OESA-2026-2496 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: Revert "smb: client: fix TCP timers deadlock after rmmod" This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. Commit e9f2517a3e18 "smb: client: fix TCP...

CVE-2026-46158

A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. When an ADDADDR message is retransmitted, a socket reference count may not be properly decreased, leading to a potential resource leak. Over time, this resource exhaustion could allow a remote attacker to cause a Denial of...

CVE-2026-46170

A flaw was found in the Linux kernel's Multipath TCP MPTCP implementation. When an ADDADDR message is retransmitted, an issue in socket sk reference counting can prevent the socket from being properly freed. This improper resource management may lead to a Denial of Service DoS condition, where th...

CVE-2026-46170

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADDADDR rtx: free sk if last When an ADDADDR is retransmitted, the sk is held in skresettimer, and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sockput should...

UBUNTU-CVE-2026-46170

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADDADDR rtx: free sk if last When an ADDADDR is retransmitted, the sk is held in skresettimer, and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sockput should...

EUVD-2026-32797

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADDADDR rtx: free sk if last When an ADDADDR is retransmitted, the sk is held in skresettimer, and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sockput should...

PT-2026-44281

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A reference leak exists in the Multipath TCP mptcp path manager. When an ADD ADDR message is retransmitted, the socket sk is held in the sk reset timer function. Certain execution paths...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the lack of consistent reduction of socket reference counts during the retransmission of ADDADDR ...

PT-2026-44293

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD ADDR rtx: free sk if last When an ADD ADDR is retransmitted, the sk is held in sk reset timer, and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock put...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: net: Better tracking of kernel sockets’ lifetimes While kernel sockets are destroyed during pernetoperations-exit, their freeing can be delayed due to any TX packets still held in qdisc or device queues. This occurs because of...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are received using GRO with a fraglist, they may be segmented later on and continue their journey within the stack. In skbSegmentlist, these segments can be reused as they are. This is a...

EUVD-2026-25640

In the Linux kernel, the following vulnerability has been resolved: afunix: read UNIXDIAGVFS data under unixstatelock Exact UNIX diag lookups hold a reference to the socket, but not to u-path. Meanwhile, unixreleasesock clears u-path under unixstatelock and drops the path reference after unlockin...

EUVD-2026-20469

In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigdsend Reproducer available at 1. The ATM send path sendmsg - vccsendmsg - sigdsend reads the vcc pointer from msg-vcc and uses it directly without any validation. This...

SUSE CVE-2026-31408

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in scorecvframe due to missing sockhold scorecvframe reads conn-sk under scoconnlock but immediately releases the lock without holding a reference to the socket. A concurrent close can free the...

CVE-2026-31408

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in scorecvframe due to missing sockhold scorecvframe reads conn-sk under scoconnlock but immediately releases the lock without holding a reference to the socket. A concurrent close can free the...

CVE-2026-31408

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in scorecvframe due to missing sockhold scorecvframe reads conn-sk under scoconnlock but immediately releases the lock without holding a reference to the socket. A concurrent close can free the...

PT-2026-30576

Name of the Vulnerable Software and Affected Versions Linux Kernel affected versions not specified Description The Linux kernel contains a use-after-free issue in the sco recv frame function within the Bluetooth SCO Synchronous Connection-Oriented subsystem. The function reads conn-sk under sco...

SUSE CVE-2026-23419

In the Linux kernel, the following vulnerability has been resolved: net/rds: Fix circular locking dependency in rdstcptune syzbot reported a circular locking dependency in rdstcptune where sknetrefcntupgrade is called while holding the socket lock:...

PT-2026-30033

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a circular locking dependency within the rds tcp tune function. The sk net refcnt upgrade function is called while holding the socket lock, leading to a circula...

EUVD-2026-15396

In the Linux kernel, the following vulnerability has been resolved: afunix: Give up GC if MSGPEEK intervened. Igor Ushakov reported that GC purged the receive queue of an alive socket due to a race with MSGPEEK with a nice repro. This is the exact same issue previously fixed by commit cbcf01128d0...