OESA-2026-2313

The Linux Kernel, the operating system core itself.

Security Fix(es):

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: fix possible wrong descriptor completion in llistabortdesc()

At the end of this function, d is the traversal cursor of flist, but the code completes found instead. This can lead to issues such as NULL pointer dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final listforeachentrysafe() loop.(CVE-2026-31436)

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus/core) Protect regulator operations with mutex

The regulator operations pmbusregulatorgetvoltage(), pmbusregulatorsetvoltage(), and pmbusregulatorlistvoltage() access PMBus registers and shared data but were not protected by the updatelock mutex. This could lead to race conditions.

However, adding mutex protection directly to these functions causes a deadlock because pmbusregulatornotify() (which calls regulatornotifiercallchain()) is often called with the mutex already held (e.g., from pmbusfault_handler()). If a regulator callback then calls one of the now-protected voltage functions, it will attempt to acquire the same mutex.

Rework pmbusregulatornotify() to utilize a worker function to send notifications outside of the mutex protection. Events are stored as atomics in a per-page bitmask and processed by the worker.

Initialize the worker and its associated data during regulator registration, and ensure it is cancelled on device removal using devmaddactionorreset().

While at it, remove the unnecessary include of linux/of.h.(CVE-2026-31486)

In the Linux kernel, the following vulnerability has been resolved:

net: fix fanout UAF in packetrelease() via NETDEVUP race

packet_release() has a race window where NETDEV_UP can re-register a socket into a fanout group's arr[] array. The re-registration is not cleaned up by fanout_release(), leaving a dangling pointer in the fanout array. packet_release() does NOT zero po->num in its bind_lock section. After releasing bind_lock, po->num is still non-zero and po->ifindex still matches the bound device. A concurrent packet_notifier(NETDEV_UP) that already found the socket in sklist can re-register the hook. For fanout sockets, this re-registration calls __fanout_link(sk, po) which adds the socket back into f->arr[] and increments f->num_members, but does NOT increment f->sk_ref.

The fix sets po->num to zero in packet_release while bind_lock is held to prevent NETDEV_UP from linking, preventing the race window.

This bug was found following an additional audit with Claude Code based on CVE-2025-38617.(CVE-2026-31504)

In the Linux kernel, the following vulnerability has been resolved:

afkey: validate families in pfkeysend_migrate()

syzbot was able to trigger a crash in skb_put() [1]

Issue is that pfkeysendmigrate() does not check old/new families, and that set_ipsecrequest() @family argument was truncated, thus possibly overfilling the skb.

Validate families early, do not wait set_ipsecrequest().

[1]

skbuff: skboverpanic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL> kernel BUG at net/core/skbuff.c:214 ! Call Trace: <TASK> skboverpanic net/core/skbuff.c:219 [inline] skbput+0x159/0x210 net/core/skbuff.c:2655 skbputzero include/linux/skbuff.h:2788 [inline] setipsecrequest net/key/afkey.c:3532 [inline] pfkeysendmigrate+0x1270/0x2e50 net/key/afkey.c:3636 kmmigrate+0x155/0x260 net/xfrm/xfrmstate.c:2848 xfrmmigrate+0x2140/0x2450 net/xfrm/xfrmpolicy.c:4705 xfrmdomigrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515)

In the Linux kernel, the following vulnerability has been resolved:

mm/userfaultfd: fix hugetlb fault mutex hash calculation

In mfillatomichugetlb(), linearpageindex() is used to calculate the page index for hugetlbfaultmutexhash(). However, linearpageindex() returns the index in PAGESIZE units, while hugetlbfaultmutexhash() expects the index in huge page units. This mismatch means that different addresses within the same huge page can produce different hash values, leading to the use of different mutexes for the same huge page. This can cause races between faulting threads, which can corrupt the reservation map and trigger the BUGON in resvmaprelease().

