Description
Security update for the Linux Kernel
The SUSE Linux Enterprise 16.0 kernel was updated to fix various security issues.
The following security issues were fixed:
- CVE-2023-20585: iommu/amd: Use maximum Event log buffer size when SNP is enabled on Family 0x19 (bsc#1243603).
- CVE-2026-3150: bcache: fix cached_dev.sb_bio use-after-free and crash (bsc#1263169).
- CVE-2026-23359: bpf: Fix stack-out-of-bounds write in devmap (bsc#1260584).
- CVE-2026-23380: tracing: Fix WARN_ON in tracing_buffers_mmap_close (bsc#1260539).
- CVE-2026-23444: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure (bsc#1266307).
- CVE-2026-31464: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() (bsc#1262656).
- CVE-2026-31480: tracing: Fix potential deadlock in cpu hotplug with osnoise (bsc#1262634).
- CVE-2026-31483: s390/barrier: Make array_index_mask_nospec() __always_inline (bsc#1261590 bsc#1262771).
- CVE-2026-31493: RDMA/efa: Fix use of completion ctx after free (bsc#1262668).
- CVE-2026-31516: xfrm: prevent policy_hthresh.work from racing with netns teardown (bsc#1262755).
- CVE-2026-31521: module: Fix kernel panic when a symbol st_shndx is out of bounds (bsc#1263102).
- CVE-2026-31568: s390/mm: Add missing secure storage access fixups for donated memory (bsc#1263068).
- CVE-2026-31575: mm/userfaultfd: fix hugetlb fault mutex hash calculation (bsc#1263067).
- CVE-2026-31613: smb: client: fix OOB reads parsing symlink error response (bsc#1263769).
- CVE-2026-31614: smb: client: fix off-by-8 bounds check in check_wsl_eas() (bsc#1263774).
- CVE-2026-31729: usb: typec: ucsi: validate connector number in ucsi_notify_common() (bsc#1264112).
- CVE-2026-31736: net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled (bsc#1263908).
- CVE-2026-43012: net/mlx5: Fix switchdev mode rollback in case of failure (bsc#1264016).
- CVE-2026-43013: net/mlx5: lag: Check for LAG device before creating debugfs (bsc#1264011).
- CVE-2026-43054: scsi: target: tcm_loop: Drain commands in target_reset handler (bsc#1264063).
- CVE-2026-43112: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (bsc#1264437).
- CVE-2026-43234: team: avoid NETDEV_CHANGEMTU event when unregistering slave (bsc#1264409).
- CVE-2026-43252: mptcp: pm: in-kernel: always set ID as avail when rm endp (bsc#1264300).
- CVE-2026-43325: wifi: iwlwifi: mvm: don't send a 6E related command when not supported (bsc#1265110).
- CVE-2026-43328: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path (bsc#1264832).
- CVE-2026-43333: bpf: reject direct access to nullable PTR_TO_BUF pointers (bsc#1264726).
- CVE-2026-43338: btrfs: reserve enough transaction items for qgroup ioctls (bsc#1264716).
- CVE-2026-43341: net/ipv6: ioam6: prevent schema length wraparound in trace fill (bsc#1265044).
- CVE-2026-43359: btrfs: fix transaction abort on set received ioctl due to item overflow (bsc#1264719).
- CVE-2026-43360: btrfs: fix transaction abort on file creation due to name hash collision (bsc#1264720).
- CVE-2026-43361: btrfs: fix transaction abort when snapshotting received subvolumes (bsc#1264722).
- CVE-2026-43362: smb: client: fix in-place encryption corruption in SMB2_write() (bsc#1264989).
- CVE-2026-43414: scsi: qla2xxx: Completely fix fcport double free (bsc#1264669).
- CVE-2026-43499: rtmutex: Use waiter::task instead of current in remove_waiter() (bsc#1266001).
- CVE-2026-45843: slip: bound decode() reads against the compressed packet length (bsc#1266395).
- CVE-2026-46110: net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() (bsc#1266759).
The following non-security issues were fixed:
- ACPI: x86: cmos_rtc: Clean up address space handler driver (stable-fixes).
- ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver (git-fixes).
- ALSA: asihpi: Fix potential OOB array access at reading cache (stable-fixes).
- ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 (stable-fixes).
- ALSA: pcm: Don't setup bogus iov_iter for silencing (git-fixes).
- ALSA: pcm: oss: Fix setup list UAF on proc write error (git-fixes).
- ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417 (git-fixes).
- ALSA: seq: avoid past-the-end iterator in snd_seq_create_port() (git-fixes).
- ALSA: seq: Serialize UMP output teardown with event_input (git-fixes).
- ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register() (git-fixes).
- ALSA: ua101: Reject too-short USB descriptors (git-fixes).
- arm64: tlb: Flush walk cache when unsharing PMD tables (git-fixes).
- ASoC: codecs: simple-mux: Fix enum control bounds check (git-fixes).
- ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() (git-fixes).
- ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors (git-fixes).
- ASoC: qcom: q6asm-dai: close stream only when running (git-fixes).
- ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks (git-fixes).
- ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params (git-fixes).
- ASoC: SOF: ipc3: Use standard dev_dbg API (stable-fixes).
- auxdisplay: line-display: fix OOB read on zero-length message_store() (git-fixes).
- bcache: fix uninitialized closure object (git-fixes).
- Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() (git-fixes).
- Bluetooth: bnep: Fix UAF read of dev->name (git-fixes).
- Bluetooth: btmtk: accept too short WMT FUNC_CTRL events (git-fixes).
- Bluetooth: btmtk: fix urb->setup_packet leak in error paths (git-fixes).
- Bluetooth: btusb: Allow firmware re-download when version matches (git-fixes).
- Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() (git-fixes).
- Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync (git-fixes).
- Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close (git-fixes).
- Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths (git-fixes).
- Bluetooth: HIDP: fix missing length checks in hidp_input_report() (git-fixes).
- Bluetooth: ISO: drop ISO_END frames received without prior ISO_START (git-fixes).
- Bluetooth: ISO: fix UAF in iso_recv_frame (git-fixes).
- Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock (git-fixes).
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success (git-fixes).
- Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer (git-fixes).
- Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn (git-fixes).
- Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp (git-fixes).
- Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() (git-fixes).
- Bluetooth: MGMT: validate Add Extended Advertising Data length (git-fixes).
- Bluetooth: serialize accept_q access (git-fixes).
- btrfs: do not mark inode incompressible after inline attempt fails (git-fixes).
- comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() (git-fixes).
- comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() (git-fixes).
- device property: set fwnode->secondary to NULL in fwnode_init() (git-fixes).
- dm: fix a buffer overflow in ioctl processing (git-fixes).
- drm/amd/display: Fix integer overflow in bios_get_image() (stable-fixes).
- drm/amd/display: Validate GPIO pin LUT table size before iterating (stable-fixes).
- drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async (stable-fixes).
- drm/amd/pm/si: Disregard vblank time when no displays are connected (git-fixes).
- drm/amdgpu/uvd3.1: Don't validate the firmware when already validated (git-fixes).
- drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled (git-fixes).
- drm/amdgpu/vce2: Fix VCE 2 firmware size and offsets (git-fixes).
- drm/amdgpu/vce3: Fix VCE 3 firmware size and offsets (git-fixes).
- drm/amdgpu/vpe: Force collaborate sync after TRAP (stable-fixes).
- drm/amdgpu: add amdgpu_device reference in ip block (stable-fixes).
- drm/amdgpu: fix spelling typos (stable-fixes).
- drm/amdgpu: update the handle ptr in dump_ip_state (stable-fixes).
- drm/amdgpu: update the handle ptr in early_init (stable-fixes).
- drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe (git-fixes).
- drm/bridge: it66121: acquire reset GPIO in probe (git-fixes).
- drm/bridge: megachips: remove bridge when irq request fails (git-fixes).
- drm/hyperv: validate resolution_count and fix WIN8 fallback (git-fixes).
- drm/hyperv: validate VMBus packet size in receive callback (git-fixes).
- drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP (git-fixes).
- drm/i915: Fix potential UAF in TTM object purge (git-fixes).
- drm/msm/dsi: don't dump registers past the mapped region (git-fixes).
- drm/msm/snapshot: fix dumping of the unaligned regions (git-fixes).
- drm/radeon/evergreen_cs: Add missing NULL prefix check in surface check (git-fixes).
- drm/virtio: use uninterruptible resv lock for plane updates (git-fixes).
- drm/xe/gsc: Fix double-free of managed BO in error path (git-fixes).
- drm/xe/oa: Fix exec_queue leak on width check in stream open (git-fixes).
- drm/xe/pf: Fix CFI failure in debugfs access (git-fixes).
- drm/xe/vf: Fix signature of print functions (git-fixes).
- drm/xe: Define CACHE_MODE_1 as MCR register (git-fixes).
- efi: Allocate runtime workqueue before ACPI init (git-fixes).
- firmware: arm_ffa: Align RxTx buffer size before mapping (git-fixes).
- firmware: arm_ffa: Check for NULL FF-A ID table while driver registration (git-fixes).
- firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue (git-fixes).
- firmware: arm_ffa: Skip free_pages on RX buffer alloc failure (git-fixes).
- gve: Add RSS cache for non RSS device option scenario (bsc#1265925).
- gve: add XDP DROP and PASS support for DQ (bsc#1265925).
- gve: Enable reading max ring size from the device in DQO-QPL mode (bsc#1265925).
- gve: introduce config-based allocation for XDP (bsc#1265925).
- gve: merge packet buffer size fields (bsc#1265925).
- gve: remove xdp_xsk_done and xdp_xsk_wakeup statistics (bsc#1265925).
- gve: update GQ RX to use buf_size (bsc#1265925).
- gve: Update QPL page registration logic (bsc#1265925).
- gve: update XDP allocation path support RX buffer posting (bsc#1265925).
- HID: playstation: Clamp num_touch_reports (git-fixes).
- HID: quirks: really enable the intended work around for appledisplay (git-fixes).
- HID: uclogic: Fix regression of input name assignment (git-fixes).
- hwmon: (lenovo-ec-sensors): Convert to devm_request_region() (git-fixes).
- hwmon: (lenovo-ec-sensors): Fix EC "MCHP" signature validation logic (git-fixes).
- hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer (git-fixes).
- hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR (git-fixes).
- hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple (git-fixes).
- hwmon: (pmbus/adm1266) include adapter number in GPIO line label (git-fixes).
- hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer (git-fixes).
- hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() (git-fixes).
- hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() (git-fixes).
- hwmon: (pmbus/adm1266) reject implausible blackbox record_count (git-fixes).
- hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors (git-fixes).
- hwmon: (pmbus/adm1266) seed timestamp from the real-time clock (git-fixes).
- hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX (git-fixes).
- iio: adc: mt6359: fix unchecked return value in mt6358_read_imp (git-fixes).
- iio: adc: npcm: fix unbalanced clk_disable_unprepare() (git-fixes).
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw (git-fixes).
- iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux (git-fixes).
- iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() (git-fixes).
- iio: buffer: hw-consumer: fix use-after-free in error path (git-fixes).
- iio: dac: ad5686: acquire lock when doing powerdown control (git-fixes).
- iio: dac: ad5686: fix input raw value check (git-fixes).
- iio: dac: max5821: fix return value check in powerdown sync (git-fixes).
- iio: gyro: adis16260: fix division by zero in write_raw (git-fixes).
- iio: gyro: itg3200: fix i2c read into the wrong stack location (git-fixes).
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer (git-fixes).
- iio: light: cm3323: fix reg_conf not being initialized correctly (git-fixes).
- iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL (git-fixes).
- iio: ssp_sensors: cancel delayed work_refresh on remove (git-fixes).
- iio: temperature: tsys01: fix broken PROM checksum validation (git-fixes).
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem (git-fixes).
- Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() (git-fixes).
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size (git-fixes).
- Input: xpad - fix out-of-bounds access for Share button (git-fixes).
- KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE (git-fixes).
- KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation (git-fixes).
- KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (git-fixes).
- KVM: x86: Fix Xen hypercall tracepoint argument assignment (git-fixes).
- KVM: x86: Return the VM's configured APIC bus frequency when queried (git-fixes).
- media: i2c: og01a1b: Fix V4L2 subdevice data initialization on probe (git-fixes).
- media: i2c: og01a1b: Replace client->dev usage (stable-fixes).
- net: mana: Add NULL guards in teardown path to prevent panic on attach failure (git-fixes).
- net: mana: Expose hardware diagnostic info via debugfs (bsc#1266414).
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer (bsc#1265928).
- net: mana: hardening: Reject zero max_num_queues from GDMA_QUERY_MAX_RESOURCES (git-fixes).
- net: mana: hardening: Reject zero max_num_queues from MANA_QUERY_VPORT_CONFIG (git-fixes).
- net: mana: Skip redundant detach on already-detached port (git-fixes).
- net: mana: Use kvmalloc for large RX queue and buffer allocations (bsc#1266765).
- net: mana: Use per-queue allocation for tx_qp to reduce allocation size (bsc#1266765).
- net: mana: validate rx_req_idx to prevent out-of-bounds array access (bsc#1266402).
- parport: Fix race between port and client registration (git-fixes).
- platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 (git-fixes).
- platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL (git-fixes).
- platform/x86: hp_accel: Check ACPI_COMPANION() against NULL (git-fixes).
- platform/x86: intel-hid: Check ACPI_HANDLE() against NULL (git-fixes).
- platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL (git-fixes).
- RDMA/efa: Check stored completion CTX command ID with received one (git-fixes).
- RDMA/efa: Extend admin timeout error print (git-fixes).
- RDMA/efa: Fix possible deadlock (git-fixes).
- RDMA/efa: Improve admin completion context state machine (git-fixes).
- RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port (git-fixes).
- Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn" (git-fixes).
- s390/pfault: Fix virtual vs physical address confusion (bsc#1262754).
- scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP (git-fixes).
- scsi: mpi3mr: Clear reset history on ready and recheck state after timeout (git-fixes).
- scsi: ses: Handle positive SCSI error from ses_recv_diag() (git-fixes).
- scsi: ufs: core: Fix shift out of bounds when MAXQ=32 (git-fixes).
- security/keys: fix missed RCU read section on lookup (stable-fixes).
- serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma (git-fixes).
- serial: qcom-geni: fix UART_RX_PAR_EN bit position (git-fixes).
- serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ (git-fixes).
- smb: client: reject userspace cifs.spnego descriptions (bsc#1266238).
- spi: ep93xx: fix error pointer deref after DMA setup failure (git-fixes).
- spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() (git-fixes).
- spi: qup: fix error pointer deref after DMA setup failure (git-fixes).
- spi: sprd: fix error pointer deref after DMA setup failure (git-fixes).
- spi: ti-qspi: fix use-after-free after DMA setup failure (git-fixes).
- thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow (git-fixes).
- thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() (git-fixes).
- tracing: Switch trace_osnoise.c code over to use guard() and __free() (bsc#1262634).
- tty: serial: pch_uart: add check for dma_alloc_coherent() (git-fixes).
- tty: serial: samsung: Remove redundant port lock acquisition in rx helpers (git-fixes).
- USB: cdc-acm: Fix bit overlap and move quirk definitions to header (git-fixes).
- usb: cdns3: gadget: fix request skipping after clearing halt (git-fixes).
- usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure (git-fixes).
- usb: chipidea: core: convert ci_role_switch to local variable (git-fixes).
- usb: dwc2: Fix use after free in debug code (git-fixes).
- usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling (git-fixes).
- usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports (git-fixes).
- usb: gadget: f_fs: copy only received bytes on short ep0 read (git-fixes).
- usb: gadget: f_fs: serialize DMABUF cancel against request completion (git-fixes).
- usb: gadget: f_hid: fix device reference leak in hidg_alloc() (git-fixes).
- usb: gadget: net2280: Fix double free in probe error path (git-fixes).
- usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind (git-fixes).
- USB: serial: belkin_sa: validate interrupt status length (git-fixes).
- USB: serial: cypress_m8: validate interrupt packet headers (git-fixes).
- USB: serial: keyspan: fix missing indat transfer sanity check (git-fixes).
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity check (git-fixes).
- USB: serial: mxuport: fix memory corruption with small endpoint (git-fixes).
- USB: serial: omninet: fix memory corruption with small endpoint (git-fixes).
- USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL (git-fixes).
- USB: serial: safe_serial: fix memory corruption with small endpoint (git-fixes).
- usb: typec: tcpm: improve handling of DISCOVER_MODES failures (git-fixes).
- usb: typec: ucsi: Don't update power_supply on power role change if not connected (git-fixes).
- usb: usbtmc: check URB actual_length for interrupt-IN notifications (git-fixes).
- usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize (git-fixes).
- usbip: vudc: Fix use after free bug in vudc_remove due to race condition (git-fixes).
- virt: sev-guest: Explicitly leak pages in unknown state (git-fixes).
- wifi: ath10k: skip WMI and beacon transmission when device is wedged (git-fixes).
- wifi: ath11k: clear shared SRNG pointer state on restart (git-fixes).
- wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() (git-fixes).
- wifi: ath11k: fix error path leaks in some WMI calls (git-fixes).
- wifi: ath11k: fix error path leaks in some WMI WOW calls (git-fixes).
- wifi: ath11k: fix peer resolution on rx path when peer_id=0 (git-fixes).
- wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce() (git-fixes).
- wifi: cfg80211: advance loop vars in cfg80211_merge_profile() (git-fixes).
- wifi: mac80211: consume only present negotiated TTLM maps (git-fixes).
- wifi: mac80211: fix MLE defragmentation (git-fixes).
- wifi: mac80211: fix multi-link element inheritance (git-fixes).
Package list
openSUSE Leap 16.0
References
- SUSE Security Ratings
- SUSE Bug 1243603
- SUSE Bug 1260539
- SUSE Bug 1260584
- SUSE Bug 1261590
- SUSE Bug 1262634
- SUSE Bug 1262656
- SUSE Bug 1262668
- SUSE Bug 1262754
- SUSE Bug 1262755
- SUSE Bug 1262771
- SUSE Bug 1263067
- SUSE Bug 1263068
- SUSE Bug 1263102
- SUSE Bug 1263169
- SUSE Bug 1263769
- SUSE Bug 1263774
- SUSE Bug 1263908
- SUSE Bug 1264011
- SUSE Bug 1264014
Description
Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity.
Affected products
References
- CVE-2023-20585
- SUSE Bug 1243603
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write. Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect. To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
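The bounded upper-device walk described above, as an added user-space model (not the kernel's code): `struct fake_dev`, `get_upper_ifindexes()` with its new `max` parameter and the caller `exclude_ingress_and_uppers()` are constructed here; the caller sizes its exclusion array as `1 + MAX_NEST_DEV`, as the devmap code does, and aborts with -EOVERFLOW instead of writing past it.

```c
#include <stdio.h>
#include <errno.h>

#define MAX_NEST_DEV 8

/* Constructed stand-in for a net_device with its list of upper devices. */
struct fake_dev {
    int ifindex;
    int n_uppers;
    const struct fake_dev *uppers[32];
};

/* Bounded walk as in the fix: `max` is the capacity of indexes[]. Returns
 * the number of ifindexes written, or -EOVERFLOW once the upper devices
 * outnumber the caller's array, so the caller can abort the redirect
 * instead of writing past its stack buffer. */
static int get_upper_ifindexes(const struct fake_dev *dev, int *indexes, int max)
{
    int i;

    for (i = 0; i < dev->n_uppers; i++) {
        if (i >= max)
            return -EOVERFLOW;
        indexes[i] = dev->uppers[i]->ifindex;
    }
    return i;
}

/* Models the devmap caller: the excluded list holds the ingress device
 * itself plus at most MAX_NEST_DEV upper devices. Builds a device with `n`
 * constructed macvlan-style uppers (n <= 32) and returns the walk's result. */
static int exclude_ingress_and_uppers(int n)
{
    static struct fake_dev uppers[32];
    struct fake_dev dev = { .ifindex = 1, .n_uppers = n };
    int excluded[1 + MAX_NEST_DEV];

    for (int i = 0; i < n; i++) {
        uppers[i].ifindex = 100 + i;
        dev.uppers[i] = &uppers[i];
    }
    excluded[0] = dev.ifindex;
    return get_upper_ifindexes(&dev, excluded + 1, MAX_NEST_DEV);
}

int main(void)
{
    printf("8 uppers -> %d\n", exclude_ingress_and_uppers(8));
    printf("9 uppers -> %d (-EOVERFLOW is %d)\n",
           exclude_ingress_and_uppers(9), -EOVERFLOW);
    return 0;
}
```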
Affected products
References
- CVE-2026-23359
- SUSE Bug 1260584
Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON. Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork. Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.
Affected products
References
- CVE-2026-23380
- SUSE Bug 1260539
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure ieee80211_tx_prepare_skb() has three error paths, but only two of them free the skb. The first error path (ieee80211_tx_prepare() returning TX_DROP) does not free it, while invoke_tx_handlers() failure and the fragmentation check both do. Add kfree_skb() to the first error path so all three are consistent, and remove the now-redundant frees in callers (ath9k, mt76, mac80211_hwsim) to avoid double-free. Document the skb ownership guarantee in the function's kdoc.
Affected products
References
- CVE-2026-23444
- SUSE Bug 1266307
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.
Affected products
References
- CVE-2026-31464
- SUSE Bug 1262656
Description
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential deadlock in cpu hotplug with osnoise The following sequence may lead to a deadlock in cpu hotplug:

    task1                          task2                       task3
    -----                          -----                       -----
    mutex_lock(&interface_lock)
                                   [CPU GOING OFFLINE]
                                   cpus_write_lock();
                                   osnoise_cpu_die();
                                   kthread_stop(task3);
                                   wait_for_completion();
                                                               osnoise_sleep();
                                                               mutex_lock(&interface_lock);
    cpus_read_lock();
    [DEAD LOCK]

Fix by swapping the order of cpus_read_lock() and mutex_lock(&interface_lock).
Affected products
References
- CVE-2026-31480
- SUSE Bug 1262634
Description
In the Linux kernel, the following vulnerability has been resolved: s390/syscalls: Add spectre boundary for syscall dispatch table The s390 syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables.
Affected products
References
- CVE-2026-31483
- SUSE Bug 1262771
Description
In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in polling/interrupts handler which means we print data from context in an unknown state (it might be already used again). Change the admin submission flow so alloc/dealloc of the context will be symmetric and dealloc will be called after any potential use of the context.
Affected products
References
- CVE-2026-31493
- SUSE Bug 1262668
Description
A security vulnerability has been detected in itsourcecode College Management System 1.0. This affects an unknown part of the file /admin/display-teacher.php. The manipulation of the argument teacher_id leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.
Affected products
References
- CVE-2026-3150
Description
In the Linux kernel, the following vulnerability has been resolved: xfrm: prevent policy_hthresh.work from racing with netns teardown A XFRM_MSG_NEWSPDINFO request can queue the per-net work item policy_hthresh.work onto the system workqueue. The queued callback, xfrm_hash_rebuild(), retrieves the enclosing struct net via container_of(). If the net namespace is torn down before that work runs, the associated struct net may already have been freed, and xfrm_hash_rebuild() may then dereference stale memory. xfrm_policy_fini() already flushes policy_hash_work during teardown, but it does not synchronize policy_hthresh.work. Synchronize policy_hthresh.work in xfrm_policy_fini() as well, so the queued work cannot outlive the net namespace teardown and access a freed struct net.
Affected products
References
- CVE-2026-31516
- SUSE Bug 1262755
Description
In the Linux kernel, the following vulnerability has been resolved: module: Fix kernel panic when a symbol st_shndx is out of bounds The module loader doesn't check for bounds of the ELF section index in simplify_symbols():

    for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
        const char *name = info->strtab + sym[i].st_name;

        switch (sym[i].st_shndx) {
        case SHN_COMMON:
            [...]
        default:
            /* Divert to percpu allocation if a percpu var. */
            if (sym[i].st_shndx == info->index.pcpu)
                secbase = (unsigned long)mod_percpu(mod);
            else
    /** HERE --> **/ secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
            sym[i].st_value += secbase;
            break;
        }
    }

A symbol with an out-of-bounds st_shndx value, for example 0xffff (known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:

    BUG: unable to handle page fault for address: ...
    RIP: 0010:simplify_symbols+0x2b2/0x480
    ...
    Kernel panic - not syncing: Fatal exception

This can happen when module ELF is legitimately using SHN_XINDEX or when it is corrupted. Add a bounds check in simplify_symbols() to validate that st_shndx is within the valid range before using it. This issue was discovered due to a bug in llvm-objcopy, see relevant discussion for details [1]. [1] https://lore.kernel.org/linux-modules/20251224005752.201911-1-ihor.solodrai@linux.dev/
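The bounds check on st_shndx, as an added user-space model of the loader step (not the kernel's code): the ELF64 symbol struct and SHN_* constants are declared locally so the file is self-contained, `struct load_info`, `PERCPU_BASE` and `load_sample()` are constructed stand-ins, and a symbol whose section index is not an entry of the section table is rejected with -ENOEXEC instead of being used to index sechdrs[].

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Minimal ELF64 definitions, declared here so the file is self-contained. */
#define SHN_UNDEF  0
#define SHN_ABS    0xfff1
#define SHN_COMMON 0xfff2
#define SHN_XINDEX 0xffff

typedef struct {
    uint32_t st_name;
    uint8_t  st_info;
    uint8_t  st_other;
    uint16_t st_shndx;
    uint64_t st_value;
    uint64_t st_size;
} Elf64_Sym;

struct section_hdr { uint64_t sh_addr; };

/* Stand-in for the loader's info: the section table, its entry count from
 * the ELF header (e_shnum) and the index of the per-cpu section. */
struct load_info {
    const struct section_hdr *sechdrs;
    uint16_t e_shnum;
    uint16_t pcpu_index;
};

#define PERCPU_BASE 0x5000ULL  /* constructed stand-in for mod_percpu(mod) */

/* Rebases each symbol onto its section's load address. Returns 0, or
 * -ENOEXEC when st_shndx does not name an entry of sechdrs[] (the check
 * the fix adds; SHN_XINDEX and corrupted indices are caught here). */
static int simplify_symbols(const struct load_info *info, Elf64_Sym *sym, unsigned nsyms)
{
    for (unsigned i = 1; i < nsyms; i++) {
        uint64_t secbase;

        switch (sym[i].st_shndx) {
        case SHN_UNDEF:
        case SHN_ABS:
        case SHN_COMMON:
            continue;  /* nothing to rebase against in this model */
        default:
            if (sym[i].st_shndx == info->pcpu_index) {
                secbase = PERCPU_BASE;
            } else {
                if (sym[i].st_shndx >= info->e_shnum)
                    return -ENOEXEC;  /* would index past sechdrs[] */
                secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
            }
            sym[i].st_value += secbase;
            break;
        }
    }
    return 0;
}

/* Builds a two-entry symbol table whose real symbol carries `shndx`, runs
 * the loader step and returns its result; *value receives the rebased
 * st_value. The constructed section table has three entries (e_shnum == 3)
 * and section 2 is the per-cpu section. */
static int load_sample(uint16_t shndx, uint64_t *value)
{
    static const struct section_hdr sechdrs[3] = { {0}, {0x1000}, {0x2000} };
    struct load_info info = { sechdrs, 3, 2 };
    Elf64_Sym sym[2] = {
        { 0 },                                                  /* null symbol */
        { .st_name = 1, .st_shndx = shndx, .st_value = 0x10 },
    };
    int ret = simplify_symbols(&info, sym, 2);

    *value = sym[1].st_value;
    return ret;
}

int main(void)
{
    uint64_t v;
    int ret;

    ret = load_sample(1, &v);
    printf("shndx 1      -> ret %d, value 0x%llx\n", ret, (unsigned long long)v);
    ret = load_sample(SHN_XINDEX, &v);
    printf("shndx 0xffff -> ret %d (-ENOEXEC is %d)\n", ret, -ENOEXEC);
    return 0;
}
```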
Affected products
References
- CVE-2026-31521
- SUSE Bug 1263102
Description
In the Linux kernel, the following vulnerability has been resolved: s390/mm: Add missing secure storage access fixups for donated memory There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages. Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved. With this patch we unconditionally try to export and if that fails we fixup.
Affected products
References
- CVE-2026-31568
- SUSE Bug 1263068
Description
In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix hugetlb fault mutex hash calculation In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the page index for hugetlb_fault_mutex_hash(). However, linear_page_index() returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUG_ON in resv_map_release(). Fix this by introducing hugetlb_linear_page_index(), which returns the page index in huge page granularity, and using it in place of linear_page_index().
Affected products
References
- CVE-2026-31575
- SUSE Bug 1263067
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB reads parsing symlink error response When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the server-controlled ErrorDataLength advances p to within 1-7 bytes of end, the next iteration will read past it. When the matching context is found, sym->SymLinkErrorTag is read at offset 4 from p->ErrorContextData with no check that the symlink header itself fits. smb2_parse_symlink_response() then bounds-checks the substitute name using SMB2_SYMLINK_STRUCT_SIZE as the offset of PathBuffer from iov_base. That value is computed as sizeof(smb2_err_rsp) + sizeof(smb2_symlink_err_rsp), which is correct only when ErrorContextCount == 0. With at least one error context the symlink data sits 8 bytes deeper, and each skipped non-matching context shifts it further by 8 + ALIGN(ErrorDataLength, 8). The check is too short, allowing the substitute name read to run past iov_len. The out-of-bound heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2). Fix this all up by making the loop test require the full context header to fit, rejecting sym if its header runs past end, and bounding the substitute name against the actual position of sym->PathBuffer rather than a fixed offset. Because sub_offs and sub_len are 16 bits, the pointer math will not overflow here with the new greater-than.
Affected products
References
- CVE-2026-31613
- SUSE Bug 1263769
- SUSE Bug 1263770
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix off-by-8 bounds check in check_wsl_eas() The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun? The earlier check (u8 *)ea > end - sizeof(*ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov. Fix this mess all up by using ea->ea_data as the base for the bounds check. An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.
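The off-by-8 bounds check beside its corrected form, as an added user-space example (not the kernel's code): `struct smb2_file_full_ea_info` mirrors the 8-byte wire header, `ea_fits_buggy()` / `ea_fits_fixed()` are the two checks, and `build_ea()` / `classify_response()` are constructed helpers that simulate a response whose iov ends part-way through the last EA record, so the window in which only the old check accepts is visible.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of one SMB2 FILE_FULL_EA_INFORMATION record: an 8-byte
 * header, then the NUL-terminated name and the value bytes in ea_data. */
struct smb2_file_full_ea_info {
    uint32_t next_entry_offset;
    uint8_t  flags;
    uint8_t  ea_name_length;
    uint16_t ea_value_length;
    uint8_t  ea_data[];
};

/* Vulnerable check: measures the name and value from the header start,
 * so it is short by sizeof(*ea) == 8 bytes. */
static bool ea_fits_buggy(const struct smb2_file_full_ea_info *ea, const uint8_t *end)
{
    size_t nlen = ea->ea_name_length, vlen = ea->ea_value_length;

    return (const uint8_t *)ea + nlen + 1 + vlen <= end;
}

/* Fixed check: the name and value actually start at ea->ea_data. */
static bool ea_fits_fixed(const struct smb2_file_full_ea_info *ea, const uint8_t *end)
{
    size_t nlen = ea->ea_name_length, vlen = ea->ea_value_length;

    return ea->ea_data + nlen + 1 + vlen <= end;
}

/* Writes one constructed EA record into buf; returns its total length. */
static size_t build_ea(uint8_t *buf, const char *name, uint16_t vlen)
{
    struct smb2_file_full_ea_info *ea = (struct smb2_file_full_ea_info *)buf;
    size_t nlen = strlen(name);

    ea->next_entry_offset = 0;
    ea->flags = 0;
    ea->ea_name_length = (uint8_t)nlen;
    ea->ea_value_length = vlen;
    memcpy(ea->ea_data, name, nlen + 1);         /* name and its NUL */
    memset(ea->ea_data + nlen + 1, 0xAB, vlen);  /* constructed value bytes */
    return sizeof(*ea) + nlen + 1 + vlen;
}

/* Simulates a server response whose iov ends `resp_len` bytes into the
 * record (the backing buffer stays large, so nothing is really read out
 * of bounds here). Returns 0 when both checks accept, 1 when only the
 * buggy check accepts (the off-by-8 window that reads past the iov),
 * 2 when both reject. */
static int classify_response(size_t resp_len)
{
    static union { uint32_t align; uint8_t bytes[64]; } storage;
    uint8_t *buf = storage.bytes;
    size_t full = build_ea(buf, "LXATTRB", 4);   /* 8 + 7 + 1 + 4 = 20 bytes */
    size_t len = resp_len < full ? resp_len : full;
    const struct smb2_file_full_ea_info *ea = (const struct smb2_file_full_ea_info *)buf;
    const uint8_t *end = buf + len;

    /* The earlier check in the parser only guarantees the 8-byte header fits. */
    if (len < sizeof(*ea))
        return 2;
    if (ea_fits_fixed(ea, end))
        return 0;
    return ea_fits_buggy(ea, end) ? 1 : 2;
}

int main(void)
{
    printf("20-byte response -> %d (both accept)\n", classify_response(20));
    printf("14-byte response -> %d (only the buggy check accepts)\n", classify_response(14));
    printf("10-byte response -> %d (both reject)\n", classify_response(10));
    return 0;
}
```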
Affected products
References
- CVE-2026-31614
- SUSE Bug 1263774
- SUSE Bug 1263775
Description
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsi_notify_common() The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_change(). However, the array is only allocated for the number of connectors reported by the device (typically 2-4 entries). A malicious or malfunctioning device could report an out-of-range connector number in the CCI, causing an out-of-bounds array access in ucsi_connector_change(). Add a bounds check in ucsi_notify_common(), the central point where CCI is parsed after arriving from hardware, so that bogus connector numbers are rejected before they propagate further.
Affected products
References
- CVE-2026-31729
- SUSE Bug 1264112
- SUSE Bug 1264128
Description
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled If the gmac0 is disabled, the precheck for a valid ingress device will cause a NULL pointer deref and crash the system. This happens because eth->netdev[0] will be NULL but the code will directly try to access netdev_ops. Instead of just checking for the first net_device, it must be checked if any of the mtk_eth net_devices is matching the netdev_ops of the ingress device.
Affected products
References
- CVE-2026-31736
- SUSE Bug 1263908
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix incorrect pruning due to atomic fetch precision tracking When backtrack_insn encounters a BPF_STX instruction with BPF_ATOMIC and BPF_FETCH, the src register (or r0 for BPF_CMPXCHG) also acts as a destination, thus receiving the old value from the memory location. The current backtracking logic does not account for this. It treats atomic fetch operations the same as regular stores where the src register is only an input. This leads the backtrack_insn to fail to propagate precision to the stack location, which is then not marked as precise! Later, the verifier's path pruning can incorrectly consider two states equivalent when they differ in terms of stack state. Meaning, two branches can be treated as equivalent and thus get pruned when they should not be seen as such. Fix it as follows: Extend the BPF_LDX handling in backtrack_insn to also cover atomic fetch operations via is_atomic_fetch_insn() helper. When the fetch dst register is being tracked for precision, clear it, and propagate precision over to the stack slot. For non-stack memory, the precision walk stops at the atomic instruction, same as regular BPF_LDX. This covers all fetch variants. 
Before:

0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs=r2 stack= before 2: (b7) r2 = 0
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit

After:

0: (b7) r1 = 8 ; R1=8
1: (7b) *(u64 *)(r10 -8) = r1 ; R1=8 R10=fp0 fp-8=8
2: (b7) r2 = 0 ; R2=0
3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2) ; R2=8 R10=fp0 fp-8=mmmmmmmm
4: (bf) r3 = r10 ; R3=fp0 R10=fp0
5: (0f) r3 += r2
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r2 stack= before 4: (bf) r3 = r10
mark_precise: frame0: regs=r2 stack= before 3: (db) r2 = atomic64_fetch_add((u64 *)(r10 -8), r2)
mark_precise: frame0: regs= stack=-8 before 2: (b7) r2 = 0
mark_precise: frame0: regs= stack=-8 before 1: (7b) *(u64 *)(r10 -8) = r1
mark_precise: frame0: regs=r1 stack= before 0: (b7) r1 = 8
6: R2=8 R3=fp8
6: (b7) r0 = 0 ; R0=0
7: (95) exit
Affected products
References
- CVE-2026-43009
- SUSE Bug 1264014
Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix switchdev mode rollback in case of failure If for some internal reason switchdev mode fails, we rollback to legacy mode, before this patch, rollback will unregister the uplink netdev and leave it unregistered causing the below kernel bug. To fix this, we need to avoid netdev unregister by setting the proper rollback flag 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to indicate legacy mode.

devlink (431) used greatest stack depth: 11048 bytes left
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), \
necvfs(0), active vports(0)
mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
mlx5_core 0000:00:03.0: Loading uplink representor for vport 65535
mlx5_core 0000:00:03.0: mlx5_cmd_out_err:816:(pid 456): \
QUERY_HCA_CAP(0x100) op_mod(0x0) failed, \
status bad parameter(0x3), syndrome (0x3a3846), err(-22)
mlx5_core 0000:00:03.0 enp0s3np0 (unregistered): Unloading uplink \
representor for vport 65535
------------[ cut here ]------------
kernel BUG at net/core/dev.c:12070!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 456 Comm: devlink Not tainted 6.16.0-rc3+ \
#9 PREEMPT(voluntary)
RIP: 0010:unregister_netdevice_many_notify+0x123/0xae0
...
Call Trace:
[ 90.923094] unregister_netdevice_queue+0xad/0xf0
[ 90.923323] unregister_netdev+0x1c/0x40
[ 90.923522] mlx5e_vport_rep_unload+0x61/0xc6
[ 90.923736] esw_offloads_enable+0x8e6/0x920
[ 90.923947] mlx5_eswitch_enable_locked+0x349/0x430
[ 90.924182] ? is_mp_supported+0x57/0xb0
[ 90.924376] mlx5_devlink_eswitch_mode_set+0x167/0x350
[ 90.924628] devlink_nl_eswitch_set_doit+0x6f/0xf0
[ 90.924862] genl_family_rcv_msg_doit+0xe8/0x140
[ 90.925088] genl_rcv_msg+0x18b/0x290
[ 90.925269] ? __pfx_devlink_nl_pre_doit+0x10/0x10
[ 90.925506] ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
[ 90.925766] ? __pfx_devlink_nl_post_doit+0x10/0x10
[ 90.926001] ? __pfx_genl_rcv_msg+0x10/0x10
[ 90.926206] netlink_rcv_skb+0x52/0x100
[ 90.926393] genl_rcv+0x28/0x40
[ 90.926557] netlink_unicast+0x27d/0x3d0
[ 90.926749] netlink_sendmsg+0x1f7/0x430
[ 90.926942] __sys_sendto+0x213/0x220
[ 90.927127] ? __sys_recvmsg+0x6a/0xd0
[ 90.927312] __x64_sys_sendto+0x24/0x30
[ 90.927504] do_syscall_64+0x50/0x1c0
[ 90.927687] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 90.927929] RIP: 0033:0x7f7d0363e047
Affected products
References
- CVE-2026-43012
- SUSE Bug 1264016
Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: lag: Check for LAG device before creating debugfs __mlx5_lag_dev_add_mdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5_ldev_add_debugfs() even when there is no valid LAG context. mlx5_ldev_add_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL. Add a check to verify that mlx5_lag_dev(dev) returns a valid pointer before attempting to create the debugfs entries.
Affected products
References
- CVE-2026-43013
- SUSE Bug 1264011
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcm_loop: Drain commands in target_reset handler tcm_loop_target_reset() violates the SCSI EH contract: it returns SUCCESS without draining any in-flight commands. The SCSI EH documentation (scsi_eh.rst) requires that when a reset handler returns SUCCESS the driver has made lower layers "forget about timed out scmds" and is ready for new commands. Every other SCSI LLD (virtio_scsi, mpt3sas, ipr, scsi_debug, mpi3mr) enforces this by draining or completing outstanding commands before returning SUCCESS. Because tcm_loop_target_reset() doesn't drain, the SCSI EH reuses in-flight scsi_cmnd structures for recovery commands (e.g. TUR) while the target core still has async completion work queued for the old se_cmd. The memset in queuecommand zeroes se_lun and lun_ref_active, causing transport_lun_remove_cmd() to skip its percpu_ref_put(). The leaked LUN reference prevents transport_clear_lun_ref() from completing, hanging configfs LUN unlink forever in D-state:

INFO: task rm:264 blocked for more than 122 seconds.
rm D 0 264 258 0x00004000
Call Trace:
 __schedule+0x3d0/0x8e0
 schedule+0x36/0xf0
 transport_clear_lun_ref+0x78/0x90 [target_core_mod]
 core_tpg_remove_lun+0x28/0xb0 [target_core_mod]
 target_fabric_port_unlink+0x50/0x60 [target_core_mod]
 configfs_unlink+0x156/0x1f0 [configfs]
 vfs_unlink+0x109/0x290
 do_unlinkat+0x1d5/0x2d0

Fix this by making tcm_loop_target_reset() actually drain commands:

1. Issue TMR_LUN_RESET via tcm_loop_issue_tmr() to drain all commands that the target core knows about (those not yet CMD_T_COMPLETE).
2. Use blk_mq_tagset_busy_iter() to iterate all started requests and flush_work() on each se_cmd - this drains any deferred completion work for commands that already had CMD_T_COMPLETE set before the TMR (which the TMR skips via __target_check_io_state()).

This is the same pattern used by mpi3mr, scsi_debug, and libsas to drain outstanding commands during reset.
Affected products
References
- CVE-2026-43054
- SUSE Bug 1264063
Description
In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs.
Affected products
References
- CVE-2026-43112
- SUSE Bug 1264437
Description
In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting

unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3
ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at
 __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline]
 netdev_hold include/linux/netdevice.h:4429 [inline]
 inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286
 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline]
 netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886
 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907
 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248
 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333
 team_del_slave drivers/net/team/team_core.c:1936 [inline]
 team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
 call_netdevice_notifiers net/core/dev.c:2295 [inline]
 __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592
 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060
 rtnl_changelink net/core/rtnetlink.c:3776 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
 rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894

problem.

Ido Schimmel found steps to reproduce

ip link add name team1 type team
ip link add name dummy1 mtu 1499 master team1 type dummy
ip netns add ns1
ip link set dev dummy1 netns ns1
ip -n ns1 link del dev dummy1

and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied.
Affected products
References
- CVE-2026-43234
- SUSE Bug 1264409
Description
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always set ID as avail when rm endp Syzkaller managed to find a combination of actions that was generating this warning:

WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535
WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535
Modules linked in:
CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary)
Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline]
RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline]
RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline]
RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538
Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89
RSP: 0018:ffffc9001535b820 EFLAGS: 00010287
netdevsim0: tun_chr_ioctl cmd 1074025677
RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7
netdevsim0: linktype set to 823
RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff
R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800
FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000
netlink: 'syz.3.50': attribute type 5 has an invalid length.
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'.
CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline]
 mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282
 genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg+0xc9/0xf0 net/socket.c:733
 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608
 ___sys_sendmsg+0x2de/0x320 net/socket.c:2662
 __sys_sendmsg net/socket.c:2694 [inline]
 __do_sys_sendmsg net/socket.c:2699 [inline]
 __se_sys_sendmsg net/socket.c:2697 [inline]
 __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6adb66f6d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d
RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000 ---truncated---
Affected products
References
- CVE-2026-43252
- SUSE Bug 1264300
Description
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't send a 6E related command when not supported MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the device doesn't support 6E. Apparently, the firmware is mistakenly advertising support for this command even on AX201 which does not support 6E and then the firmware crashes.
Affected products
References
- CVE-2026-43325
- SUSE Bug 1265110
Description
In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release().
Affected products
References
- CVE-2026-43328
- SUSE Bug 1264832
Description
In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern.
Affected products
References
- CVE-2026-43333
- SUSE Bug 1264726
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC such that other critical metadata updates need to resort to the global reserve. However this is not optimal, as not reserving proper space may result in a transaction abort due to not reserving space for delayed refs and then abusing the use of the global block reserve. For example, the following reproducer (which is unlikely to model any real world use case, but just to illustrate the problem), triggers such a transaction abort due to -ENOSPC when running delayed refs:

$ cat test.sh
#!/bin/bash

DEV=/dev/nullb0
MNT=/mnt/nullb0

umount $DEV &> /dev/null

# Limit device to 1G so that it's much faster to reproduce the issue.
mkfs.btrfs -f -b 1G $DEV
mount -o commit=600 $DEV $MNT

fallocate -l 800M $MNT/filler
btrfs quota enable $MNT

for ((i = 1; i <= 400000; i++)); do
    btrfs qgroup create 1/$i $MNT
done

umount $MNT

When running this, we can see in dmesg/syslog that a transaction abort happened:

[436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28
[436.493] ------------[ cut here ]------------
[436.494] BTRFS: Transaction aborted (error -28)
[436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372
[436.497] Modules linked in: btrfs loop (...)
[436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[436.510] Tainted: [W]=WARN
[436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs]
[436.514] Code: 0f 82 ea (...)
[436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292
[436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001
[436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80
[436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867
[436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400
[436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000
[436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000
[436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0
[436.530] Call Trace:
[436.530] <TASK>
[436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs]
[436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs]
[436.532] sync_filesystem+0x7a/0x90
[436.533] generic_shutdown_super+0x28/0x180
[436.533] kill_anon_super+0x12/0x40
[436.534] btrfs_kill_super+0x12/0x20 [btrfs]
[436.534] deactivate_locked_super+0x2f/0xb0
[436.534] cleanup_mnt+0xea/0x180
[436.535] task_work_run+0x58/0xa0
[436.535] exit_to_user_mode_loop+0xed/0x480
[436.536] ? __x64_sys_umount+0x68/0x80
[436.536] do_syscall_64+0x2a5/0xf20
[436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[436.537] RIP: 0033:0x7fe5906b6217
[436.538] Code: 0d 00 f7 (...)
[436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217
[436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100
[436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff
[436.544] R10: 0000000000000103 R11: ---truncated---
Affected products
References
- CVE-2026-43338
- SUSE Bug 1264716
Description
In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length.
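A constructed C model of the length arithmetic described above, added here as an example; it is not the kernel's ioam6 code, and the constants and the word-based remaining-space check are assumptions made for the demonstration. It shows how storing the schema's contribution in a u8 turns 1 + 1020 / 4 = 256 into 0, so the remaining-space check passes for an entry that actually needs 256 words, and how the same value in an unsigned int makes the check reject it:

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the trace-length accounting the commit message describes.
 * Example code, not the kernel's ioam6 implementation: the constants and
 * the word-based arithmetic are assumptions made for the demonstration. */
#define TRACE_TYPE_BIT22   (1u << 22)   /* "bit 22 enabled" selects the schema */
#define SCHEMA_HDR_WORDS   1u           /* the 4-byte schema header */
#define MAX_SCHEMA_PAYLOAD 1020u        /* largest schema payload, in bytes */

/* Buggy: the schema's contribution is kept in a u8.  For the largest
 * payload 1 + 1020 / 4 = 256, which a u8 store wraps to 0. */
uint8_t schema_words_u8(uint32_t trace_type, unsigned int payload_len)
{
    uint8_t sclen = 0;

    if (trace_type & TRACE_TYPE_BIT22)
        sclen = SCHEMA_HDR_WORDS + payload_len / 4;   /* truncating store */
    return sclen;
}

/* Fixed: the same value kept in an unsigned int survives intact. */
unsigned int schema_words_uint(uint32_t trace_type, unsigned int payload_len)
{
    unsigned int sclen = 0;

    if (trace_type & TRACE_TYPE_BIT22)
        sclen = SCHEMA_HDR_WORDS + payload_len / 4;
    return sclen;
}

/* The remaining-space check, in 4-byte words: returns 1 when the fill
 * would proceed.  node_words is the non-schema part of the trace entry. */
int fill_allowed_buggy(unsigned int remaining_words, unsigned int node_words,
                       unsigned int payload_len)
{
    unsigned int need = node_words + schema_words_u8(TRACE_TYPE_BIT22, payload_len);
    return need <= remaining_words;   /* a wrapped 0 always passes */
}

int fill_allowed_fixed(unsigned int remaining_words, unsigned int node_words,
                       unsigned int payload_len)
{
    unsigned int need = node_words + schema_words_uint(TRACE_TYPE_BIT22, payload_len);
    return need <= remaining_words;
}

int main(void)
{
    /* 16 words left; the entry needs 4 words plus a 1020-byte schema (256 words). */
    printf("buggy: %d fixed: %d\n",
           fill_allowed_buggy(16, 4, MAX_SCHEMA_PAYLOAD),
           fill_allowed_fixed(16, 4, MAX_SCHEMA_PAYLOAD));
    return 0;
}
```

For any payload below the maximum the two variants agree (a 100-byte schema costs 26 words in both); only the boundary value wraps, which is why a width-limited length field should be tested at its maximum rather than at typical sizes.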
Affected products
References
- CVE-2026-43341
- SUSE Bug 1265044
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even require that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon.
Affected products
References
- CVE-2026-43359
- SUSE Bug 1264719
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on file creation due to name hash collision If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turn the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges/capabilities. Reproducer:

$ cat exploit-hash-collisions.sh
#!/bin/bash

DEV=/dev/sdi
MNT=/mnt/sdi

# Use smallest node size to make the test faster and require fewer file
# names that result in hash collision.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT

# List of names that result in the same crc32c hash for btrfs.
declare -a names=(
'foobar'
'%a8tYkxfGMLWRGr55QSeQc4PBNH9PCLIvR6jZnkDtUUru1t@RouaUe_L:@xGkbO3nCwvLNYeK9vhE628gss:T$yZjZ5l-Nbd6CbC$M=hqE-ujhJICXyIxBvYrIU9-TDC'
'AQci3EUB%shMsg-N%frgU:02ByLs=IPJU0OpgiWit5nexSyxZDncY6WB:=zKZuk5Zy0DD$Ua78%MelgBuMqaHGyKsJUFf9s=UW80PcJmKctb46KveLSiUtNmqrMiL9-Y0I_l5Fnam04CGIg=8@U:Z'
'CvVqJpJzueKcuA$wqwePfyu7VxuWNN3ho$p0zi2H8QFYK$7YlEqOhhb%:hHgjhIjW5vnqWHKNP4'
'ET:vk@rFU4tsvMB0$C_p=xQHaYZjvoF%-BTc%wkFW8yaDAPcCYoR%x$FH5O:'
'HwTon%v7SGSP4FE08jBwwiu5aot2CFKXHTeEAa@38fUcNGOWvE@Mz6WBeDH_VooaZ6AgsXPkVGwy9l@@ZbNXabUU9csiWrrOp0MWUdfi$EZ3w9GkIqtz7I_eOsByOkBOO'
'Ij%2VlFGXSuPvxJGf5UWy6O@1svxGha%b@=%wjkq:CIgE6u7eJOjmQY5qTtxE2Rjbis9@us'
'KBkjG5%9R8K9sOG8UTnAYjxLNAvBmvV5vz3IiZaPmKuLYO03-6asI9lJ_j4@6Xo$KZicaLWJ3Pv8XEwVeUPMwbHYWwbx0pYvNlGMO9F:ZhHAwyctnGy%_eujl%WPd4U2BI7qooOSr85J-C2V$LfY'
'NcRfDfuUQ2=zP8K3CCF5dFcpfiOm6mwenShsAb_F%n6GAGC7fT2JFFn:c35X-3aYwoq7jNX5$ZJ6hI3wnZs$7KgGi7wjulffhHNUxAT0fRRLF39vJ@NvaEMxsMO'
'Oj42AQAEzRoTxa5OuSKIr=A_lwGMy132v4g3Pdq1GvUG9874YseIFQ6QU'
'Ono7avN5GjC:_6dBJ_'
'WHmN2gnmaN-9dVDy4aWo:yNGFzz8qsJyJhWEWcud7$QzN2D9R0efIWWEdu5kwWr73NZm4=@CoCDxrrZnRITr-kGtU_cfW2:%2_am'
'WiFnuTEhAG9FEC6zopQmj-A-$LDQ0T3WULz%ox3UZAPybSV6v1Z$b4L_XBi4M4BMBtJZpz93r9xafpB77r:lbwvitWRyo$odnAUYlYMmU4RvgnNd--e=I5hiEjGLETTtaScWlQp8mYsBovZwM2k'
'XKyH=OsOAF3p%uziGF_ZVr$ivrvhVgD@1u%5RtrV-gl_vqAwHkK@x7YwlxX3qT6WKKQ%PR56NrUBU2dOAOAdzr2=5nJuKPM-T-$ZpQfCL7phxQbUcb:BZOTPaFExc-qK-gDRCDW2'
'd3uUR6OFEwZr%ns1XH_@tbxA@cCPmbBRLdyh7p6V45H$P2$F%w0RqrD3M0g8aGvWpoTFMiBdOTJXjD:JF7=h9a_43xBywYAP%r$SPZi%zDg%ql-KvkdUCtF9OLaQlxmd'
'ePTpbnit%hyNm@WELlpKzNZYOzOTf8EQ$sEfkMy1VOfIUu3coyvIr13-Y7Sv5v-Ivax2Go_GQRFMU1b3362nktT9WOJf3SpT%z8sZmM3gvYQBDgmKI%%RM-G7hyrhgYflOw%z::ZRcv5O:lDCFm'
'evqk743Y@dvZAiG5J05L_ROFV@$2%rVWJ2%3nxV72-W7$e$-SK3tuSHA2mBt$qloC5jwNx33GmQUjD%akhBPu=VJ5g$xhlZiaFtTrjeeM5x7dt4cHpX0cZkmfImndYzGmvwQG:$euFYmXn$_2rA9mKZ'
'gkgUtnihWXsZQTEkrMAWIxir09k3t7jk_IK25t1:cy1XWN0GGqC%FrySdcmU7M8MuPO_ppkLw3=Dfr0UuBAL4%GFk2$Ma10V1jDRGJje%Xx9EV2ERaWKtjpwiZwh0gCSJsj5UL7CR8RtW5opCVFKGGy8Cky'
'hNgsG_8lNRik3PvphqPm0yEH3P%%fYG:kQLY=6O-61Wa6nrV_WVGR6TLB09vHOv%g4VQRP8Gzx7VXUY1qvZyS'
'isA7JVzN12xCxVPJZ_qoLm-pTBuhjjHMvV7o=F:EaClfYNyFGlsfw-Kf%uxdqW-kwk1sPl2vhbjyHU1A6$hz'
'kiJ_fgcdZFDiOptjgH5PN9-PSyLO4fbk_:u5_2tz35lV_iXiJ6cx7pwjTtKy-XGaQ5IefmpJ4N_ZqGsqCsKuqOOBgf9LkUdffHet@Wu'
'lvwtxyhE9:%Q3UxeHiViUyNzJsy:fm38pg_b6s25JvdhOAT=1s0$pG25x=LZ2rlHTszj=gN6M4zHZYr_qrB49i=pA--@WqWLIuX7o1S_SfS@2FSiUZN'
'rC24cw3UBDZ=5qJBUMs9e$=S4Y94ni%Z8639vnrGp=0Hv4z3dNFL0fBLmQ40=EYIY:Z=SLc@QLMSt2zsss2ZXrP7j4='
'uwGl2s-fFrf@GqS=DQqq2I0LJSsOmM%xzTjS:lzXguE3wChdMoHYtLRKPvfaPOZF2fER@j53evbKa7R%A7r4%YEkD=kicJe@SFiGtXHbKe4gCgPAYbnVn'
'UG37U6KKua2bgc:IHzRs7BnB6FD:2Mt5Cc5NdlsW%$1tyvnfz7S27FvNkroXwAW:mBZLA1@qa9WnDbHCDmQmfPMC9z-Eq6QT0jhhPpqyymaD:R02ghwYo%yx7SAaaq-:x33LYpei$5g8DMl3C'
'y2vjek0FE1PDJC0qpfnN:x8k2wCFZ9xiUF2ege=JnP98R%wxjKkdfEiLWvQzmnW'
'8-HCSgH5B%K7P8_jaVtQhBXpBk:pE-$P7ts58U0J@iR9YZntMPl7j$s62yAJO@_9eanFPS54b=UTw$94C-t=HLxT8n6o9P=QnIxq-f1=Ne2dvhe6WbjEQtc'
'YPPh:IFt2mtR6XWSmjHptXL_hbSYu8bMw-JP8@PNyaFkdNFsk$M=xfL6LDKCDM-mSyGA_2MBwZ8Dr4=R1D%7-mC ---truncated---
Affected products
References
- CVE-2026-43360
- SUSE Bug 1264720
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system. Reproducer script:

$ cat test.sh
#!/bin/bash

DEV=/dev/sdi
MNT=/mnt/sdi

# Use smallest node size to make the test faster.
mkfs.btrfs -f --nodesize 4K $DEV
mount $DEV $MNT

# Create a subvolume and set it to RO so that it can be used for send.
btrfs subvolume create $MNT/sv
touch $MNT/sv/foo
btrfs property set $MNT/sv ro true

# Send and receive the subvolume into snaps/sv.
mkdir $MNT/snaps
btrfs send $MNT/sv | btrfs receive $MNT/snaps

# Now snapshot the received subvolume, which has a received_uuid, a
# lot of times to trigger the leaf overflow.
total=500
for ((i = 1; i <= $total; i++)); do
    echo -ne "\rCreating snapshot $i/$total"
    btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
done
echo

umount $MNT

When running the test:

$ ./test.sh
(...)
Create subvolume '/mnt/sdi/sv'
At subvol /mnt/sdi/sv
At subvol sv
Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system

And in dmesg/syslog:

$ dmesg
(...)
[251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
[251067.629212] ------------[ cut here ]------------
[251067.630033] BTRFS: Transaction aborted (error -75)
[251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
[251067.632851] Modules linked in: btrfs dm_zero (...)
[251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
[251067.646165] Tainted: [W]=WARN
[251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
[251067.649984] Code: f0 48 0f (...)
[251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
[251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
[251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
[251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
[251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
[251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
[251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
[251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
[251067.661972] Call Trace:
[251067.662292] <TASK>
[251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
[251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
[251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
[251067.665238] ? _raw_spin_unlock+0x15/0x30
[251067.665837] ? record_root_ ---truncated---
Affected products
References
- CVE-2026-43361
- SUSE Bug 1264722
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't unaffected as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption.
Affected products
References
- CVE-2026-43362
- SUSE Bug 1264989
- SUSE Bug 1264990
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
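As an added example (not qla2xxx code and not part of this advisory), the following C program models the ownership rule the fix restores: a request object carries a kref-style count and a release callback that owns a second object, so once the last reference is dropped the caller must not free that object itself. The structures, the release callback and the ledger that counts frees are constructed for the illustration; the ledger replaces free() so that the double free is observable as a count rather than as undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not qla2xxx code. A request object carries a kref-style
 * count and a release callback that owns a second object (the fcport).
 * Frees are recorded in a ledger instead of calling free(), so a double
 * free shows up as a count of 2 rather than as undefined behaviour.
 */
static int fcport_free_calls;

struct fcport { int id; };

struct srb {
    int refcnt;
    struct fcport *fcport;
    void (*free)(struct srb *sp);   /* analogue of sp->free */
};

static void free_fcport(struct fcport *f)
{
    (void)f;
    fcport_free_calls++;            /* a second call is a double free */
}

/* Analogue of qla2x00_els_dcmd_sp_free(): the release owns fcport. */
static void els_dcmd_sp_free(struct srb *sp)
{
    free_fcport(sp->fcport);
    sp->fcport = NULL;
}

/* Analogue of kref_put() via qla2x00_sp_release(): last ref runs free. */
static int sp_release(struct srb *sp)
{
    if (--sp->refcnt == 0) {
        sp->free(sp);
        return 1;
    }
    return 0;
}

static void setup(struct srb *sp, struct fcport *f)
{
    sp->refcnt = 1;                 /* the first and the last reference */
    sp->fcport = f;
    sp->free = els_dcmd_sp_free;
    fcport_free_calls = 0;
}

/* Error path as the bug had it: frees fcport again after the last put. */
static int error_path_buggy(void)
{
    struct fcport port = { 1 };
    struct srb sp;
    struct fcport *fcport;

    setup(&sp, &port);
    fcport = sp.fcport;             /* local copy taken before the put */
    sp_release(&sp);                /* release callback frees fcport */
    free_fcport(fcport);            /* double free */
    return fcport_free_calls;
}

/* Fixed error path: the release callback is the only owner. */
static int error_path_fixed(void)
{
    struct fcport port = { 1 };
    struct srb sp;

    setup(&sp, &port);
    sp_release(&sp);
    return fcport_free_calls;
}

int main(void)
{
    printf("buggy error path frees fcport %d times\n", error_path_buggy());
    printf("fixed error path frees fcport %d times\n", error_path_fixed());
    return 0;
}
```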
Affected products
References
- CVE-2026-43414
- SUSE Bug 1264669
- SUSE Bug 1264670
Description
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter()

remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems:

1) the rbtree dequeue happens without waiter::task::pi_lock being held
2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around.
3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task

Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems.

[ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ]
Affected products
References
- CVE-2026-43499
- SUSE Bug 1266001
- SUSE Bug 1266014
Description
In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to.
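As an added example (not the kernel's slhc.c and not part of this advisory), the following C program reconstructs the two decoder shapes the entry contrasts. It assumes the VJ header-compression integer encoding from RFC 1144, where a non-zero byte is the value itself and a zero byte announces a 16-bit big-endian value. The unbounded decoder mirrors the defect: no end pointer, and a result masked with 0xffff so the -1 its callers test for can never appear. The bounded decoder takes the frame end and reports exhaustion. The frames, the canary bytes placed after the short frame and the helper names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not the kernel's slhc.c. The VJ header-compression
 * integer encoding (RFC 1144): a non-zero byte is the value 1..255; a
 * zero byte means a 16-bit big-endian value follows. The unbounded
 * decoder mirrors the bug: no end pointer, and a result masked with
 * 0xffff, so the -1 that callers test for can never be produced. The
 * bounded decoder takes the frame end and returns -1 when exhausted.
 */

static long decode_unbounded(const uint8_t **cpp)
{
    int x = *(*cpp)++;
    if (x == 0) {
        unsigned short v = *(*cpp)++;           /* reads regardless of end */
        v = (unsigned short)((v << 8) | *(*cpp)++);
        return v & 0xffff;                      /* masked: never -1 */
    }
    return x & 0xff;
}

static long decode_bounded(const uint8_t **cpp, const uint8_t *end)
{
    if (*cpp >= end)
        return -1;
    int x = *(*cpp)++;
    if (x != 0)
        return x & 0xff;
    if (end - *cpp < 2)                         /* 16-bit value must fit */
        return -1;
    unsigned short v = (unsigned short)(((*cpp)[0] << 8) | (*cpp)[1]);
    *cpp += 2;
    return v;
}

/*
 * Constructed backing storage: a 3-byte frame followed by two bytes
 * that belong to whatever sits after the packet in memory (a canary).
 * The frame's second field starts with a zero byte, promising 16 bits,
 * but only one byte of the frame remains.
 */
static const uint8_t backing[] = { 0x05, 0x00, 0x01, 0xaa, 0xbb };
#define FRAME_LEN 3

/* Unbounded: the second field swallows the canary byte 0xaa. */
static long unbounded_second_field(void)
{
    const uint8_t *cp = backing;
    decode_unbounded(&cp);
    return decode_unbounded(&cp);               /* 0x01aa */
}

/* Bounded: the same field is reported as exhausted. */
static long bounded_second_field(void)
{
    const uint8_t *cp = backing;
    const uint8_t *end = backing + FRAME_LEN;
    decode_bounded(&cp, end);
    return decode_bounded(&cp, end);            /* -1 */
}

/* A complete frame (constructed): 5, 0x0102 = 258, 127. */
static const uint8_t good_frame[] = { 0x05, 0x00, 0x01, 0x02, 0x7f };

/* Decode field i of good_frame with the bounded decoder, or -1. */
static long good_frame_field(int i)
{
    const uint8_t *cp = good_frame;
    const uint8_t *end = good_frame + sizeof good_frame;
    long v = -1;
    for (int k = 0; k <= i; k++) {
        v = decode_bounded(&cp, end);
        if (v == -1)
            break;
    }
    return v;
}

int main(void)
{
    printf("unbounded second field: 0x%lx\n", unbounded_second_field());
    printf("bounded second field:   %ld\n", bounded_second_field());
    printf("good frame: %ld %ld %ld past-end: %ld\n", good_frame_field(0),
           good_frame_field(1), good_frame_field(2), good_frame_field(3));
    return 0;
}
```

The canary stands in for the bytes that, in the kernel, end up folded into the cached connection state and reflected into later reconstructed packets; the bounded decoder never reaches them.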
Affected products
References
- CVE-2026-45843
- SUSE Bug 1266395
Description
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted

The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):
- `empty` (OWN=1, buffer valid)
- `full` (OWN=0, buffer valid and populated)
- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`.

The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`.

Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well.

Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.
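As an added example (not driver code and not part of this advisory), the following C program models the RX ring described above and drives it through the exact sequence the entry describes: a refill that stops early under memory pressure, the MAC filling the descriptors that were successfully re-armed, and a consumer loop that walks into a dirty descriptor without wrapping the whole ring. The ring size, the injected allocation budget, the buffer pool and the function names are constructed for the illustration; the buggy consumer checks OWN only (as the pre-fix loop did), the fixed one also stops when the next descriptor is dirty.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not driver code. A minimal model of the stmmac RX ring:
 * each descriptor has an OWN bit and a buffer pointer. The MAC fills
 * descriptors it owns and clears OWN; the driver consumes full ones,
 * NULLing the buffer (making them "dirty"), and refill() re-arms them.
 * Allocation failure is injected so refill() stops early and leaves
 * dirty descriptors ahead of cur_rx.
 */
#define RING 8

struct desc { int own; char *buf; };

struct rx_ring {
    struct desc d[RING];
    unsigned cur_rx;        /* consumer position */
    unsigned dirty_rx;      /* refill position */
    int alloc_budget;       /* injected memory pressure */
};

static char pool[RING * 2][16];     /* constructed buffer pool */
static int pool_next;

static char *alloc_buf(struct rx_ring *r)
{
    if (r->alloc_budget <= 0)
        return NULL;
    r->alloc_budget--;
    return pool[pool_next++ % (RING * 2)];
}

static int is_dirty(const struct desc *d)
{
    return !d->own && !d->buf;
}

/* Analogue of stmmac_rx_refill(): stops at the first failed allocation. */
static void refill(struct rx_ring *r)
{
    for (unsigned i = 0; i < RING; i++) {
        struct desc *d = &r->d[r->dirty_rx];
        if (!is_dirty(d))
            break;
        d->buf = alloc_buf(r);
        if (!d->buf)
            break;                  /* left dirty, retried next time */
        d->own = 1;
        r->dirty_rx = (r->dirty_rx + 1) % RING;
    }
}

/* The MAC side: fills up to n descriptors it owns, then hands them back. */
static void mac_deliver(struct rx_ring *r, unsigned *mac_pos, int n)
{
    for (int i = 0; i < n; i++) {
        struct desc *d = &r->d[*mac_pos];
        if (!d->own)
            break;                  /* no empty descriptor: MAC stalls */
        strcpy(d->buf, "frame");
        d->own = 0;
        *mac_pos = (*mac_pos + 1) % RING;
    }
}

/* Buggy consumer: OWN is the only check. Returns frames consumed,
 * or -1 where the real driver would dereference a NULL buffer. */
static int rx_buggy(struct rx_ring *r, int limit)
{
    int count = 0;
    while (count < limit) {
        struct desc *d = &r->d[r->cur_rx];
        if (d->own)
            break;
        if (!d->buf)
            return -1;              /* dirty mistaken for full */
        d->buf = NULL;              /* handed to the stack */
        r->cur_rx = (r->cur_rx + 1) % RING;
        count++;
    }
    return count;
}

/* Fixed consumer: do not advance onto a dirty descriptor. */
static int rx_fixed(struct rx_ring *r, int limit)
{
    int count = 0;
    while (count < limit) {
        struct desc *d = &r->d[r->cur_rx];
        unsigned next = (r->cur_rx + 1) % RING;
        if (d->own || is_dirty(&r->d[next]))
            break;                  /* MAC owns it, or refill fell behind */
        d->buf = NULL;
        r->cur_rx = next;
        count++;
    }
    return count;
}

/* Drive the sequence from the commit message with one consumer. */
static int scenario(int (*rx)(struct rx_ring *, int))
{
    struct rx_ring r;
    unsigned mac_pos = 0;

    memset(&r, 0, sizeof r);
    pool_next = 0;
    r.alloc_budget = RING;
    refill(&r);                     /* arm all 8 descriptors */
    r.alloc_budget = 1;             /* memory pressure from here on */
    mac_deliver(&r, &mac_pos, 3);
    rx(&r, RING - 1);               /* consumes 0..2, all now dirty */
    refill(&r);                     /* re-arms descriptor 0 only */
    mac_deliver(&r, &mac_pos, 6);   /* 3..7 and 0 become full */
    return rx(&r, RING - 1);        /* cur_rx walks into dirty 1 */
}

int main(void)
{
    printf("buggy rx: %d (-1 = NULL deref)\n", scenario(rx_buggy));
    printf("fixed rx: %d frames, stopped before the dirty slot\n", scenario(rx_fixed));
    return 0;
}
```

The iteration limit of RING - 1 mirrors the earlier dma_rx_size - 1 clamp: it does not help, because cur_rx reaches the dirty descriptor after six frames, well short of a full lap. The fixed consumer leaves descriptor 0 full and unprocessed, which is the cost the entry describes, and never touches the NULL buffer.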
Affected products
References
- CVE-2026-46110
- SUSE Bug 1266759
Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key.
Affected products
References
- CVE-2026-46243
- SUSE Bug 1266238
- SUSE Bug 1266265