allocated buffer. Heap corruption of this magnitude can be\n    leveraged to read adjacent kernel heap objects, potentially\n    disclosing sensitive kernel memory.\nI:H -The out-of-bounds write corrupts adjacent kernel heap objects.\n    While the overflow content comes from the I2C device rather than\n    being directly attacker-controlled, a 16KB heap overflow can\n    corrupt critical kernel data structures, potentially enabling code\n    execution through heap grooming techniques.\nA:H -A heap buffer overflow of up to ~16KB will corrupt adjacent\n    kernel heap objects, reliably causing kernel crashes (oops/panic)\n    from corrupted metadata or invalid pointer dereferences.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "7d905f150991b1a9c03d2e42c257b3c0986d124d",
      "tree": "3c0a623d95067dd889d68323124fb3d4122859cd",
      "parents": [
        "517b25930d11769396ac2c9e5d869bc17b7ffd61"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:36:34 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23175: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via the\n    setsockopt(IPV6_ADD_MEMBERSHIP) syscall, requiring local access to\n    the system with a CPSW Ethernet interface.\nAC:H -While the WARN_ONCE is deterministic, the actual exploitable\n    UAF requires a race between the attacker\u0027s multicast join and\n    concurrent VLAN modification (vlan_vid_del), which requires\n    CAP_NET_ADMIN privileges the attacker does not control.\nPR:L -Any unprivileged local user can create an IPv6 socket and\n    call setsockopt with IPV6_ADD_MEMBERSHIP — no capability or\n    privilege checks exist along the call path.\nUI:N -No user interaction is required; the attacker triggers the\n    vulnerability entirely through their own socket operations.\nS:U -The vulnerability stays within the kernel security context;\n    there is no crossing of a security boundary such as VM escape or\n    IOMMU bypass.\nC:H -If the race condition is won, the use-after-free on the\n    vlan_info structure allows reading freed/reallocated memory,\n    potentially exposing arbitrary kernel memory contents.\nI:H -A use-after-free on the vlan_info structure enables heap\n    spraying to control the freed object\u0027s contents, providing\n    arbitrary write primitives for control flow hijacking.\nA:H -The use-after-free causes a kernel crash (oops/panic) when\n    accessing freed memory, and even the WARN_ONCE alone causes a panic\n    on systems with panic_on_warn enabled (common in\n    embedded/industrial CPSW deployments).\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "517b25930d11769396ac2c9e5d869bc17b7ffd61",
      "tree": "7e547dd3b99c921899e63452f5f7f097fbd7e2ff",
      "parents": [
        "a3b003709f0d9aca66bdbc207639160a78700c19"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:40:46 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23172: Add CVSS 3.1 score (8.4 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in a PCIe WWAN modem driver (t7xx). Data\n    originates from the local modem device via DMA. While the modem\n    could theoretically be compromised over cellular, the immediate\n    attack vector is the local PCIe device interface, not a network\n    protocol stack.\nAC:L -Once the modem firmware is compromised, triggering the\n    overflow is straightforward — simply send a packet with more than\n    MAX_SKB_FRAGS (17) fragment PIT entries. No race conditions,\n    special timing, or non-default configuration required.\nPR:N -No OS-level privileges or authentication are needed. The\n    modem device sends DMA data autonomously without any credential\n    check from the kernel; the entire RX path from IRQ through NAPI\n    poll to the vulnerable function has zero privilege gates.\nUI:N -No user interaction is required. The vulnerability is\n    triggered automatically during packet reception when the modem\u0027s\n    NAPI poll processes incoming DMA data.\nS:U -The impact stays within the kernel\u0027s security authority. There\n    is no crossing of a virtualization, sandbox, or IOMMU boundary.\nC:H -The heap buffer overflow past the frags[] array (last field in\n    skb_shared_info) corrupts adjacent slab objects with\n    attacker-influenced content (page pointers and sizes), potentially\n    enabling arbitrary kernel memory reads.\nI:H -The overflow writes attacker-controlled skb_frag_t entries\n    (page pointers, offsets, sizes) past the slab allocation boundary,\n    corrupting adjacent kernel objects including potentially slab\n    freelist pointers, enabling arbitrary write primitives and code\n    execution.\nA:H -Corrupting slab metadata or adjacent kernel objects will\n    almost certainly cause a kernel crash or panic, as confirmed by the\n    analogous mt76 CVE which explicitly noted freelist pointer\n    corruption.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a3b003709f0d9aca66bdbc207639160a78700c19",
      "tree": "d5c8e1c5a5870e0318ed882063b11a5cd908109b",
      "parents": [
        "8cefbcfc2c784ff125684f00dd47c6e2d282eeaf"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:42:32 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23171: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via local netlink operations\n    (ip link set ... master) which requires CAP_NET_ADMIN. This is a\n    local attack vector through syscalls/ioctls, not remotely reachable\n    via network packets.\nAC:L -The attacker controls both sides of the race — they trigger\n    the enslave operation and the packet transmit concurrently. The\n    commit confirms it is \"very easy to reproduce\" and crashes \"almost\n    immediately.\" The attacker creates and controls the race conditions.\nPR:L -Requires CAP_NET_ADMIN, but this capability is obtainable by\n    an unprivileged local user through user namespaces (unshare -Urn).\n    Bond interfaces, dummy devices, and XDP programs can all be created\n    within a user/network namespace.\nUI:N -No user interaction is required. The attacker can set up the\n    bond device, XDP program, dummy slave, and trigger the race\n    entirely on their own.\nS:U -The vulnerability affects the kernel within its own security\n    scope. There is no crossing of security boundaries such as VM\n    escape or IOMMU bypass.\nC:H -This is a use-after-free where the freed slave struct is\n    accessed through the transmit array. An attacker can reallocate the\n    freed memory with controlled content via heap spray, potentially\n    reading arbitrary kernel memory through the slave struct\u0027s pointer\n    fields.\nI:H -The use-after-free gives the attacker control over the freed\n    slave object\u0027s contents through heap spraying. The Tx path\n    dereferences pointers from the slave struct (e.g., slave-\u003edev),\n    enabling arbitrary write primitives and potential code execution.\nA:H -The vulnerability causes an immediate kernel oops/crash as\n    demonstrated in the commit message, with access to wild memory\n    addresses. This is trivially reproducible for a denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8cefbcfc2c784ff125684f00dd47c6e2d282eeaf",
      "tree": "e25cc8b48d95240bc989e0ab4ae80d64001a65ab",
      "parents": [
        "cf20da190687b4f77287cca4927c0bb2b304194d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:44:05 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23169: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability requires a local attacker to send a netlink\n    MPTCP_PM_CMD_FLUSH_ADDRS command, which requires CAP_NET_ADMIN\n    (accessible via user namespaces but still local access). The RCU\n    reader side can be triggered by network MPTCP connections, but the\n    flush side requires local netlink access.\nAC:L -The attacker controls both sides of the race — they can issue\n    the netlink flush command while simultaneously establishing MPTCP\n    connections that trigger RCU list traversal. Since the attacker\n    creates and controls the race condition, complexity is low.\nPR:L -The flush_addrs netlink operation uses GENL_UNS_ADMIN_PERM,\n    which checks CAP_NET_ADMIN in the user namespace via\n    netlink_ns_capable(). An unprivileged user can obtain this\n    capability through user namespaces (unshare -Urn).\nUI:N -No user interaction is required. The attacker can trigger\n    both the netlink flush and the MPTCP connection processing\n    independently without any victim action.\nS:U -The vulnerability exists within the kernel and impacts the\n    same security context. There is no crossing of a virtualization or\n    sandbox boundary.\nC:H -This is a use-after-free / list corruption bug where RCU\n    readers access freed mptcp_pm_addr_entry structures. UAF gives the\n    attacker control over freed object contents via heap spraying,\n    enabling arbitrary kernel memory reads.\nI:H -The use-after-free on mptcp_pm_addr_entry structures (which\n    contain function-relevant pointers and a socket pointer) can be\n    exploited via heap spraying to achieve arbitrary write primitives\n    and potentially control flow hijacking.\nA:H -The corrupted list pointers and use-after-free reliably cause\n    kernel crashes (oops/panic) as reported by syzbot, providing a\n    straightforward denial-of-service vector.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "cf20da190687b4f77287cca4927c0bb2b304194d",
      "tree": "73fd443f018fe9ffbcae4b63c16b23adc8e0faad",
      "parents": [
        "9ad7ef4b5ff6e3fae135340707ca1cd4d0abd0df"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 11:51:22 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23161: Add CVSS 3.1 score (7.3 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\n\nAV:L -The vulnerability is in shmem/tmpfs truncation code,\n    reachable through local syscalls (ftruncate, fallocate, truncate)\n    on tmpfs or memfd files. No network path exists.\nAC:L -The attacker controls both sides of the race — one thread\n    performs truncation while another triggers large folio swap-out\n    that changes the entry order. The race is repeatable and the\n    attacker creates the conditions.\nPR:L -Any unprivileged local user can create shmem/tmpfs files via\n    memfd_create() or /dev/shm and perform truncate/fallocate\n    operations on them. No special privileges required.\nUI:N -No user interaction is needed. The attacker independently\n    creates the race condition by performing concurrent operations on\n    their own shmem files.\nS:U -The vulnerability operates within the kernel\u0027s own security\n    authority. There is no crossing of a virtualization or sandbox\n    boundary.\nC:L -Freed swap entries could be reused by other processes, and\n    subsequent swapin of the original file pages could read stale or\n    foreign data, but this is an indirect and limited information leak\n    path.\nI:H -The bug causes truncation to erase data beyond the intended\n    border by freeing swap entries that shouldn\u0027t be freed, directly\n    corrupting file data integrity.\nA:H -The commit author directly observed kernel panics and swapoff\n    hangs during stress testing. The incorrect swap entry freeing\n    causes crashes and system hangs.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9ad7ef4b5ff6e3fae135340707ca1cd4d0abd0df",
      "tree": "baec4f48e1c8ec22621d212b170d8492c5ea19af",