Fix this by introducing hugetlblinearpageindex(), which returns the page index in huge page granularity, and using it in place of linearpage_index().(CVE-2026-31575)

In the Linux kernel, the following vulnerability has been resolved:

HID: core: clamp report_size in s32ton() to avoid undefined shift

s32ton() shifts by n-1 where n is the field's reportsize, a value that comes directly from a HID device. The HID parser bounds reportsize only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hidoutputfield() or hidsetfield().

Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hidreportraw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way.

Fix this up by just clamping the max value of n, just like snto32() does.(CVE-2026-31624)

In the Linux kernel, the following vulnerability has been resolved:

HID: alps: fix NULL pointer dereference in alpsrawevent()

Commit ecfa6f34492c ("HID: Add HIDCLAIMEDINPUT guards in raw_event callbacks missing them") attempted to fix up the HID drivers that had missed the previous fix that was done in 2ff5baa9b527 ("HID: appleir: Fix potential NULL dereference at raw event handle"), but the alps driver was missed.

Fix this up by properly checking in the hid-alps driver that it had been claimed correctly before attempting to process the raw event.(CVE-2026-31625)

In the Linux kernel, the following vulnerability has been resolved:

afunix: read UNIXDIAGVFS data under unixstate_lock

Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unixreleasesock() clears u->path under unixstatelock() and drops the path reference after unlocking.

Read the inode and device numbers for UNIXDIAGVFS while holding unixstatelock(), then emit the netlink attribute after dropping the lock.

This keeps the VFS data stable while the reply is being built.(CVE-2026-31673)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ip6trt: reject oversized addrnr in rtmt6_check()

Reject rt match rules whose addrnr exceeds IP6TRTHOPS.

rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.(CVE-2026-31674)

In the Linux kernel, the following vulnerability has been resolved:

bridge: brndsend: linearize skb before parsing ND options

brndsend() parses neighbour discovery options from ns->opt[] and assumes that these options are in the linear part of request.

Its callers only guarantee that the ICMPv6 header and target address are available, so the option area can still be non-linear. Parsing ns->opt[] in that case can access data past the linear buffer.

Linearize request before option parsing and derive ns from the linear network header.(CVE-2026-31682)

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: lag: Check for LAG device before creating debugfs

_mlx5lagdevaddmdev() may return 0 (success) even when an error occurs that is handled gracefully. Consequently, the initialization flow proceeds to call mlx5ldevadddebugfs() even when there is no valid LAG context.

mlx5ldevadd_debugfs() blindly created the debugfs directory and attributes. This exposed interfaces (like the members file) that rely on a valid ldev pointer, leading to potential NULL pointer dereferences if accessed when ldev is NULL.

Add a check to verify that mlx5lagdev(dev) returns a valid pointer before attempting to create the debugfs entries.(CVE-2026-43013)

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

meshsend() currently bounds MGMTOPMESHSEND by total command length, but it never verifies that the bytes supplied for the flexible advdata[] array actually match the embedded advdatalen field. MGMTMESHSENDSIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but validate advdatalen explicitly and require the command length to exactly match the flexible array size before queueing the request.(CVE-2026-43017)

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hcievent: fix potential UAF in hcileremoteconnparamreq_evt

hciconn lookup and field access must be covered by hdev lock in hcileremoteconnparamreq_evt, otherwise it's possible it is freed concurrently.

Extend the hcidevlock critical section to cover all conn usage.(CVE-2026-43018)

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hciconn: fix potential UAF in setcigparamssync

hciconn lookup and field access must be covered by hdev lock in setcigparamssync, otherwise it's possible it is freed concurrently.

Take hdev lock to prevent hci_conn from being deleted or modified concurrently. Just RCU lock is not suitable here, as we also want to avoid "tearing" in the configuration.(CVE-2026-43019)

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Add SRCU protection for reading PDPTRs in _getsregs2()

Add SRCU read-side protection when reading PDPTR registers in _getsregs2().

