Count 30
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| CVE-2026-31504 In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an a... | CVSS3: 7.8 | 0% Low | 2 months ago |
| CVE-2026-31504 In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an a... | CVSS3: 6.3 | 0% Low | 2 months ago |
| CVE-2026-31504 In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following an | CVSS3: 7.8 | 0% Low | 2 months ago |
| CVE-2026-31504 net: fix fanout UAF in packet_release() via NETDEV_UP race | CVSS3: 7 | 0% Low | about 2 months ago |
| CVE-2026-31504 In the Linux kernel, the following vulnerability has been resolved: n ... | CVSS3: 7.8 | 0% Low | 2 months ago |
| GHSA-5v9p-3rfc-6rw2 In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_UP race `packet_release()` has a race window where `NETDEV_UP` can re-register a socket into a fanout group's `arr[]` array. The re-registration is not cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout array. `packet_release()` does NOT zero `po->num` in its `bind_lock` section. After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex` still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)` that already found the socket in `sklist` can re-register the hook. For fanout sockets, this re-registration calls `__fanout_link(sk, po)` which adds the socket back into `f->arr[]` and increments `f->num_members`, but does NOT increment `f->sk_ref`. The fix sets `po->num` to zero in `packet_release` while `bind_lock` is held to prevent NETDEV_UP from linking, preventing the race window. This bug was found following ... | CVSS3: 7.8 | 0% Low | 2 months ago |
| SUSE-SU-2026:2592-1 Security update for the Linux Kernel (Live Patch 79 for SUSE Linux Enterprise 12 SP5) | | | 3 days ago |
| SUSE-SU-2026:2549-1 Security update for the Linux Kernel (Live Patch 71 for SUSE Linux Enterprise 12 SP5) | | | 3 days ago |
| SUSE-SU-2026:2518-1 Security update for the Linux Kernel (Live Patch 70 for SUSE Linux Enterprise 12 SP5) | | | 4 days ago |
| SUSE-SU-2026:2494-1 Security update for the Linux Kernel (Live Patch 69 for SUSE Linux Enterprise 12 SP5) | | | 4 days ago |
| SUSE-SU-2026:2594-1 Security update for the Linux Kernel (Live Patch 14 for SUSE Linux Enterprise 15 SP7) | | | 3 days ago |
| SUSE-SU-2026:2571-1 Security update for the Linux Kernel (Live Patch 30 for SUSE Linux Enterprise 15 SP5) | | | 3 days ago |
| SUSE-SU-2026:2567-1 Security update for the Linux Kernel (Live Patch 26 for SUSE Linux Enterprise 15 SP5) | | | 3 days ago |
| SUSE-SU-2026:2559-1 Security update for the Linux Kernel (Live Patch 23 for SUSE Linux Enterprise 15 SP6) | | | 3 days ago |
| SUSE-SU-2026:2520-1 Security update for the Linux Kernel (Live Patch 11 for SUSE Linux Enterprise 15 SP7) | | | 4 days ago |
| SUSE-SU-2026:2511-1 Security update for the Linux Kernel (Live Patch 47 for SUSE Linux Enterprise 15 SP4) | | | 4 days ago |
| SUSE-SU-2026:2503-1 Security update for the Linux Kernel RT (Live Patch 11 for SUSE Linux Enterprise 15 SP7) | | | 4 days ago |
| SUSE-SU-2026:2496-1 Security update for the Linux Kernel (Live Patch 46 for SUSE Linux Enterprise 15 SP4) | | | 4 days ago |
| ELSA-2026-50318 ELSA-2026-50318: Unbreakable Enterprise kernel security update (IMPORTANT) | | | 12 days ago |
| SUSE-SU-2026:2588-1 Security update for the Linux Kernel (Live Patch 18 for SUSE Linux Enterprise 15 SP6) | | | 3 days ago |