      "parents": [
        "a5ce7723ba6e96cc6dcf4a0e81407d42f8ca7eab"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:19:30 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23148: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The nvmet (NVMe target) subsystem is reachable over the\n    network via nvmet-tcp on TCP port 4420, allowing a remote NVMe-oF\n    initiator to send I/O commands that trigger the vulnerable bio\n    completion path.\nAC:L -The attacker controls both sides of the race by sending\n    concurrent I/O commands at high queue depth over nvmet-tcp; the\n    race between bio completion and request re-submission via the\n    workqueue is reliably triggerable under load, as confirmed by the\n    real crash trace in the commit message.\nPR:N -NVMe-oF over TCP does not require authentication by default;\n    DH-HMAC-CHAP auth is optional and commonly not configured, and the\n    hostnqn in the connect command is an unauthenticated string that\n    can be spoofed.\nUI:N -No user interaction is required; the attacker autonomously\n    sends NVMe I/O commands over the network to trigger the race\n    condition.\nS:U -The vulnerability crashes the kernel within the same security\n    authority; there is no crossing of security boundaries such as VM\n    escape or sandbox bypass.\nC:N -The immediate impact is a NULL pointer dereference crash; no\n    information is disclosed to the attacker as the kernel panics\n    without leaking memory contents back over the network.\nI:N -The bug results in a kernel crash via NULL dereference, not\n    data modification; the bio_uninit zeroing of fields on the live bio\n    does not give the attacker a write primitive that could modify\n    persistent data.\nA:H -The NULL pointer dereference in blk_cgroup_bio_start causes a\n    kernel oops/panic, completely crashing the system and denying\n    service to all users; this is remotely triggerable and repeatable.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a5ce7723ba6e96cc6dcf4a0e81407d42f8ca7eab",
      "tree": "dd923dbe38d03b4aa2ea256544982568fe181941",
      "parents": [
        "ee76c8557ce7b32e813e2a7e725bb38abdde530a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:21:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23139: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The vulnerability is triggered by network packets hitting\n    connlimit rules (xt_connlimit, nft_connlimit) or OVS zone limits. A\n    remote unauthenticated attacker can send a flood of packets to\n    trigger the unbounded list growth.\nAC:L -The attacker fully controls the packet rate needed to bypass\n    GC. The nf_conncount module is only loaded when connlimit is in\n    use, so its deployment inherently implies connlimit rules exist.\n    Exploitation is completely reliable.\nPR:N -No authentication or privileges are needed to send network\n    packets that match connlimit rules. The attack is in the packet\n    processing path, not the rule configuration path.\nUI:N -No user interaction is required. The attacker autonomously\n    sends packets to trigger the vulnerability.\nS:U -The impact (kernel memory exhaustion) stays within the\n    kernel\u0027s security boundary. No cross-boundary impact such as VM\n    escape.\nC:N -This is a resource exhaustion bug where stale connections are\n    never garbage collected. No information is disclosed to the\n    attacker.\nI:N -No data modification or memory corruption occurs. The list\n    simply grows unboundedly but the entries themselves are well-formed.\nA:H -The connection list grows infinitely, exhausting kernel slab\n    memory via unbounded GFP_ATOMIC allocations. This leads to OOM\n    conditions, system instability, and potential kernel panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ee76c8557ce7b32e813e2a7e725bb38abdde530a",
      "tree": "fb1b23ff31a412087166daa4c9877e445fd19315",
      "parents": [
        "305e43fbbb2c6aa6e9e4d508d1e1039fd4f60746"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:23:04 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23136: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -The Ceph OSD client communicates with OSD servers over TCP. A\n    network-level attacker who can disrupt the TCP connection (RST\n    injection) or a malicious/compromised OSD server can trigger the\n    fault during a sparse read operation remotely.\nAC:L -Sparse reads are a normal part of CephFS/RBD operation. An\n    attacker who can disrupt TCP connections can repeatedly do so until\n    one coincides with a sparse read. A malicious OSD server knows\n    exactly when sparse reads are in progress and can reliably trigger\n    the fault.\nPR:N -The attack requires disrupting the TCP connection between\n    client and OSD, which does not require any Ceph authentication\n    credentials. TCP RST injection or network-level connection\n    disruption bypasses CephX authentication entirely.\nUI:N -No user interaction is required. The sparse read operations\n    occur as part of normal CephFS/RBD I/O, and the connection fault is\n    triggered by the attacker without any victim action.\nS:U -The impact is confined to the kernel\u0027s Ceph client losing\n    access to the OSD. There is no cross-boundary impact such as VM\n    escape or sandbox escape.\nC:N -The vulnerability causes a data parsing mismatch that is\n    caught by validation checks, returning clean errors. No information\n    disclosure occurs — the stale state causes misinterpretation of\n    reply framing, not exposure of memory contents.\nI:N -No data modification or memory corruption occurs. The\n    validation checks in the sparse read state machine detect the\n    mismatch and return -EREMOTEIO before any data is written to\n    incorrect locations.\nA:H -The OSD connection enters an infinite, unrecoverable error\n    loop where every retry fails with the same stale state mismatch.\n    All CephFS/RBD I/O to the affected OSD hangs or fails indefinitely,\n    causing persistent denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "305e43fbbb2c6aa6e9e4d508d1e1039fd4f60746",
      "tree": "89418fd1a1a244a1b7fd932cf9fd45ddb387bcbd",
      "parents": [
        "90574ec916b4223cffd044a8d87702c3e394586a"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:32:25 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23112: Add CVSS 3.1 score (9.8 CRITICAL)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:N -nvmet-tcp is an NVMe over TCP target driver that listens on a\n    TCP port and processes incoming network connections. A remote\n    attacker can send crafted NVMe-TCP PDUs to trigger this\n    vulnerability.\nAC:L -The attacker can reliably trigger the out-of-bounds access by\n    sending crafted H2C data PDUs with manipulated data_length values\n    that cause sg_idx to exceed sg_cnt. No race condition or special\n    conditions beyond attacker control are required.\nPR:N -The nvmet-tcp target accepts TCP connections and processes\n    NVMe-TCP protocol PDUs. The vulnerable code path is reached after\n    the initial connection request (icreq) which requires no\n    authentication — the attacker just needs network access to the\n    listening port.\nUI:N -No user interaction is needed. The attacker sends network\n    packets directly to the NVMe-TCP target port.\nS:U -The vulnerability affects the kernel processing NVMe-TCP\n    requests. Impact stays within the same security authority (the\n    kernel/system running the nvmet-tcp target).\nC:H -The out-of-bounds scatterlist read accesses adjacent slab\n    memory, reading page pointers, offsets, and lengths from arbitrary\n    kernel memory. This constitutes an information disclosure primitive\n    and the constructed iovec could expose kernel memory contents.\nI:H -The OOB scatterlist entries are used to build a bio_vec for\n    ITER_DEST (receive direction), meaning attacker-supplied network\n    data is written to kernel pages determined by the OOB sg entries.\n    This provides a potential arbitrary write primitive to kernel\n    memory.\nA:H -The commit message explicitly states the bug leads to GPF\n    (General Protection Fault) and KASAN violations, which cause kernel\n    crashes. A remote attacker can reliably crash the kernel.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "90574ec916b4223cffd044a8d87702c3e394586a",
      "tree": "b3f05223d908e3d1b984b6e1f2cbe03be15ed0c9",
      "parents": [
        "8f90501dfafa44eed0238a27bb5ac411ba7deef8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:32:46 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23111: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -nftables is accessed via nfnetlink socket (netlink),\n    requiring local system access. This is a local attack vector via\n    syscall/netlink interface.\nAC:L -The attacker fully controls the exploitation: they create the\n    nftables rules with catchall map elements and NFT_GOTO verdicts,\n    trigger repeated DELSET abort cycles to decrement chain-\u003euse to\n    zero, then issue DELCHAIN. No race condition or special conditions\n    beyond attacker control are needed.\nPR:L -nftables requires CAP_NET_ADMIN, but this capability is\n    obtainable by an unprivileged user via user namespaces (unshare\n    -Urn) since nfnetlink uses netlink_net_capable() which checks\n    per-namespace capabilities. The commit message explicitly confirms\n    exploitability from unprivileged users.\nUI:N -No user interaction is required. The attacker creates the\n    nftables configuration, triggers the abort, and exploits the UAF\n    entirely on their own.\nS:U -This is a standard local privilege escalation within the\n    kernel. There is no crossing of virtualization or sandbox\n    boundaries (no VM escape or IOMMU bypass).\nC:H -The use-after-free on the nft_chain structure allows the\n    attacker to reclaim the freed memory with controlled data,\n    providing arbitrary kernel memory read primitives. This is a\n    well-known exploitation technique in nftables UAF bugs.\nI:H -The UAF enables heap spraying the freed chain object to gain\n    arbitrary kernel memory write primitives, leading to full code\n    execution in kernel context (local privilege escalation to root).\nA:H -The use-after-free will cause kernel crashes (oops/panic) when\n    the dangling reference to the freed chain is accessed, and the\n    attacker can trigger this reliably.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8f90501dfafa44eed0238a27bb5ac411ba7deef8",
      "tree": "6d36f0b1bdb5e2d8d04819efe084aa513a6182e0",
      "parents": [