Reading PDPTRs may trigger access to guest memory: kvmpdptrread() -> svmcachereg() -> loadpdptrs() -> kvmvcpureadguestpage() -> kvmvcpugfnto_memslot()

kvmvcpugfntomemslot() dereferences memslots via __kvmmemslots(), which uses srcudereferencecheck() and requires either kvm->srcu or kvm->slotslock to be held. Currently only vcpu->mutex is held, triggering lockdep warning:

============================= WARNING: suspicious RCU usage in kvmvcpugfntomemslot 6.12.59+ #3 Not tainted

include/linux/kvmhost.h:1062 suspicious rcudereference_check() usage!

other info that might help us debug this:

rcuscheduleractive = 2, debuglocks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvmvcpu_ioctl+0x1d5/0x1590

Call Trace: <TASK> __dumpstack lib/dumpstack.c:94 [inline] dump_stacklvl+0xf0/0x120 lib/dumpstack.c:120 lockdeprcususpicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvmmemslots include/linux/kvmhost.h:1062 [inline] __kvmmemslots include/linux/kvmhost.h:1059 [inline] kvmvcpumemslots include/linux/kvmhost.h:1076 [inline] kvmvcpugfntomemslot+0x518/0x5e0 virt/kvm/kvmmain.c:2617 kvmvcpureadguestpage+0x27/0x50 virt/kvm/kvmmain.c:3302 loadpdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svmcachereg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvmpdptrread arch/x86/kvm/kvmcacheregs.h:141 [inline] __getsregs2 arch/x86/kvm/x86.c:11784 [inline] kvmarchvcpuioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvmvcpuioctl+0x856/0x1590 virt/kvm/kvmmain.c:4663 vfsioctl fs/ioctl.c:51 [inline] __dosysioctl fs/ioctl.c:907 [inline] __sesysioctl fs/ioctl.c:893 [inline] __x64sysioctl+0x18b/0x210 fs/ioctl.c:893 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xbd/0x1d0 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.(CVE-2026-43214)

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()

Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVMEXITUNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as something has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects.

As explained in the Fixes commits, it should be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state.

Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where KVM would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running.(CVE-2026-43265)

In the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSGSPLICEPAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFLSHAREDFRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284)

A NULL-pointer dereference vulnerability exists in the ACPI processor driver of the Linux kernel. In the acpiprocessorerratapiix4() function, the pointer dev is first assigned an IDE device and then reassigned an ISA device. If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when devdbg() is called. The fix is to use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.(CVE-2026-43313)

In the Linux kernel x86 APIC (Advanced Programmable Interrupt Controller) subsystem, when the system resumes from suspend (s2ram/suspend-to-RAM) state, if the kernel expects to disable x2APIC mode at startup, but the BIOS/firmware re-enables x2APIC during the recovery process, the kernel and hardware status will be inconsistent. This status mismatch may cause interrupt handling exceptions, system instability, or denial of service. The vulnerability belongs to CWE-372 (Internal State Corruption).(CVE-2026-43363)

In the Linux kernel, there is a race condition vulnerability in the Ceph filesystem. During async unlink, the i_nlink counter is dropped before receiving the completion (that will eventually update the i_nlink) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one:

WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023

In cephunlink(), a call to cephmdscsubmitrequest() submits the CEPHMDSOPUNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following dropnlink() call, a worker thread may process a CEPHCAPOPIMPORT, CEPHCAPOPGRANT or just a CEPHMSGCLIENTREPLY (the latter of which could be our own completion). These will lead to a setnlink() call, updating the i_nlink counter to the value received from the MDS. If that new i_nlink value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then.

The root cause of this vulnerability is updating the i_nlink counter without proper lock protection, creating a TOCTOU (Time-of-Check Time-of-Use) race condition. Since cephfillinode() and handlecapgrant() both hold the ceph_inode_info.i_ceph_lock spinlock while set_nlink() runs, this seems like the proper lock to protect the i_nlink updates.(CVE-2026-43420)

In the Linux kernel, there is a security vulnerability in the USB Test and Measurement Class driver (usbtmc). The driver accepts timeout values specified by the user via an ioctl command and uses these timeouts for usbbulkmsg() calls. Since the user can specify arbitrarily long timeouts and usbbulkmsg() uses unkillable waits, this may cause kernel threads to hang indefinitely.(CVE-2026-43429)