OESA-2026-2172

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2172
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2172.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2026-2172
Upstream
Published
2026-05-03T09:57:13Z
Modified
2026-05-03T10:20:43.273192Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.(CVE-2025-27558)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ife: Fix metalist update behavior

Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being inappropriate behavior, this may lead to an unbounded addition of metadata to the metalist which might cause an out of bounds error when running the encode op:

BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
Write of size 4 at addr ffff8880077f4ffe
CPU: 1 UID: 0 PID: 255 Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
Call Trace (innermost first, other frames omitted): ife_tlv_meta_encode (net/ife/ife.c:168), ife_encode_meta_u16 (net/sched/act_ife.c:57), tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)

To solve this issue, fix the replace behavior by adding the metalist to the ife rcu data structure.(CVE-2026-23378)

In the Linux kernel, the following vulnerability has been resolved:

icmp: fix NULL pointer dereference in icmp_tag_validation()

icmp_tag_validation() unconditionally dereferences the result of rcu_dereference(inet_protos[proto]) without checking for NULL. The inet_protos[] array is sparse -- only about 15 of 256 protocol numbers have registered handlers. When ip_no_pmtu_disc is set to 3 (hardened PMTU mode) and the kernel receives an ICMP Fragmentation Needed error with a quoted inner IP header containing an unregistered protocol number, the NULL dereference causes a kernel panic in softirq context.

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:icmp_unreach (net/ipv4/icmp.c:1085 net/ipv4/icmp.c:1143)
Call Trace:
<IRQ>
icmp_rcv (net/ipv4/icmp.c:1527)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:207)
ip_local_deliver_finish (net/ipv4/ip_input.c:242)
ip_local_deliver (net/ipv4/ip_input.c:262)
ip_rcv (net/ipv4/ip_input.c:573)
__netif_receive_skb_one_core (net/core/dev.c:6164)
process_backlog (net/core/dev.c:6628)
handle_softirqs (kernel/softirq.c:561)
</IRQ>

Add a NULL check before accessing icmp_strict_tag_validation. If the protocol has no registered handler, return false since it cannot perform strict tag validation.(CVE-2026-23398)

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix side-effect bug in match_char() macro usage

The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary.

BUG: KASAN: slab-out-of-bounds in aa_dfa_match+0x5ae/0x760
Read of size 1 at addr ffff888100342000 by task file/976
CPU: 7 UID: 1000 PID: 976 Comm: file Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace (innermost first, other frames omitted): aa_dfa_match+0x5ae/0x760, __aa_path_perm+0x131/0x400, aa_path_perm+0x219/0x2f0, apparmor_file_open+0x345/0x570, security_file_open+0x5c/0x140, do_dentry_open+0x2f6/0x1120, vfs_open+0x38/0x2b0, path_openat+0x231b/0x2b30, do_sys_openat2+0x98/0x100, __x64_sys_openat+0xf8/0x130, do_syscall_64+0x8e/0x660

Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop.(CVE-2026-23406)

In the Linux kernel, the following vulnerability has been resolved:

apparmor: fix missing bounds check on DEFAULT table in verify_dfa()

The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded.

When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes.

BUG: KASAN: slab-out-of-bounds in verify_dfa+0x59a/0x660
Read of size 4 at addr ffff888100eadec4 by task su/993
CPU: 1 UID: 0 PID: 993 Comm: su Not tainted 6.19.0-rc7-next-20260127 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace (innermost first, other frames omitted): verify_dfa+0x59a/0x660, aa_dfa_unpack+0x1610/0x1740, unpack_pdb+0x86d/0x46b0, aa_unpack+0x20b0/0x4c30, aa_replace_profiles+0x15a/0x1dd0, policy_update+0x17a/0x330, profile_replace+0x153/0x1a0, vfs_write+0x235/0xab0, ksys_write+0xb0/0x170, do_syscall_64+0x8e/0x660

Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally.(CVE-2026-23407)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: add NULL checks for idev in SRv6 paths

__in6_dev_get() can return NULL when the device has no IPv6 configuration (e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).

Add NULL checks for idev returned by __in6_dev_get() in both seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL pointer dereferences.(CVE-2026-23442)

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated against the total skb length without accounting for ndpoffset, allowing out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to express the NDP-plus-DPE-array size more clearly.

Compile-tested only.(CVE-2026-23447)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: teql: Fix double-free in teql_master_xmit

Whenever a TEQL device has a lockless Qdisc as root, qdisc_reset should be called using the seqlock to avoid racing with the datapath. Failure to do so may cause crashes like the following:

BUG: KASAN: double-free in skb_release_data (net/core/skbuff.c:1139)
Free of addr ffff88810c67ec00 by task PID 318
CPU: 3 UID: 0 PID: 318 Not tainted 7.0.0-rc3-00149-ge5b31d988a41 #704 PREEMPT(full)
Call Trace (innermost first, other frames omitted): skb_release_data (net/core/skbuff.c:1139), kmem_cache_free, pfifo_fast_reset (net/sched/sch_generic.c:827), qdisc_reset (net/sched/sch_generic.c:1034), teql_destroy (net/sched/sch_teql.c:157), __qdisc_destroy (net/sched/sch_generic.c:1077), qdisc_graft (net/sched/sch_api.c:1159), tc_get_qdisc (net/sched/sch_api.c:1529 net/sched/sch_api.c:1556)
Allocated by task 303 on cpu 5 at 238.026275s (innermost first, other frames omitted): __alloc_skb (net/core/skbuff.c:713), alloc_skb_with_frags (net/core/skbuff.c:6763), sock_alloc_send_pskb (net/core/sock.c:2997), packet_sendmsg (net/packet/af_packet.c:3108)
Freed by task 299 on cpu 1 at 238.028496s (free stack omitted) ---truncated---(CVE-2026-23449)

In the Linux kernel, the following vulnerability has been resolved:

PM: runtime: Fix a race condition related to device removal

The following code in pm_runtime_work() may dereference the dev->parent pointer after the parent device has been freed:

/* Maybe the parent is now able to suspend. */
if (parent && !parent->power.ignore_children) {
    spin_unlock(&dev->power.lock);

    spin_lock(&parent->power.lock);
    rpm_idle(parent, RPM_ASYNC);
    spin_unlock(&parent->power.lock);

    spin_lock(&dev->power.lock);
}

Fix this by inserting a flush_work() call in pm_runtime_remove().

Without this patch blktests block/001 triggers the following complaint sporadically:

BUG: KASAN: slab-use-after-free in lock_acquire+0x70/0x160
Read of size 1 at addr ffff88812bef7198 by task kworker/u553:1/3081
Workqueue: pm pm_runtime_work
Call Trace (innermost first, other frames omitted): lock_acquire+0x70/0x160, _raw_spin_lock+0x36/0x50, rpm_suspend+0xc6a/0xfe0, rpm_idle+0x578/0x770, pm_runtime_work+0xee/0x120, process_one_work+0xde3/0x1410, worker_thread+0x5eb/0xfe0, kthread+0x37b/0x480

Allocated by task 4314 (innermost first, other frames omitted): __kmalloc_noprof+0x311/0x990, scsi_alloc_target+0x122/0xb60 [scsi_mod], __scsi_scan_target+0x101/0x460 [scsi_mod], scsi_scan_channel+0x179/0x1c0 [scsi_mod], scsi_scan_host_selected+0x259/0x2d0 [scsi_mod], store_scan+0x2d2/0x390 [scsi_mod], dev_attr_store+0x43/0x80, sysfs_kf_write+0xde/0x140, kernfs_fop_write_iter+0x3ef/0x670, vfs_write+0x506/0x1470, ksys_write+0xfd/0x230

Freed by task 4314 (innermost first, other frames omitted): kfree+0x225/0x6c0, scsi_target_dev_release+0x3d/0x60 [scsi_mod], device_release+0xa3/0x220, kobject_put+0x72/0xd0, put_device+0x17/0x20, scsi_device_dev_release+0xacf/0x12c0 [scsi_mod], device_release+0xa3/0x220, kobject_put+0x72/0xd0, put_device+0x17/0x20, scsi_device_put+0x7f/0xc0 [scsi_mod], sdev_store_delete+0xa5/0x120 [scsi_mod], dev_attr_store+0x43/0x80, sysfs_kf_write+0xde/0x140, kernfs_fop_write_iter+0x3ef/0x670, vfs_write+0x506/0x1470, ksys_write+0xfd/0x230(CVE-2026-23452)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wraps to -1, which is then passed as a large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.(CVE-2026-23455)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read.

Add a boundary check for len bytes after get_bits() and before get_uint().(CVE-2026-23456)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()

sip_help_tcp() parses the SIP Content-Length header with simple_strtoul(), which returns unsigned long, but stores the result in unsigned int clen. On 64-bit systems, values exceeding UINT_MAX are silently truncated before computing the SIP message boundary.

For example, Content-Length 4294967328 (2^32 + 32) is truncated to 32, causing the parser to miscalculate where the current message ends. The loop then treats trailing data in the TCP segment as a second SIP message and processes it through the SDP parser.

Fix this by changing clen to unsigned long to match the return type of simple_strtoul(), and reject Content-Length values that exceed the remaining TCP payload length.(CVE-2026-23457)
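A userspace model of the Content-Length boundary computation described above, added here as an example (not the kernel's sip_help_tcp() code): the "before" parser stores strtoul()'s unsigned long result in an unsigned int, the "after" parser keeps the full width and rejects a length that exceeds the remaining payload. The header scanning helpers and the two SIP messages are constructed for the example; it assumes an LP64 host where unsigned long is 64 bits.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Index just past the "\r\n\r\n" that terminates the SIP headers,
 * or 0 if the message has no complete header block. (Simplified
 * stand-in for the kernel's header scan, constructed for this example.) */
static size_t sip_header_end(const char *msg, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(msg + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    return 0;
}

/* Pointer to the value of the Content-Length header, or NULL. */
static const char *sip_content_length(const char *msg, size_t len)
{
    static const char key[] = "Content-Length:";
    const size_t klen = sizeof(key) - 1;
    for (size_t i = 0; i + klen <= len; i++)
        if (memcmp(msg + i, key, klen) == 0)
            return msg + i + klen;
    return NULL;
}

/* "Before" shape: strtoul() returns unsigned long, but the value is kept
 * in an unsigned int, so on a 64-bit host 4294967328 silently becomes 32.
 * Returns the computed end offset of the current message, 0 on failure. */
size_t sip_msg_end_truncated(const char *msg, size_t len)
{
    size_t hdr_end = sip_header_end(msg, len);
    const char *v = sip_content_length(msg, len);
    unsigned int clen;          /* too narrow for unsigned long */

    if (!hdr_end || !v)
        return 0;
    clen = strtoul(v, NULL, 10);  /* truncating assignment */
    return hdr_end + clen;        /* may point inside the same segment */
}

/* "After" shape: keep the full width and reject a body length that would
 * reach past the remaining TCP payload. */
size_t sip_msg_end_checked(const char *msg, size_t len)
{
    size_t hdr_end = sip_header_end(msg, len);
    const char *v = sip_content_length(msg, len);
    unsigned long clen;

    if (!hdr_end || !v)
        return 0;
    clen = strtoul(v, NULL, 10);
    if (clen > len - hdr_end)     /* body cannot extend beyond the segment */
        return 0;
    return hdr_end + clen;
}

/* Constructed TCP segment: one INVITE whose Content-Length is 2^32 + 32,
 * a 32-byte SDP body, and trailing bytes that the truncated parser would
 * treat as a second SIP message starting at hdr_end + 32. */
static const char sample_bad[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 4294967328\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"      /* 32 bytes of body in total */
    "OPTIONS sip:bob@example.invalid SIP/2.0\r\n\r\n";

/* Constructed well-formed message: Content-Length matches the 32-byte body. */
static const char sample_ok[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n";

#define SAMPLE_BAD_LEN (sizeof(sample_bad) - 1)
#define SAMPLE_OK_LEN  (sizeof(sample_ok) - 1)
```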

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()

ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the second recvmsg() triggers the dump callback which dereferences the now-freed conntrack via nf_ct_help(ct), leading to a use-after-free on ct->ext.

The bug is that the netlink_dump_control has no .start or .done callbacks to manage the conntrack reference across dump rounds. Other dump functions in the same file (e.g. ctnetlink_get_conntrack) properly use .start/.done callbacks for this purpose.

Fix this by adding .start and .done callbacks that hold and release the conntrack reference for the duration of the dump, and move the nfct_help() call after the cb->args[0] early-return check in the dump callback to avoid dereferencing ct->ext unnecessarily.

BUG: KASAN: slab-use-after-free in ctnetlink_exp_ct_dump_table+0x4f/0x2e0
Read of size 8 at addr ffff88810597ebf0 by task ctnetlink_poc/133

CPU: 1 UID: 0 PID: 133 Comm: ctnetlink_poc Not tainted 7.0.0-rc2+ #3 PREEMPT_LAZY
Call Trace:
<TASK>
ctnetlink_exp_ct_dump_table+0x4f/0x2e0
netlink_dump+0x333/0x880
netlink_recvmsg+0x3e2/0x4b0
? aa_sk_perm+0x184/0x450
sock_recvmsg+0xde/0xf0

Allocated by task 133 (innermost first): kmem_cache_alloc_noprof+0x134/0x440, __nf_conntrack_alloc+0xa8/0x2b0, ctnetlink_create_conntrack+0xa1/0x900, ctnetlink_new_conntrack+0x3cf/0x7d0, nfnetlink_rcv_msg+0x48e/0x510, netlink_rcv_skb+0xc9/0x1f0, nfnetlink_rcv+0xdb/0x220, netlink_unicast+0x3ec/0x590, netlink_sendmsg+0x397/0x690 (remaining frames omitted)

Freed by task 0: slab_free_after_rcu_debug+0xad/0x1e0, rcu_core+0x5c3/0x9c0(CVE-2026-23458)

In the Linux kernel, the following vulnerability has been resolved:

spi: fix statistics allocation

The controller per-cpu statistics are not allocated until after the controller has been registered with driver core, which leaves a window where accessing the sysfs attributes can trigger a NULL-pointer dereference.

Fix this by moving the statistics allocation to controller allocation while tying its lifetime to that of the controller (rather than using implicit devres).(CVE-2026-23475)

In the Linux kernel, the following vulnerability has been resolved:

spi: fix use-after-free on controller registration failure

Make sure to deregister from driver core also in the unlikely event that per-cpu statistics allocation fails during controller registration to avoid use-after-free (of driver resources) and unclocked register accesses.(CVE-2026-31389)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid overflows in ip6_datagram_send_ctl()

Yiming Qian reported : <quote> I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via skb_under_panic() (local DoS).

The core issue is a mismatch between:

  • a 16-bit length accumulator (struct ipv6_txoptions::opt_flen, type __u16) and
  • a pointer to the last provided destination-options header (opt->dst1opt)

  when multiple IPV6_DSTOPTS control messages (cmsgs) are provided.

  • include/net/ipv6.h:
    • struct ipv6_txoptions::opt_flen is __u16 (wrap possible). (lines 291-307, especially 298)
  • net/ipv6/datagram.c:ip6_datagram_send_ctl():
    • Accepts repeated IPV6_DSTOPTS and accumulates into opt_flen without rejecting duplicates. (lines 909-933)
  • net/ipv6/ip6_output.c:__ip6_append_data():
    • Uses opt->opt_flen + opt->opt_nflen to compute header sizes/headroom decisions. (lines 1448-1466, especially 1463-1465)
  • net/ipv6/ip6_output.c:__ip6_make_skb():
    • Calls ipv6_push_frag_opts() if opt->opt_flen is non-zero. (lines 1930-1934)
  • net/ipv6/exthdrs.c:ipv6_push_frag_opts() / ipv6_push_exthdr():
    • Push size comes from ipv6_optlen(opt->dst1opt) (based on the pointed-to header). (lines 1179-1185 and 1206-1211)

  1. opt_flen is a 16-bit accumulator:
     • include/net/ipv6.h:298 defines __u16 opt_flen; /* after fragment hdr */.

  2. ip6_datagram_send_ctl() accepts repeated IPV6_DSTOPTS cmsgs and increments opt_flen each time:
     • In net/ipv6/datagram.c:909-933, for IPV6_DSTOPTS:
       • It computes len = ((hdr->hdrlen + 1) << 3);
       • It checks CAP_NET_RAW using ns_capable(net->user_ns, CAP_NET_RAW). (line 922)
       • Then it does:
         • opt->opt_flen += len; (line 927)
         • opt->dst1opt = hdr; (line 928)

     There is no duplicate rejection here (unlike the legacy IPV6_2292DSTOPTS path which rejects duplicates at net/ipv6/datagram.c:901-904).

     If enough large IPV6_DSTOPTS cmsgs are provided, opt_flen wraps while dst1opt still points to a large (2048-byte) destination-options header.

     In the attached PoC (poc.c):
     • 32 cmsgs with hdrlen=255 => len = (255+1)*8 = 2048
     • 1 cmsg with hdrlen=0 => len = 8
     • Total increment: 32*2048 + 8 = 65544, so (__u16)opt_flen == 8
     • The last cmsg is 2048 bytes, so dst1opt points to a 2048-byte header.

  3. The transmit path sizes headers using the wrapped opt_flen:
     • In net/ipv6/ip6_output.c:1463-1465:
       • headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen + opt->opt_nflen : 0) + ...;

     With wrapped opt_flen, headersize/headroom decisions underestimate what will be pushed later.

  4. When building the final skb, the actual push length comes from dst1opt and is not limited by wrapped opt_flen:
     • In net/ipv6/ip6_output.c:1930-1934:
       • if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);
     • In net/ipv6/exthdrs.c:1206-1211, ipv6_push_frag_opts() pushes dst1opt via ipv6_push_exthdr().
     • In net/ipv6/exthdrs.c:1179-1184, ipv6_push_exthdr() does:
       • skb_push(skb, ipv6_optlen(opt));
       • memcpy(h, opt, ipv6_optlen(opt));

     With insufficient headroom, skb_push() underflows and triggers skb_under_panic() -> BUG():
     • net/core/skbuff.c:2669-2675 (skb_push() calls skb_under_panic())
     • net/core/skbuff.c:207-214 (skb_panic() ends in BUG())

  • The IPV6_DSTOPTS cmsg path requires CAP_NET_RAW in the target netns user namespace (ns_capable(net->user_ns, CAP_NET_RAW)).
  • Root (or any task with CAP_NET_RAW) can trigger this without user namespaces.
  • An unprivileged uid=1000 user can trigger this if unprivileged user namespaces are enabled and it can create a userns+netns to obtain namespaced CAP_NET_RAW (the attached PoC does this).

  • Local denial of service: kernel BUG/panic (system crash). ---truncated---(CVE-2026-31415)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: account for netlink header size

This is a followup to an old bug fix: NLMSG_DONE needs to account for the netlink header size, not just the attribute size.

This can result in a WARN splat + drop of the netlink message, but other than this there are no ill effects.(CVE-2026-31416)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp

process_sdp() declares union nf_inet_addr rtp_addr on the stack and passes it to the nf_nat_sip sdp_session hook after walking the SDP media descriptions. However rtp_addr is only initialized inside the media loop when a recognized media type with a non-zero port is found.

If the SDP body contains no m= lines, only inactive media sections (m=audio 0 ...) or only unrecognized media types, rtp_addr is never assigned. Despite that, the function still calls hooks->sdp_session() with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack value as an IP address and rewrite the SDP session owner and connection lines with it.

With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this results in the session-level o= and c= addresses being rewritten to 0.0.0.0 for inactive SDP sessions. Without stack auto-init the rewritten address is whatever happened to be on the stack.

Fix this by pre-initializing rtp_addr from the session-level connection address (caddr) when available, and tracking via a have_rtp_addr flag whether any valid address was established. Skip the sdp_session hook entirely when no valid address exists.(CVE-2026-31427)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD

__build_packet_message() manually constructs the NFULA_PAYLOAD netlink attribute using skb_put() and skb_copy_bits(), bypassing the standard nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes are allocated (including NLA alignment padding), only data_len bytes of actual packet data are copied. The trailing nla_padlen(data_len) bytes (1-3 when data_len is not 4-byte aligned) are never initialized, leaking stale heap contents to userspace via the NFLOG netlink socket.

Replace the manual attribute construction with nla_reserve(), which handles the tailroom check, header setup, and padding zeroing via __nla_reserve(). The subsequent skb_copy_bits() fills in the payload data on top of the properly initialized attribute.(CVE-2026-31428)
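A userspace model of the padding leak described above, added here as an example (not the kernel's nfnetlink_log code): a fake skb tail buffer is pre-filled with 0xAA to stand in for stale heap contents, the attribute is built once by hand (skb_put plus a copy, as the old code did) and once in the __nla_reserve() shape that zeroes nla_padlen() bytes before the payload is copied, and the pad bytes are then inspected. The fake_skb type, the put helpers and the 5-byte payload are constructed for the example; the nlattr layout and size macros follow the netlink attribute format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Netlink attribute header and alignment rules (4-byte aligned). */
struct nlattr {
    uint16_t nla_len;   /* header + payload, excluding padding */
    uint16_t nla_type;
};

#define NLA_ALIGNTO      4
#define NLA_ALIGN(len)   (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN       ((int) NLA_ALIGN(sizeof(struct nlattr)))

static int nla_attr_size(int payload)  { return NLA_HDRLEN + payload; }
static int nla_total_size(int payload) { return NLA_ALIGN(nla_attr_size(payload)); }
static int nla_padlen(int payload)     { return nla_total_size(payload) - nla_attr_size(payload); }

/* Minimal stand-in for the sk_buff tail area (constructed for this example):
 * a buffer plus a tail offset.  Like skb_put(), fake_skb_put() hands out
 * room without clearing it, so whatever was in the buffer stays there. */
struct fake_skb {
    unsigned char buf[64];
    size_t tail;
};

static void *fake_skb_put(struct fake_skb *skb, size_t len)
{
    void *p = skb->buf + skb->tail;
    skb->tail += len;
    return p;
}

/* "Before" shape: reserve nla_total_size() bytes, fill the header, copy
 * exactly data_len payload bytes (memcpy stands in for skb_copy_bits()).
 * The nla_padlen() trailing bytes are never written. */
void put_payload_manual(struct fake_skb *skb, uint16_t type,
                        const void *data, int data_len)
{
    struct nlattr *nla = fake_skb_put(skb, nla_total_size(data_len));

    nla->nla_len = nla_attr_size(data_len);
    nla->nla_type = type;
    memcpy((unsigned char *) nla + NLA_HDRLEN, data, data_len);
}

/* "After" shape: what nla_reserve()/__nla_reserve() does, namely zeroing the
 * padding right after the header is set, before the payload is copied in. */
void put_payload_reserve(struct fake_skb *skb, uint16_t type,
                         const void *data, int data_len)
{
    struct nlattr *nla = fake_skb_put(skb, nla_total_size(data_len));

    nla->nla_len = nla_attr_size(data_len);
    nla->nla_type = type;
    memset((unsigned char *) nla + nla->nla_len, 0, nla_padlen(data_len));
    memcpy((unsigned char *) nla + NLA_HDRLEN, data, data_len);
}

/* Count padding bytes of the attribute at offset `off` that still hold
 * non-zero (stale) data: this is what a userspace reader of the netlink
 * message would receive beyond nla_len. */
int stale_pad_bytes(const struct fake_skb *skb, size_t off)
{
    const struct nlattr *nla = (const struct nlattr *) (skb->buf + off);
    int payload = nla->nla_len - NLA_HDRLEN;
    int pad = nla_padlen(payload), stale = 0;

    for (int i = 0; i < pad; i++)
        if (skb->buf[off + nla->nla_len + i] != 0)
            stale++;
    return stale;
}

/* Build one attribute with a 5-byte payload (3 pad bytes) on a buffer full
 * of 0xAA and report how many pad bytes would leak. The attribute type
 * number is arbitrary for the example. */
int leaked_pad_bytes(int use_reserve)
{
    static const unsigned char pkt[5] = { 0x45, 0x00, 0x00, 0x1c, 0x00 }; /* constructed payload */
    struct fake_skb skb;

    memset(skb.buf, 0xAA, sizeof(skb.buf));   /* "stale heap contents" */
    skb.tail = 0;
    if (use_reserve)
        put_payload_reserve(&skb, 1, pkt, sizeof(pkt));
    else
        put_payload_manual(&skb, 1, pkt, sizeof(pkt));
    return stale_pad_bytes(&skb, 0);
}
```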

In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_aead - Revert to operating out-of-place

This mostly reverts commit 72548b093ee3 except for the copying of the associated data.

There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.(CVE-2026-31431)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.6.0-145.0.7.146.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "bpftool-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "bpftool-debuginfo-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-debuginfo-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-debugsource-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-devel-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-headers-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-source-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-tools-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-tools-debuginfo-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "kernel-tools-devel-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "perf-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "perf-debuginfo-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "python3-perf-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm",
        "python3-perf-debuginfo-6.6.0-145.0.7.146.oe2403sp1.aarch64.rpm"
    ],
    "x86_64": [
        "bpftool-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "bpftool-debuginfo-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-debuginfo-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-debugsource-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-devel-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-headers-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-source-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-tools-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-tools-debuginfo-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "kernel-tools-devel-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "perf-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "perf-debuginfo-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "python3-perf-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm",
        "python3-perf-debuginfo-6.6.0-145.0.7.146.oe2403sp1.x86_64.rpm"
    ],
    "src": [
        "kernel-6.6.0-145.0.7.146.oe2403sp1.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2172.json"