        "52d3e1094f309f421dfe12e00779c2a13aa365df"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:37:08 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23105: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -QFQ qdisc configuration is done via tc/netlink (RTM_NEWQDISC,\n    RTM_NEWTCLASS) which requires local system access through netlink\n    sockets. This is not remotely reachable.\nAC:L -The attacker fully controls the conditions needed to trigger\n    the desync between child qdisc qlen and class active state. As\n    demonstrated in the related commit (c1d73b1480235), an attacker can\n    create two QFQ qdiscs sharing a child qdisc and manipulate packet\n    flow to create the exact state inconsistency needed.\nPR:L -TC/qdisc operations require CAP_NET_ADMIN, which is checked\n    via netlink_net_capable() against the network namespace\u0027s user_ns.\n    An unprivileged user can obtain CAP_NET_ADMIN in a user+network\n    namespace via unshare -Urn.\nUI:N -No user interaction is required. The attacker can set up the\n    QFQ qdiscs, enqueue packets, and trigger the vulnerable code path\n    entirely autonomously.\nS:U -The vulnerability affects the kernel within its own security\n    authority. There is no crossing of security boundaries such as VM\n    escape or IOMMU bypass.\nC:H -The state desync can lead to a use-after-free when a class\n    remains linked to a freed aggregate\u0027s active list (path 2: qlen\n    manipulated to 0 while class is still active, skipping deactivation\n    before aggregate destruction). UAF enables the attacker to control\n    freed object contents and achieve arbitrary memory read.\nI:H -The same use-after-free condition allows heap spraying to\n    replace the freed aggregate structure, giving the attacker\n    arbitrary write primitives and potential control flow hijacking\n    through corrupted function pointers or list operations.\nA:H -Both exploit paths lead to kernel crashes: path 1 causes a\n    NULL pointer dereference in qfq_deactivate_agg/qfq_slot_remove when\n    deactivating an already-inactive aggregate, and path 2\u0027s UAF causes\n    crashes when accessing freed memory. The related commit\n    (c1d73b1480235) demonstrates a concrete kernel panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "52d3e1094f309f421dfe12e00779c2a13aa365df",
      "tree": "7871b812af74b68ea759e2ae99dfe9e4c982fd34",
      "parents": [
        "8dc235373c3836f214a1800d46481e768c8403d6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:37:38 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:56 2026 -0400"
      },
      "message": "CVE-2026-23103: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Creating and managing ipvlan devices requires local access\n    via netlink/rtnetlink syscalls. This is not remotely reachable.\nAC:L -The attacker controls both sides of the race by creating\n    multiple ipvlan devices on the same port and triggering concurrent\n    open/address-change operations. The race is reliably reproducible\n    with retries.\nPR:L -ipvlan creation requires CAP_NET_ADMIN, which is obtainable\n    via user namespaces (unshare -Urn) on a veth device. The ns_capable\n    check on the physical device\u0027s user_ns is satisfied when both are\n    in the user\u0027s namespace.\nUI:N -No user interaction is needed. The attacker can create ipvlan\n    devices and trigger the race entirely on their own.\nS:U -This is a standard kernel privilege escalation vulnerability\n    with no security boundary crossing (no VM escape, no IOMMU bypass).\nC:H -The race leads to a use-after-free in the per-port hash table\n    used on the packet data path. The dangling pointer allows reading\n    freed/reallocated memory contents during hash table lookups.\nI:H -The UAF in the hash table allows an attacker to reallocate the\n    freed ipvl_addr structure with controlled data, enabling heap\n    spraying and potential code execution through corrupted hash table\n    entries.\nA:H -The dangling pointer in the hash table will cause a kernel\n    crash when the freed memory is accessed during packet processing,\n    leading to a kernel oops or panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "8dc235373c3836f214a1800d46481e768c8403d6",
      "tree": "58ecbef62b61b38a4cb794ac9476d6fbfd081828",
      "parents": [
        "d3bc95112642108ae33642e98d550aad7702e110"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:41:01 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23095: Add CVSS 3.1 score (7.5 HIGH)\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\nAV:N -GUE processes incoming UDP packets from the network. Once a\n    GUE tunnel is configured (its intended purpose in datacenter/cloud\n    deployments), any remote attacker can send crafted UDP packets to\n    the GUE port to trigger the leak.\nAC:L -The attacker simply sends a UDP packet with a GUE header\n    containing proto_ctype\u003d0. No race conditions, no special timing,\n    and no conditions beyond the attacker\u0027s control once the GUE tunnel\n    endpoint exists.\nPR:N -No authentication or privileges are needed to send UDP\n    packets to a GUE tunnel endpoint. The vulnerability is in the\n    packet receive path which processes all incoming packets without\n    any authentication gate.\nUI:N -No user interaction is required. The vulnerability is\n    triggered purely by receiving a crafted network packet.\nS:U -The vulnerability affects kernel memory within the same\n    security authority. No scope boundary (VM, sandbox, IOMMU) is\n    crossed.\nC:N -This is a pure memory leak — the skb is not freed but no\n    memory contents are disclosed to the attacker. There is no\n    information disclosure path.\nI:N -This is a memory leak, not a memory corruption. No kernel data\n    structures are modified or corrupted; the skb simply becomes\n    unreachable and is never freed.\nA:H -The attacker can repeatedly send crafted GUE packets over the\n    network at high rate, each leaking ~240 bytes of kernel memory.\n    This amplifiable, remotely-triggered leak can exhaust kernel memory\n    causing OOM conditions and system-wide denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d3bc95112642108ae33642e98d550aad7702e110",
      "tree": "ee73394f03a0b46ae953bab9c6a292565fcd0182",
      "parents": [
        "f529b698a38a049bff720e3732d2e10aecc8b97d"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 12:41:19 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23098: Add CVSS 3.1 score (8.8 HIGH)\n\nCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nAV:A -AX.25 is a link-layer protocol reachable via radio links or\n    BPQ Ethernet (same LAN segment). NET/ROM runs on top of AX.25 and\n    while it provides routing across hops, the entry point requires\n    adjacency to the AX.25 network.\nAC:L -The double-free triggers deterministically when\n    ax25_send_frame() returns NULL due to the neighbor device lacking\n    AX.25 configuration. Syzbot reproduced this reliably, and no race\n    condition or special memory layout is required.\nPR:N -No authentication or privilege checks exist on the AX.25\n    receive path. Any station on the AX.25 network can send frames that\n    are processed through the vulnerable code path without credentials.\nUI:N -The vulnerability triggers during normal packet processing\n    when a NET/ROM routing frame is received. No victim action is\n    required.\nS:U -This is a standard kernel memory corruption bug that does not\n    cross security boundaries like VM or IOMMU isolation.\nC:H -A double-free on sk_buff gives the attacker control over freed\n    heap objects, enabling arbitrary memory read through heap spraying\n    techniques.\nI:H -The double-free enables heap corruption and arbitrary write\n    primitives through slab allocator manipulation, potentially leading\n    to kernel code execution.\nA:H -The double-free causes immediate kernel memory corruption\n    leading to a crash, panic, or oops, providing reliable denial of\n    service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f529b698a38a049bff720e3732d2e10aecc8b97d",
      "tree": "e38c242e3508985918028db7514b4daf7a8766ab",
      "parents": [
        "f901f2836d9a11327ca7d44409d6a32e9eec9f07"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 13:18:20 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23077: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via the mremap() syscall,\n    which requires local access to the system. There is no network or\n    adjacent network path to reach this code.\nAC:L -The attacker can deterministically set up the required VMA\n    layout (faulted VMA adjacent to unfaulted VMA) and trigger the bug\n    with mremap(MREMAP_DONTUNMAP). Syzbot found this automatically,\n    confirming reliable reproducibility.\nPR:L -The mremap() syscall is available to any unprivileged local\n    user. No special capabilities or root privileges are required to\n    trigger this vulnerability.\nUI:N -No user interaction is required. The attacker can trigger the\n    vulnerability entirely through their own syscall sequence.\nS:U -This is a standard kernel memory corruption vulnerability. It\n    does not cross security boundaries like VM escape or IOMMU bypass.\nC:H -The use-after-free on anon_vma gives the attacker control over\n    freed object contents via heap spraying, enabling arbitrary kernel\n    memory reads through the dangling folio references.\nI:H -The use-after-free enables heap spraying where\n    attacker-controlled data replaces the freed anon_vma, providing\n    arbitrary write primitives and potential control flow hijacking\n    through corrupted kernel structures.\nA:H -The use-after-free causes kernel crashes when the dangling\n    anon_vma pointers are accessed, leading to kernel oops or panic.\n    Syzbot confirmed crashes from this bug.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f901f2836d9a11327ca7d44409d6a32e9eec9f07",
      "tree": "56a3c92c6ba446c051ce632bea00abbd1f335c38",
      "parents": [
        "6e220505637a59f35251f4e8053f9b9ee5ca1bfa"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 13:27:52 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23074: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -This vulnerability is exploited via tc/netlink (RTM_NEWQDISC)\n    to configure qdiscs, which requires local access through the\n    netlink socket interface.\nAC:L -The attacker controls the entire setup: creating the QFQ root\n    with teql child, sending packets, and triggering the class change\n    after netem delay. All sides of the race are attacker-controlled,\n    making exploitation reliable.\nPR:L -Configuring qdiscs requires CAP_NET_ADMIN, but\n    netlink_net_capable() checks against the network namespace\u0027s\n    user_ns, so an unprivileged user can obtain this capability via\n    user namespaces (unshare -Urn).\nUI:N -No user interaction is required; the attacker sets up the\n    qdisc hierarchy, sends packets, and triggers the UAF entirely on\n    their own.\nS:U -The vulnerability results in kernel memory corruption within\n    the same security context (kernel space). There is no crossing of a\n    virtualization or sandbox boundary.\nC:H -The use-after-free allows the attacker to control freed object\n    contents via heap spraying, enabling arbitrary kernel memory reads.\nI:H -The use-after-free enables heap spraying and arbitrary write\n    primitives, which can be leveraged for control flow hijacking and\n    kernel code execution.\nA:H -The use-after-free causes kernel crashes (accessing dangling\n    pointers) and can result in kernel panics, providing high\n    availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "6e220505637a59f35251f4e8053f9b9ee5ca1bfa",
      "tree": "ce76c0337f61f2affb752d83b9e1d0654acd4c10",
      "parents": [
        "268bcd28120d991473e9080cfc0b07cfe6a46ad4"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 13:37:01 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23066: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via the recvmsg() syscall on a\n    local AF_RXRPC socket. The attacker must create a local socket and\n    call recvmsg() with specific flags (MSG_DONTWAIT, MSG_PEEK).\nAC:L -The attacker controls both sides of the race condition — they\n    can have one thread hold the call\u0027s user_mutex while another thread\n    calls recvmsg() with MSG_DONTWAIT, reliably triggering the\n    unconditional requeue and list corruption.\nPR:L -No capability checks exist in rxrpc_create(). Any\n    unprivileged local user can create an AF_RXRPC socket and trigger\n    the bug through recvmsg() with specific flags.\nUI:N -No user interaction is required. The attacker can trigger the\n    vulnerability entirely on their own by opening a socket and calling\n    recvmsg() from multiple threads.\nS:U -The vulnerability affects the kernel within the same security\n    authority. No security boundary (VM, sandbox) is crossed.\nC:H -The use-after-free allows reading freed and potentially\n    reallocated memory, providing arbitrary memory read primitives\n    through heap spraying techniques.\nI:H -The use-after-free and list corruption allow arbitrary write\n    primitives via heap spraying, enabling control flow hijacking and\n    arbitrary code execution in kernel context.\nA:H -List corruption and use-after-free reliably cause kernel\n    crashes (oops/panic), and refcount underruns lead to premature\n    object destruction causing further crashes.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "268bcd28120d991473e9080cfc0b07cfe6a46ad4",
      "tree": "b8bab018dc198cae1007e33379aa6a2ced7c302e",
      "parents": [
        "72c9ffa5a6481e637506c6c4a3d598ae83d583fd"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:55:59 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 14:58:55 2026 -0400"
      },
      "message": "CVE-2026-23013: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in a PCI device driver (Marvell Octeon\n    EP VF) triggered via ndo_open when bringing up the network\n    interface locally. It is not reachable remotely via network packets.\nAC:H -Exploitation requires request_irq() to fail partway through\n    the loop (some IRQs allocated, then one fails), which depends on\n    system resource conditions the attacker cannot reliably control.\nPR:L -Bringing up a VF network interface requires CAP_NET_ADMIN. In\n    SR-IOV/container environments, VFs are commonly assigned to\n    containers where users have CAP_NET_ADMIN via network namespaces,\n    making this reachable without real root.\nUI:N -No user interaction is required; the attacker directly brings\n    up the network interface.\nS:U -The vulnerability impacts the kernel within the same security\n    authority; no security boundary (VM, sandbox) is crossed.\nC:H -The use-after-free in the IRQ handler allows reading freed\n    ioq_vector memory, which could be reallocated with\n    attacker-controlled content, enabling arbitrary kernel memory\n    disclosure.\nI:H -The use-after-free allows the IRQ handler to operate on\n    attacker-controlled data via heap spraying the freed ioq_vector,\n    potentially enabling control flow hijacking and code execution.\nA:H -The use-after-free will crash the kernel when the interrupt\n    handler dereferences freed/corrupted memory, causing an oops or\n    panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "45bd8cad78e84e1987c663e0a1e261bd17e07eba",
      "tree": "032203ba25f579cd98b72ce0fa200a67379b6431",
      "parents": [
        "bad70478a0c6f93acbc5381c8ee36ccba7a64d65"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Apr 02 16:45:03 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Apr 02 16:45:03 2026 +0200"
      },
      "message": "update cvelistV5\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "bad70478a0c6f93acbc5381c8ee36ccba7a64d65",
      "tree": "f5a5aed06954923b6b811ce85910947031b2a92d",
      "parents": [
        "72c9ffa5a6481e637506c6c4a3d598ae83d583fd"
      ],
      "author": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Apr 02 16:44:47 2026 +0200"
      },
      "committer": {
        "name": "Greg Kroah-Hartman",
        "email": "gregkh@linuxfoundation.org",
        "time": "Thu Apr 02 16:44:47 2026 +0200"
      },
      "message": "update records based on new cvss scores\n\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n"
    },
    {
      "commit": "72c9ffa5a6481e637506c6c4a3d598ae83d583fd",
      "tree": "0e92f4c678e32b31c73b2a13740137b8a377ca72",
      "parents": [
        "79b4135c42c2351290ef51638dcce876e24de3f6"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:30:02 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-31788: Add CVSS 3.1 score (8.2 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\nAV:L -The attacker must have local access to the Xen guest VM to\n    open /dev/xen/privcmd and issue ioctls. This is a local device file\n    accessed via ioctl.\nAC:L -The attacker can reliably open /dev/xen/privcmd and issue\n    arbitrary hypercalls via IOCTL_PRIVCMD_HYPERCALL. No special\n    conditions or race timing required.\nPR:H -The /dev/xen/privcmd device is typically restricted to root\n    access. The attacker needs root privileges within the Xen guest VM,\n    and this cannot be obtained through user namespaces since it\n    requires real access to the Xen device node.\nUI:N -No user interaction is required. The root attacker in the\n    guest VM can directly open the device and issue hypercalls without\n    any victim action.\nS:C -This vulnerability allows bypassing Secure Boot/Lockdown\n    protections. A root user who should be constrained by Secure Boot\n    from modifying kernel memory can use privcmd hypercalls to cross\n    that security boundary and modify kernel memory, defeating the\n    Lockdown security model.\nC:H -Arbitrary hypercalls can be used to read kernel memory\n    contents in the guest, providing full confidentiality compromise of\n    kernel data that Secure Boot/Lockdown is designed to protect.\nI:H -The commit explicitly states the vulnerability allows \"a root\n    user process to modify e.g. kernel memory contents.\" Arbitrary\n    hypercalls enable writing to kernel memory, providing full\n    integrity compromise.\nA:H -With the ability to issue arbitrary hypercalls and modify\n    kernel memory, the attacker can crash the guest kernel or cause\n    denial of service trivially.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "79b4135c42c2351290ef51638dcce876e24de3f6",
      "tree": "48cf4192973a9bb2fedb0c6b856047a0a4efb49d",
      "parents": [
        "342a33c31bf36572c07b86f3cb1a028f5454ad02"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:36:56 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23411: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in apparmorfs, a local filesystem\n    interface at /sys/kernel/security/apparmor/. Exploitation requires\n    local system access to perform filesystem operations (open, read,\n    mkdir, rmdir).\nAC:L -The attacker controls both sides of the race — they can\n    concurrently open/read apparmorfs files and remove\n    profiles/namespaces. Per kernel guidance, race conditions where the\n    attacker controls both sides are AC:L.\nPR:L -In container environments with AppArmor namespaces (LXD, some\n    Kubernetes), container root (effectively low-privileged from host\n    perspective) has matching AA namespace levels and can manage\n    AppArmor policy within its namespace with default\n    unprivileged_userns_apparmor_policy\u003d1.\nUI:N -No user interaction is needed. The attacker triggers both the\n    file access and the profile/namespace removal concurrently without\n    requiring any victim action.\nS:U -This is a standard kernel privilege escalation via\n    use-after-free in the AppArmor subsystem. The vulnerability and\n    impact are within the same security authority (kernel space).\nC:H -The use-after-free gives the attacker control over freed\n    object contents through heap spraying, enabling arbitrary kernel\n    memory reads.\nI:H -The use-after-free enables heap spraying to control freed\n    objects, providing arbitrary write primitives and potential control\n    flow hijacking for kernel code execution.\nA:H -The use-after-free causes kernel crashes (accessing\n    freed/corrupted memory leads to oops or panic) even without full\n    exploitation.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "342a33c31bf36572c07b86f3cb1a028f5454ad02",
      "tree": "df2191c908d94fa7903bdb8b448895b15bcf4497",
      "parents": [
        "a88ba385837116bd22227c0fc5fca236696d52be"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:39:35 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23410: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is in AppArmor\u0027s securityfs interface,\n    which is only accessible locally via filesystem operations\n    (open/read on /sys/kernel/security/apparmor/ rawdata files). No\n    network or adjacent attack vector exists.\nAC:L -The attacker controls both sides of the race — they can open\n    rawdata files and simultaneously remove profiles in their own\n    namespace. The race can be retried indefinitely, making\n    exploitation reliable.\nPR:L -With default unprivileged_userns_apparmor_policy\u003d1, an\n    unprivileged local user can create a user namespace, obtain\n    CAP_MAC_ADMIN within it, load/remove profiles, and trigger the race\n    without real root privileges.\nUI:N -No user interaction is required. The attacker can trigger\n    both sides of the race (opening rawdata files and removing\n    profiles) entirely autonomously.\nS:U -This is a standard kernel privilege escalation within the same\n    security authority (kernel context). No VM escape, IOMMU bypass, or\n    sandbox boundary crossing is involved.\nC:H -The use-after-free allows the attacker to control the contents\n    of the freed aa_loaddata allocation via heap spraying, enabling\n    arbitrary kernel memory reads and information disclosure.\nI:H -The use-after-free enables heap spraying to place\n    attacker-controlled data in the freed allocation, providing\n    arbitrary write primitives and potential code execution in kernel\n    context.\nA:H -The use-after-free causes access to freed memory which\n    reliably triggers kernel crashes (oops/panic), especially since\n    kfree_sensitive zeros the freed memory, causing NULL pointer\n    dereferences on the stale data.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a88ba385837116bd22227c0fc5fca236696d52be",
      "tree": "b6d43799defa6dbbbfe4a58b91889a13483e1a3b",
      "parents": [
        "d3370bf9cc3e6351c5712871d35cfcaf11bc01a7"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:44:15 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23408: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered by writing to AppArmor\u0027s\n    securityfs interface (.load or .replace files), which requires\n    local system access.\nAC:L -The double free is deterministic and triggered reliably by\n    loading a policy where ent-\u003ens_name is set and ns_name is NULL\n    after aa_unpack(). No race condition or special conditions are\n    needed.\nPR:L -CAP_MAC_ADMIN is required but can be obtained via user\n    namespaces with the default unprivileged_userns_apparmor_policy\u003d1\n    setting, making this reachable by unprivileged local users.\nUI:N -No user interaction is required; the attacker can trigger the\n    vulnerability entirely by loading crafted AppArmor policy data.\nS:U -The vulnerability stays within the kernel\u0027s security\n    authority; there is no crossing of a security boundary like a VM\n    escape or sandbox escape.\nC:H -A double free enables use-after-free conditions where the\n    attacker can control freed object contents via heap spraying,\n    allowing arbitrary kernel memory reads.\nI:H -The double free enables heap corruption and arbitrary write\n    primitives through heap spraying, potentially allowing kernel code\n    execution.\nA:H -A double free causes immediate kernel heap corruption which\n    can lead to kernel crashes (panic/oops) even without deliberate\n    exploitation.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d3370bf9cc3e6351c5712871d35cfcaf11bc01a7",
      "tree": "4c4e2a9bbb3b499dda58a772d841e8b6909580cd",
      "parents": [
        "ce1c1c8539bd88b0319061aa320e466aaa4a9390"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:46:04 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23407: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered by writing a crafted AppArmor\n    policy to the securityfs interface\n    (`/sys/kernel/security/apparmor/.load` or `.replace`), which\n    requires local system access.\nAC:L -The attacker fully controls the malformed DFA data\n    (DEFAULT_TABLE entries) supplied in the crafted policy. No race\n    conditions or unpredictable conditions are involved — the OOB\n    access is deterministic.\nPR:L -AppArmor policy loading requires CAP_MAC_ADMIN, but the\n    kernel default `unprivileged_userns_apparmor_policy\u003d1` allows this\n    capability to be obtained via unprivileged user namespaces, making\n    it reachable by an unprivileged local user.\nUI:N -No user interaction is required; the attacker can craft and\n    load the malicious AppArmor policy entirely on their own.\nS:U -The vulnerability results in kernel heap corruption within the\n    same security authority (kernel space). No virtualization or\n    sandbox boundary is crossed.\nC:H -The OOB read from `DEFAULT_TABLE(dfa)[j]` and\n    `BASE_TABLE(dfa)[j]` allows reading arbitrary kernel heap memory\n    beyond the allocated DFA tables, enabling kernel address/data\n    disclosure.\nI:H -The OOB write via `BASE_TABLE(dfa)[j] |\u003d MARK_DIFF_ENCODE`\n    corrupts kernel heap memory at attacker-controlled offsets,\n    providing a write primitive that could be leveraged for code\n    execution.\nA:H -The OOB memory access causes kernel oops/crash as demonstrated\n    by the KASAN report, resulting in system denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ce1c1c8539bd88b0319061aa320e466aaa4a9390",
      "tree": "29e763b4b818f0c5244a42dd5868da9778d9b912",
      "parents": [
        "f5ecc24a5acfaf8e75611047a34c36a69bb43a3f"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 05:58:21 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23406: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through the file open syscall\n    (openat) which goes through AppArmor\u0027s DFA matching on file paths.\n    This requires local system access.\nAC:L -The bug is deterministic — any file path that triggers a\n    differential encoding chain traversal in the AppArmor DFA will\n    cause character skipping and OOB reads. The attacker reliably\n    triggers it by opening files on systems with standard AppArmor\n    policies using differential encoding.\nPR:L -Any unprivileged local user confined by an AppArmor profile\n    can trigger this by performing normal file operations (e.g.,\n    opening files). No special privileges are required.\nUI:N -No user interaction is needed. The attacker simply opens\n    files, and AppArmor\u0027s DFA matching is triggered automatically as\n    part of the security hook.\nS:U -The vulnerability is in the kernel\u0027s AppArmor security module\n    and impacts kernel memory and kernel-enforced access control, all\n    within the same security authority (kernel space).\nC:H -The OOB read accesses kernel slab memory past the input buffer\n    boundary, potentially reading unbounded amounts of adjacent kernel\n    heap data. While the data is used as DFA indices rather than\n    returned directly, the permission decision outcome can serve as an\n    oracle.\nI:H -The incorrect DFA matching (skipping input characters) causes\n    AppArmor to evaluate the wrong path against policy rules,\n    potentially allowing file access that should be denied —\n    effectively a mandatory access control policy bypass.\nA:H -The OOB read can advance the pointer past the slab allocation\n    and potentially into unmapped memory, causing a kernel crash as\n    demonstrated by the KASAN slab-out-of-bounds report in the commit\n    message.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "f5ecc24a5acfaf8e75611047a34c36a69bb43a3f",
      "tree": "012fbe77ec6ed069a85d911c44f330093f8199b3",
      "parents": [
        "ebdf205b8f1dc18eeb21ac22a9ba345d74a89c15"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:08:50 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23393: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability requires local access to configure bridge\n    CFM via netlink (RTM_SETLINK requiring CAP_NET_ADMIN) and send CFM\n    frames on virtual bridge interfaces, all achievable from a local\n    user namespace.\nAC:L -The attacker controls both sides of the race — they can\n    simultaneously delete peer MEPs via netlink and send CFM frames on\n    virtual bridge port interfaces, making the race reliably\n    triggerable.\nPR:L -CAP_NET_ADMIN is required for bridge CFM configuration, but\n    it is obtainable via user namespaces (unshare -Urn) since\n    netlink_net_capable checks against the namespace\u0027s user_ns.\nUI:N -No user interaction is needed; the attacker can set up the\n    bridge, configure CFM, and trigger the race entirely autonomously.\nS:U -This is a standard kernel use-after-free with no\n    cross-boundary impact such as VM escape or IOMMU bypass.\nC:H -The use-after-free allows the attacker to read freed memory\n    that may be reallocated with controlled data, enabling arbitrary\n    kernel memory disclosure.\nI:H -The use-after-free on the peer_mep structure enables heap\n    spraying and potential arbitrary write primitives through control\n    of the freed object\u0027s contents.\nA:H -The use-after-free causes ccm_rx_work_expired to operate on\n    freed memory, reliably causing a kernel crash or panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ebdf205b8f1dc18eeb21ac22a9ba345d74a89c15",
      "tree": "cf167fbf8921c7f2dc926cccc95fafeb9e225302",
      "parents": [
        "fe0bee2478f87ef2567ea9e46043dce204dbee6f"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:09:07 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23392: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -nftables is accessed via netlink sockets\n    (NFNL_SUBSYS_NFTABLES), requiring local system access through the\n    netlink interface.\nAC:L -The attacker controls both sides of the race: they trigger\n    the flowtable creation error path (via duplicate hooks causing\n    EEXIST) and concurrently perform nfnetlink_hook dumps. Since the\n    attacker controls both racing operations, complexity is Low.\nPR:L -nftables is reachable from unprivileged user namespaces\n    (unshare -Urn), so only basic unprivileged user access is required.\nUI:N -No user interaction is needed; the attacker can trigger the\n    flowtable creation and concurrent hook dump entirely on their own.\nS:U -This is a standard kernel use-after-free vulnerability within\n    the same security authority (kernel space); it does not cross a\n    security boundary like a VM escape.\nC:H -Use-after-free of the nft_flowtable heap object allows an\n    attacker to control freed object contents via heap spraying,\n    enabling arbitrary kernel memory reads.\nI:H -Use-after-free enables heap spraying to place\n    attacker-controlled data in the freed flowtable object, providing\n    arbitrary write primitives and potential control flow hijacking.\nA:H -Use-after-free reliably causes kernel crashes (oops/panic)\n    when the freed flowtable memory is accessed by RCU readers on the\n    packet path or nfnetlink_hook dump.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "fe0bee2478f87ef2567ea9e46043dce204dbee6f",
      "tree": "f57a0e2f07024341c40277afca27bffd94e7a1ec",
      "parents": [
        "a793005d01baa06f783a6e5534bd579af144fb25"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:10:22 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23391: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Requires local access to configure iptables rules (CT target\n    with helper/timeout) and NFQUEUE via netlink/setsockopt syscalls.\n    Not remotely exploitable.\nAC:L -The attacker controls both sides of the race — they set up\n    the NFQUEUE and CT rules, send packets to fill the queue, then\n    remove the CT rule to trigger the UAF. No conditions beyond\n    attacker control.\nPR:L -Requires CAP_NET_ADMIN, but ip_tables.c uses\n    ns_capable(sock_net(sk)-\u003euser_ns, CAP_NET_ADMIN), making it\n    reachable from unprivileged user namespaces (unshare -Urn).\nUI:N -No user interaction required. The attacker can set up rules,\n    send packets, and remove rules entirely on their own.\nS:U -Standard kernel privilege escalation within the same security\n    authority. No VM escape, IOMMU bypass, or sandbox escape involved.\nC:H -Use-after-free on the helper/timeout objects allows reading\n    freed and potentially reallocated memory, enabling arbitrary kernel\n    memory disclosure through heap spraying.\nI:H -Use-after-free enables heap spraying — attacker can reclaim\n    the freed helper/timeout object with controlled data, achieving\n    arbitrary write primitives and code execution.\nA:H -Use-after-free reliably causes kernel crashes when the freed\n    helper or timeout object is dereferenced through the dangling\n    template pointer.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a793005d01baa06f783a6e5534bd579af144fb25",
      "tree": "1764ed59d80778781d82c091fa5d7c99c0b782cd",
      "parents": [
        "90e4b2a3a146bb7798a951f1c3d4b0b8c782a069"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:17:57 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23383: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -BPF is accessed via the bpf() syscall, requiring local system\n    access. There is no remote or adjacent network path to trigger BPF\n    program loading or trampoline attachment.\nAC:L -The attacker controls both sides of the race — they load the\n    BPF program (creating the misaligned PLT) and trigger the text_poke\n    (by attaching a trampoline). The ~50% misalignment chance is\n    overcome by loading multiple programs. No conditions beyond\n    attacker control are needed.\nPR:L -While CAP_BPF and CAP_PERFMON are required, the BPF token\n    delegation mechanism allows these capabilities to be granted to\n    users in user namespaces. This is a supported, reasonable\n    deployment scenario for containerized BPF workloads.\nUI:N -No user interaction is required. The attacker independently\n    loads BPF programs and attaches trampolines.\nS:U -The vulnerability results in kernel-level control flow\n    corruption within the same security authority. No VM escape, IOMMU\n    bypass, or sandbox boundary crossing occurs.\nC:H -The torn PLT target causes a kernel-mode jump to a corrupted\n    address, which is a control-flow hijack in kernel context. This\n    could be leveraged to read arbitrary kernel memory through code\n    execution.\nI:H -A kernel-mode jump to a corrupted address constitutes\n    control-flow hijacking that could be leveraged for arbitrary code\n    execution in kernel context, enabling arbitrary memory writes.\nA:H -Jumping to a corrupted address in kernel mode will almost\n    certainly cause a kernel panic/oops, resulting in complete denial\n    of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "90e4b2a3a146bb7798a951f1c3d4b0b8c782a069",
      "tree": "16bf0e9dfd474b47dea1e983f72aa54c2995c6e8",
      "parents": [
        "14fce9385829a63a063c802337d64e1084e8ae29"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:18:52 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23378: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -This is a tc/netlink (net/sched) action bug triggered via\n    RTM_NEWTFILTER or RTM_NEWACTION netlink messages, requiring local\n    system access.\nAC:L -The attacker fully controls both sides of the race (replace\n    operations and packet sending). Even without a race, repeated\n    replace deterministically grows the metalist causing the u16\n    metalen overflow and OOB write.\nPR:L -While CAP_NET_ADMIN is needed, the tc filter path\n    (RTM_NEWTFILTER) uses netlink_net_capable() which checks per-netns\n    user_ns, so an unprivileged user can obtain CAP_NET_ADMIN via\n    user+network namespace (unshare -Urn).\nUI:N -No user interaction is needed; the attacker creates the IFE\n    action, performs replace operations, and sends packets through the\n    interface entirely on their own.\nS:U -This is a standard kernel memory corruption leading to\n    potential privilege escalation within the same security authority\n    (kernel context), not crossing a VM or sandbox boundary.\nC:H -The slab-out-of-bounds write corrupts adjacent heap objects,\n    which can be leveraged via heap spraying techniques to gain\n    arbitrary memory read primitives.\nI:H -The slab-out-of-bounds write enables overwriting adjacent\n    kernel heap objects, providing arbitrary write primitives and\n    potential kernel code execution through control flow hijacking.\nA:H -The KASAN report directly confirms a kernel crash\n    (slab-out-of-bounds write in ife_tlv_meta_encode), and the bug is\n    trivially reproducible by repeated IFE action replacement.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "14fce9385829a63a063c802337d64e1084e8ae29",
      "tree": "6407bd7f1182a31f8a91b7e325f3921474c33591",
      "parents": [
        "a8ca0b5e145572ac7b22bc24888e7c5a9b012863"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:23:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23372: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The attacker needs local access to create an AF_NFC socket\n    and perform socket operations (connect, sendmsg, close). NFC is the\n    affected subsystem but the exploit entry is through local syscalls.\nAC:L -The attacker controls both sides of the race — they schedule\n    tx_work via sendmsg() then immediately close the socket. The race\n    is reliably triggerable by the attacker.\nPR:L -Creating a SOCK_SEQPACKET NFC socket requires no capabilities\n    (only SOCK_RAW requires CAP_NET_RAW). Any unprivileged local user\n    in the init network namespace can create and use these sockets.\nUI:N -No user interaction needed. The attacker opens, connects,\n    sends, and closes the NFC socket entirely on their own.\nS:U -Standard kernel use-after-free within the same security\n    authority (kernel privilege escalation). No cross-boundary escape\n    such as VM or sandbox escape.\nC:H -UAF on a struct containing function pointers (nfc_dev with\n    dev-\u003eops) allows an attacker to read arbitrary kernel memory via\n    heap spray techniques placing controlled data in the freed\n    allocation.\nI:H -The UAF dereferences dev-\u003eops-\u003eim_transceive, a function\n    pointer on freed memory. Via heap spraying, the attacker can hijack\n    this function pointer to achieve arbitrary code execution in kernel\n    context.\nA:H -Use-after-free on kernel objects causes kernel crash/oops when\n    the freed memory is dereferenced, leading to denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "a8ca0b5e145572ac7b22bc24888e7c5a9b012863",
      "tree": "6395e6ccd8715e8458142867082dca06f9008264",
      "parents": [
        "9b84fb9192cd3aad5fb47a845e35ce86d702db42"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:27:33 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23364: Add CVSS 3.1 score (7.4 HIGH)\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\n\nAV:N -ksmbd is the in-kernel SMB server listening on TCP port 445,\n    directly reachable by any network attacker.\nAC:H -This is a timing side-channel attack requiring many network\n    requests to statistically distinguish memcmp() early-return timing\n    differences; network jitter is beyond the attacker\u0027s control and\n    adds noise that significantly increases exploitation difficulty.\nPR:N -The most critical vulnerable comparison (NTLMv2 MAC in\n    ksmbd_auth_ntlmv2) is reached during the SMB session setup\n    authentication handshake, before any credentials are verified — no\n    prior privileges are needed.\nUI:N -The attacker directly sends SMB authentication requests to\n    the ksmbd server; no victim user action is required.\nS:U -The vulnerability and its impact remain within the\n    ksmbd/kernel security authority; no security boundary is crossed.\nC:H -Successful timing attack on the NTLMv2 MAC comparison enables\n    authentication bypass, granting the attacker full read access to\n    all SMB-shared files and data.\nI:H -Authentication bypass via forged NTLMv2 response grants write\n    access to SMB shares, allowing arbitrary modification of shared\n    data.\nA:N -The timing side-channel itself causes no crashes, hangs, or\n    denial of service; it only leaks timing information about MAC\n    correctness.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9b84fb9192cd3aad5fb47a845e35ce86d702db42",
      "tree": "1d5862afeb1278b87a36bece1aff0efeb7891f89",
      "parents": [
        "2dc531509e373d3c31c273b47c8c2da4cd88474c"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:37:40 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23350: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is reached via the\n    DRM_IOCTL_XE_EXEC_QUEUE_CREATE ioctl on the Intel Xe GPU render\n    node (/dev/dri/renderD*), which requires local system access.\nAC:L -The attacker can trigger xe_lrc_create() failure through\n    memory pressure (controllable by a local user) or by using a width\n    \u003e 1 to increase allocation failure probability. No race condition\n    or uncontrollable preconditions are required.\nPR:L -The ioctl is DRM_RENDER_ALLOW, accessible to any unprivileged\n    user who can open the render node device file, which is typically\n    world-accessible on systems with Intel GPUs.\nUI:N -No user interaction is needed; the attacker directly invokes\n    the ioctl.\nS:U -The vulnerability affects the kernel within its own security\n    authority; there is no VM escape or sandbox boundary crossing.\nC:H -This is a use-after-free where the freed queue object remains\n    in the exec_queue_lookup xarray. An attacker can reclaim the freed\n    slab with controlled data, enabling arbitrary kernel memory reads\n    through the stale pointer.\nI:H -The use-after-free allows heap spraying to control the freed\n    object\u0027s contents, enabling arbitrary write primitives and\n    potential code execution when the GuC submission code operates on\n    the stale queue pointer.\nA:H -Accessing the freed queue through the dangling pointer in\n    exec_queue_lookup will cause invalid memory references, leading to\n    kernel crashes or panics.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "2dc531509e373d3c31c273b47c8c2da4cd88474c",
      "tree": "eac1ad3b1931699c014485c9a867bbefce78a3fa",
      "parents": [
        "d22a31c6a2eda9b5c6a1dee4c5fa2e148c558fc9"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:38:15 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23351: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -nftables is accessed via netlink sockets from local system\n    access; it is not reachable directly from the network without local\n    shell access.\nAC:L -The attacker controls both sides: they create nftables sets\n    with expiring elements and trigger commits while sending packets\n    through the rules. The UAF window is wide (between RCU callback\n    completion and pointer swap), making exploitation reliable.\nPR:L -nftables requires CAP_NET_ADMIN, which is obtainable by an\n    unprivileged user via user namespaces (unshare -Urn), as confirmed\n    by netlink_net_capable() checking against the namespace\u0027s user_ns.\nUI:N -No user interaction is needed; the attacker creates the\n    nftables rules, elements with expiration, and triggers the commit\n    and packet flow entirely on their own.\nS:U -This is a standard kernel memory corruption vulnerability; it\n    does not cross a security boundary such as a VM or sandbox escape.\nC:H -The use-after-free allows the freed nft_pipapo_elem slab to be\n    reallocated with attacker-controlled content; the packet path reads\n    from the freed structure\u0027s nft_set_ext fields, enabling arbitrary\n    kernel memory disclosure.\nI:H -The use-after-free enables heap spraying of the freed\n    element\u0027s slab; attacker-controlled data in nft_set_ext offset\n    fields can redirect reads/writes, providing arbitrary write\n    primitives for code execution.\nA:H -The commit message explicitly reports \"soft lockup warnings\n    and RCU stall reports (local denial of service)\" and the UAF itself\n    causes kernel crashes when freed memory is accessed with corrupted\n    contents.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "d22a31c6a2eda9b5c6a1dee4c5fa2e148c558fc9",
      "tree": "8bf5f8635391f4be75128c06bd8ceecf70bd4f36",
      "parents": [
        "dbdc29cabde6b8e3c45e16e2062eefae982551fa"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:43:57 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23340: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Triggered via ethtool netlink (ETHTOOL_MSG_CHANNELS_SET)\n    which requires local access through a netlink socket. Not reachable\n    from the network.\nAC:L -The attacker controls both sides of the race — sending\n    traffic and changing channel count simultaneously. The commit\n    message confirms this is \"easily reproduced\" with concurrent iperf\n    and ethtool.\nPR:L -ETHTOOL_MSG_CHANNELS_SET uses GENL_UNS_ADMIN_PERM, which\n    checks CAP_NET_ADMIN in the user namespace via\n    netlink_ns_capable(). Veth devices support set_channels and can be\n    created in user namespaces, so an unprivileged user can trigger\n    this via unshare -Urn.\nUI:N -No user interaction is required. The attacker can\n    independently trigger both the traffic and channel reconfiguration.\nS:U -Standard kernel use-after-free within the same security\n    authority (kernel). No cross-boundary impact like VM escape.\nC:H -This is a use-after-free on sk_buff objects. The freed skb\n    memory can be reallocated with attacker-controlled content,\n    enabling reading of arbitrary kernel memory through the dangling\n    pointer.\nI:H -UAF on sk_buff objects allows heap spraying — the freed skb\n    slab can be reclaimed with attacker-controlled data, enabling\n    arbitrary write primitives and potential code execution.\nA:H -The KASAN report confirms a slab-use-after-free crash in\n    __qdisc_run. This causes a kernel oops/panic, and is easily and\n    repeatedly triggerable.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "dbdc29cabde6b8e3c45e16e2062eefae982551fa",
      "tree": "b2e304b73135a202a083137169f7862068f4bfa1",
      "parents": [
        "cc44bfa05b1f471204b1eca2f2b3e879189d0217"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 06:48:26 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23336: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through WiFi driver device\n    lifecycle operations (device registration/removal and rfkill state\n    changes), requiring local system access. Not remotely reachable\n    through WiFi frames — it\u0027s a driver management race condition.\nAC:L -The attacker controls both sides of the race — device\n    insertion triggers rfkill hardware state changes, and device\n    removal triggers wiphy_unregister(). A crafted USB WiFi device can\n    reliably trigger both events in the needed sequence.\nPR:L -A local user with access to USB ports or device management\n    interfaces can trigger device attachment/removal. No\n    root/CAP_NET_ADMIN is needed to plug in a USB WiFi device on shared\n    workstations.\nUI:N -No user interaction is required; the attacker triggers both\n    the rfkill state change and the device unregistration autonomously.\nS:U -Standard kernel vulnerability — the impact remains within the\n    same security authority (kernel space). No VM escape or sandbox\n    boundary crossing.\nC:H -This is a use-after-free where the attacker can control freed\n    heap contents through heap spraying, enabling arbitrary memory\n    reads via the freed rdev structure.\nI:H -The UAF accesses freed memory that iterates a list and calls\n    dev_close() on network devices. With heap spray, the attacker can\n    redirect function pointers for arbitrary code execution in kernel\n    context.\nA:H -The kernel crash is confirmed by the KASAN report showing a\n    use-after-free read in cfg80211_shutdown_all_interfaces. Any UAF\n    reliably causes kernel oops/panic.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "cc44bfa05b1f471204b1eca2f2b3e879189d0217",
      "tree": "903b709b1c8b77d49672404f192800291d79b42f",
      "parents": [
        "eac76da002d4c455c14a3a8c69ad7932161e7fbb"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 07:01:03 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23317: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via the DRM execbuf ioctl\n    (DRM_IOCTL_VMW_EXECBUF) on the vmwgfx render node\n    (/dev/dri/renderD*), requiring local system access.\nAC:L -The attacker reliably triggers the bug by submitting a\n    command buffer with an invalid buffer handle. With\n    CONFIG_INIT_STACK_ALL_ZERO (default on most modern distros), the\n    uninitialized vmw_bo is deterministically NULL, making PTR_ERR\n    return 0 every time.\nPR:L -The ioctl is marked DRM_RENDER_ALLOW, meaning any user with\n    access to the render node can trigger it. Render nodes are\n    typically accessible to unprivileged local users on desktop/VM\n    systems.\nUI:N -No user interaction is required; the attacker directly issues\n    the ioctl with a crafted command buffer.\nS:U -The vulnerability affects the kernel within its own security\n    authority. While this is in a VM guest driver, exploitation stays\n    within the guest kernel boundary.\nC:H -The uninitialized pointer dereference leads to OOB memory\n    accesses, potentially reading arbitrary kernel memory contents.\nI:H -The uninitialized pointer is passed to vmw_bo_placement_set\n    and vmw_validation_add_bo which perform write operations, enabling\n    memory corruption that could be leveraged for code execution.\nA:H -Dereferencing an uninitialized or invalid pointer in kernel\n    context causes a kernel oops/crash, confirmed by the commit message\n    describing \"uninitialized and OOB accesses.\"\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "eac76da002d4c455c14a3a8c69ad7932161e7fbb",
      "tree": "e716e105e9e20f7ab5c35ff3b720960441a826d6",
      "parents": [
        "9c206c75dc605e11590b0f695cac13f9e48f35cb"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 07:06:44 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23306: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The pm8001 is a PCI-based SAS/SATA host bus adapter driver.\n    Triggering this vulnerability requires local access to submit\n    SCSI/ATA commands to a device managed by this HBA, which is done\n    through local SCSI device interfaces.\nAC:L -The vulnerability triggers deterministically when I/O is\n    submitted to a SATA device that is in the \"gone\" state. The\n    attacker can control the device removal (e.g., by physically\n    disconnecting a SATA drive or through hotplug) and then issue I/O,\n    reliably triggering the double-free.\nPR:L -Submitting SCSI commands requires access to SCSI device files\n    (e.g., /dev/sdX), which typically requires at least basic\n    user-level access with appropriate device permissions. Root is not\n    strictly required if the user has group access to the device.\nUI:N -No user interaction is required. The attacker can trigger the\n    vulnerability by issuing I/O commands to a gone device\n    independently.\nS:U -The vulnerability affects the kernel within its own security\n    authority. There is no crossing of a security boundary such as a VM\n    escape or sandbox escape.\nC:H -A double-free on slab memory (kmem_cache) is a powerful\n    exploitation primitive. Through heap spraying, an attacker can\n    control the contents of the reallocated object, potentially\n    achieving arbitrary kernel memory read capabilities.\nI:H -The double-free allows an attacker to reclaim the freed slab\n    object with controlled data, enabling type confusion and arbitrary\n    kernel memory write primitives that can lead to code execution.\nA:H -The double-free will at minimum cause a kernel crash/panic\n    when the slab allocator detects corruption, and can also be used to\n    cause repeated crashes for denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9c206c75dc605e11590b0f695cac13f9e48f35cb",
      "tree": "d49d45ae75e711d90f1e9f5bb1df689741f84454",
      "parents": [
        "09d64cd1ba982feaadaec71691146c43db98acab"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 07:13:24 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:39 2026 -0400"
      },
      "message": "CVE-2026-23294: Add CVSS 3.1 score (7.0 HIGH)\n\nCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Exploiting this vulnerability requires loading a BPF XDP\n    program and creating a devmap, which is done via local syscalls\n    (bpf() syscall and rtnetlink). This is not remotely reachable.\nAC:H -The vulnerability only manifests on PREEMPT_RT kernels, which\n    is a non-default, EXPERT-only kernel configuration. This is a\n    condition entirely beyond the attacker\u0027s control. Most deployed\n    kernels do not use PREEMPT_RT.\nPR:L -Loading XDP programs and creating DEVMAPs requires\n    CAP_NET_ADMIN, which can be obtained via user namespaces (unshare\n    -Urn creates a network namespace where the user has CAP_NET_ADMIN).\n    This makes it reachable by unprivileged local users.\nUI:N -No user interaction is required. The attacker can set up the\n    XDP program, devmap, and trigger the race condition entirely on\n    their own.\nS:U -The vulnerability affects the kernel within the same security\n    authority. There is no cross-boundary escape (no VM escape, no\n    IOMMU bypass).\nC:H -The use-after-free allows the attacker to control freed object\n    contents via heap spraying, potentially enabling arbitrary kernel\n    memory reads.\nI:H -The use-after-free on bq-\u003eq[] combined with count/array\n    corruption provides write primitives that could be leveraged for\n    control flow hijacking and arbitrary code execution in kernel\n    context.\nA:H -The use-after-free and list corruption will reliably cause\n    kernel crashes (oops/panic) when stale pointers in bq-\u003eq[] are\n    dereferenced after being freed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "09d64cd1ba982feaadaec71691146c43db98acab",
      "tree": "41348bb49bc2ea9d0b7b2c047ca812bdc0440d6c",
      "parents": [
        "e43606c46456ea6dc3b3c0d98b0e9cddc737b937"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 07:16:28 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23288: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -Triggered via DRM ioctl (AMDXDNA_EXEC_CMD) on the local\n    /dev/accel device node. This is a PCI accelerator driver, not\n    network-reachable.\nAC:L -The attacker can reliably trigger the OOB write by crafting a\n    command chain that exhausts buffer space before the final slot. No\n    race condition or special conditions required.\nPR:L -Requires opening the accelerator device file\n    (/dev/accel/accel*). The ioctl has no DRM_MASTER requirement\n    (flags\u003d0), so any local user with device access can trigger it. No\n    root or special capabilities needed.\nUI:N -No user interaction required. The attacker directly submits\n    malicious commands through the DRM ioctl interface.\nS:U -The vulnerability stays within the kernel\u0027s security\n    authority. No VM escape, IOMMU bypass, or sandbox boundary crossing\n    is involved.\nC:H -The ~52-byte heap zero-fill corrupts adjacent kernel objects.\n    This memory corruption can be leveraged through heap shaping to\n    corrupt length fields or create UAF conditions, potentially\n    enabling arbitrary memory reads.\nI:H -Out-of-bounds write of zeros into kernel heap memory corrupts\n    adjacent objects. This can overwrite function pointers, metadata,\n    or security-critical fields, potentially enabling code execution.\nA:H -The out-of-bounds memset corrupts kernel heap metadata and\n    adjacent objects, reliably causing kernel crashes or oops when the\n    corrupted data is subsequently accessed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "e43606c46456ea6dc3b3c0d98b0e9cddc737b937",
      "tree": "8b1b3639f9aa010849638452007d2d0c6aa15f74",
      "parents": [
        "9dc394413c62ce94a0ce02584d6d7f90caba8aeb"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 08:55:36 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23280: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via a DRM ioctl\n    (AMDXDNA_CREATE_BO) on a local accelerator device node\n    (/dev/accel/accelN), requiring local system access.\nAC:L -The integer overflow is reliably triggered by providing\n    crafted va_entry len values that sum to wrap around. No race\n    condition or special conditions beyond attacker control are\n    required.\nPR:L -The ioctl is defined with flags 0 (no DRM_ROOT_ONLY), so any\n    user who can open the accel device node can trigger it. On systems\n    with AMD XDNA hardware, logged-in desktop users typically have\n    access via the render group.\nUI:N -No user interaction is needed; the attacker directly issues\n    the ioctl.\nS:U -The vulnerability is a kernel memory corruption within the\n    kernel\u0027s security authority; no cross-boundary escape (VM, IOMMU)\n    is involved.\nC:H -The heap buffer overflow writes page structure pointers beyond\n    the allocated array, corrupting adjacent kernel heap objects. This\n    memory corruption can be leveraged to read arbitrary kernel memory.\nI:H -The heap buffer overflow corrupts kernel heap metadata and\n    adjacent objects, which can be exploited for arbitrary write\n    primitives and code execution via heap spraying techniques.\nA:H -The heap corruption will cause kernel crashes (oops/panic)\n    when corrupted objects are subsequently accessed.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "9dc394413c62ce94a0ce02584d6d7f90caba8aeb",
      "tree": "0be934f90200b7b7e1eb506b4f77d739738ff904",
      "parents": [
        "da99946a0423590c89a42fef8a2811db8dd08bed"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 09:35:21 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23274: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -This is accessed through the iptables/netfilter sockopt\n    interface (IPT_SO_SET_REPLACE), which requires local system access\n    to create iptables rules. This is a local attack vector via\n    setsockopt syscall.\nAC:L -The attacker can reliably trigger this by first creating a\n    rev1 IDLETIMER rule with XT_IDLETIMER_ALARM flag and a chosen\n    label, then creating a rev0 rule with the same label. No race\n    condition or special conditions needed — this is a deterministic\n    two-step operation.\nPR:L -The iptables interface requires CAP_NET_ADMIN, but\n    ip_tables.c uses ns_capable(sock_net(sk)-\u003euser_ns, CAP_NET_ADMIN),\n    meaning an unprivileged user can obtain this capability via user\n    namespaces (unshare -Urn), making this reachable from a\n    low-privilege user.\nUI:N -No user interaction is required. The attacker creates both\n    iptables rules themselves without any victim action.\nS:U -The vulnerability stays within the kernel\u0027s security scope —\n    there is no crossing of a security boundary like VM escape or\n    sandbox escape. It\u0027s a standard kernel privilege escalation\n    scenario.\nC:H -The bug calls mod_timer() on an uninitialized timer_list from\n    kmalloc\u0027d memory. Since kmalloc does not zero memory, the\n    timer_list contains stale heap content which an attacker can\n    influence via heap spraying, potentially achieving arbitrary read\n    through controlled function pointers and timer wheel manipulation.\nI:H -Operating mod_timer() on a timer_list with attacker-influenced\n    stale heap data (uninitialized function pointer, hlist_node\n    entries) can corrupt timer wheel data structures and potentially\n    achieve arbitrary code execution if the function pointer is\n    controlled through heap spraying.\nA:H -At minimum, mod_timer() on uninitialized memory triggers\n    debug_assert_init() WARN which causes panic with panic_on_warn\u003d1.\n    Even without that, following garbage pointers in timer_list-\u003eentry\n    corrupts kernel data structures causing a crash/oops.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "da99946a0423590c89a42fef8a2811db8dd08bed",
      "tree": "3bf2f1fcce16afa2c5b5bca32b4386b833fedf03",
      "parents": [
        "dd9a3adf839b8155a753550615843ff00edbfee2"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 09:35:33 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23275: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -io_uring is accessed via the io_uring_setup and\n    io_uring_register syscalls, requiring local system access.\nAC:L -The attacker controls both sides of the race — they trigger\n    ring resize while simultaneously causing task work additions.\n    DEFER_TASKRUN+SINGLE_ISSUER means a single task, but completions\n    adding task work happen concurrently with the register syscall.\nPR:L -io_uring is accessible to unprivileged local users by default\n    (sysctl_io_uring_disabled defaults to 0, no capabilities required).\nUI:N -No user interaction is needed; the attacker can set up the\n    io_uring ring with DEFER_TASKRUN and trigger the race entirely on\n    their own.\nS:U -The vulnerability stays within the kernel security boundary;\n    no VM escape or sandbox bypass is involved.\nC:H -This is a use-after-free on the rings structure. The freed\n    memory can be reallocated with attacker-controlled data,\n    potentially enabling arbitrary kernel memory reads.\nI:H -The UAF allows atomic_or on freed/reallocated memory, enabling\n    heap spraying and arbitrary write primitives that could lead to\n    code execution.\nA:H -Accessing freed memory (use-after-free) can cause kernel\n    crashes/oops, and the race can be triggered repeatedly for reliable\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "dd9a3adf839b8155a753550615843ff00edbfee2",
      "tree": "a0a1af4efbbd20f30c3c09e62986b1520c1fca6b",
      "parents": [
        "c738c24b5aeba529f32e19bd740698ed0bc448b0"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 09:36:51 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23273: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered via netlink RTM_NEWLINK\n    message to create a macvlan device, requiring local system access\n    through the netlink socket interface.\nAC:L -The attacker controls both sides of the race — one thread\n    creates the macvlan with an invalid name to trigger the error path,\n    while another sends packets to trigger the UAF read. The reproducer\n    demonstrates reliable exploitation.\nPR:L -Requires CAP_NET_ADMIN which is obtainable by an unprivileged\n    user through user namespaces (unshare -Urn), making this reachable\n    without real root privileges.\nUI:N -No user interaction is needed; the attacker triggers both the\n    macvlan creation and the packet sending themselves.\nS:U -Standard kernel use-after-free vulnerability; impact stays\n    within the same security authority (kernel context).\nC:H -Use-after-free on a macvlan_dev/net_device structure allows\n    reading freed and potentially reallocated memory, providing\n    arbitrary kernel memory disclosure through controlled heap spraying.\nI:H -Use-after-free enables heap spraying to control the freed\n    object contents, providing arbitrary write primitives and potential\n    control flow hijacking for code execution.\nA:H -The use-after-free causes kernel crashes (KASAN\n    slab-use-after-free as shown in the commit message), resulting in\n    denial of service.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "c738c24b5aeba529f32e19bd740698ed0bc448b0",
      "tree": "f6235f25db8e3de0226623888f945c21e91c8d93",
      "parents": [
        "ff01dd5cea4f83fa9f3978081ebb0fd5cfd3ee4c"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 09:37:14 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23272: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -nftables is accessed via nfnetlink sockets which require\n    local system access (netlink socket). This is not remotely\n    reachable.\nAC:L -The attacker controls the conditions: they fill the set to\n    maximum, then insert another element to trigger the UAF. While the\n    RCU reader race exists, the attacker controls both the insertion\n    and can arrange for concurrent lookups, making the race reliably\n    triggerable.\nPR:L -nfnetlink requires CAP_NET_ADMIN, but nftables is\n    per-network-namespace and reachable via user namespaces (unshare\n    -Urn), so an unprivileged local user can obtain CAP_NET_ADMIN in a\n    new namespace.\nUI:N -No user interaction is needed. The attacker can trigger this\n    entirely through their own netlink socket operations.\nS:U -The vulnerability operates within the kernel\u0027s security\n    authority. There is no crossing of a security boundary like VM\n    escape or sandbox escape.\nC:H -This is a use-after-free where an RCU reader accesses freed\n    memory. The freed memory can be reclaimed and filled with\n    attacker-controlled data via heap spraying, enabling arbitrary\n    kernel memory reads.\nI:H -Use-after-free in the kernel enables heap spraying and type\n    confusion, allowing arbitrary write primitives and control flow\n    hijacking for code execution.\nA:H -The UAF can cause kernel crashes (oops/panic) when RCU readers\n    access freed or corrupted memory. Even without full exploitation,\n    the bug reliably causes availability impact.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    },
    {
      "commit": "ff01dd5cea4f83fa9f3978081ebb0fd5cfd3ee4c",
      "tree": "25daffa134bb6f902258778eed8614198b0b45c2",
      "parents": [
        "3ae77e2ff34b7747779597f0bbd5b4308067a1a8"
      ],
      "author": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 09:39:18 2026 -0400"
      },
      "committer": {
        "name": "Sasha Levin",
        "email": "sashal@kernel.org",
        "time": "Thu Apr 02 10:40:38 2026 -0400"
      },
      "message": "CVE-2026-23271: Add CVSS 3.1 score (7.8 HIGH)\n\nCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\nAV:L -The vulnerability is triggered through the perf_event_open()\n    syscall and closing the event fd, both local operations requiring\n    local system access.\nAC:L -The attacker controls both sides of the race: one thread\n    triggers the software perf event overflow while another thread\n    closes the fd. The attacker creates and controls the race timing,\n    making it reliably exploitable.\nPR:L -An unprivileged local user can create software perf events\n    with exclude_kernel\u003d1 under the default perf_event_paranoid\u003d2\n    setting. No special capabilities are required.\nUI:N -No user interaction is needed. The attacker creates the perf\n    event, triggers it, and races the close() independently.\nS:U -The vulnerability results in kernel privilege escalation\n    within the same security authority (kernel context). There is no\n    crossing of virtualization or sandbox boundaries.\nC:H -The use-after-free on the perf_event structure gives the\n    attacker control over freed memory contents via heap spraying,\n    enabling arbitrary kernel memory reads through controlled function\n    pointer calls.\nI:H -The UAF includes a function pointer call\n    (event-\u003eoverflow_handler) from potentially attacker-controlled\n    freed memory, providing a direct code execution primitive for\n    arbitrary kernel code execution.\nA:H -The use-after-free will cause kernel crashes (oops/panic) even\n    without sophisticated exploitation, as accessing freed memory leads\n    to immediate instability.\n\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n"
    }
  ],
  "next": "3ae77e2ff34b7747779597f0bbd5b4308067a1a8"
}
