Lucene search

21 matches found

RedHat Linux
added 6 days ago, 6 views

kernel: md/bitmap: fix GPF in write_page caused by resize race

A flaw was found in the Linux kernel's md/bitmap component. This vulnerability involves a use-after-free race condition that occurs during array resize operations. When the bitmap_daemon_work and bitmap_resize functions execute concurrently, they can access memory pages that have already been freed...

CVSS 4.7, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 5
RedHat Linux
added last week, 7 views

kernel: md/bitmap: fix GPF in write_page caused by resize race

A flaw was found in the Linux kernel's md/bitmap component. This vulnerability involves a use-after-free race condition that occurs during array resize operations. When the bitmap_daemon_work and bitmap_resize functions execute concurrently, they can access memory pages that have already been freed...

CVSS 4.7, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 5
RedHat Linux
added 2026/06/01 10:35 p.m., 12 views

kernel: md/bitmap: fix GPF in write_page caused by resize race

A flaw was found in the Linux kernel's md/bitmap component. This vulnerability involves a use-after-free race condition that occurs during array resize operations. When the bitmap_daemon_work and bitmap_resize functions execute concurrently, they can access memory pages that have already been freed...

CVSS 4.7, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 5
RedHat Linux
added 2026/05/20 2:0 p.m., 5 views

kernel: md/bitmap: fix GPF in write_page caused by resize race

A flaw was found in the Linux kernel's md/bitmap component. This vulnerability involves a use-after-free race condition that occurs during array resize operations. When the bitmap_daemon_work and bitmap_resize functions execute concurrently, they can access memory pages that have already been freed...

CVSS 4.7, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 5
AstraLinux
added 2026/05/20 5:53 a.m., 3 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ptr_ring: Do not block hard interrupts in ptr_ring_resize_multiple. Jakub added a lockdep_assert_no_hardirq check in __page_pool_put_page to increase test coverage. syzbot identified a crash caused by hard interrupt blocking in...

CVSS 5.5, AI score 6.5, EPSS 0.00008
Exploits: 0, References: 2
AstraLinux
added 2026/05/20 5:53 a.m., 3 views

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: nilfs2: The OOB issue in nilfs_set_de_type has been fixed. The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as "S_IFMT >> S_SHIFT". However, the nilfs_set_de_type function, which uses this array, specifies the ind...

CVSS 7.8, AI score 5.7, EPSS 0.00015
Exploits: 0, References: 2
RedhatCVE
added 2026/05/06 7:38 p.m., 3 views

CVE-2026-43163

A flaw was found in the Linux kernel's md/bitmap component. This vulnerability involves a use-after-free race condition that occurs during array resize operations. When the bitmap_daemon_work and bitmap_resize functions execute concurrently, they can access memory pages that have already been freed...

CVSS 4.7, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 4
EUVD
added 2026/05/06 12:30 p.m., 4 views

EUVD-2026-27726

In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race. A General Protection Fault occurs in write_page during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work and...

AI score 5.8, EPSS 0.00014
Exploits: 0, References: 9
FreeBSD
added 2026/04/29 12:0 a.m., 10 views

FreeBSD -- Remotely triggerable out-of-bounds heap write in dhclient

Problem Description: As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. Impact: A specially crafted...

CVSS 8.1, AI score 5.7, EPSS 0.00065
Exploits: 0
OSV
added 2026/02/06 3:56 p.m., 6 views

OESA-2026-1305 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple. Jakub added a lockdep_assert_no_hardirq check in __page_pool_put_page to increase test coverage. syzbot...

CVSS 7.8, AI score 7.6, EPSS 0.00097
Exploits: 0, References: 95
OSV
added 2026/02/06 3:55 p.m., 5 views

OESA-2026-1303 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple. Jakub added a lockdep_assert_no_hardirq check in __page_pool_put_page to increase test coverage. syzbot...

CVSS 7.8, AI score 7.3, EPSS 0.00089
Exploits: 1, References: 100
OSV
added 2025/10/16 4:15 p.m., 0 views

CVE-2025-62490

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become ou...

CVSS 8.8, AI score 5.8
Exploits: 0, References: 2
Vulnrichment
added 2025/10/16 3:51 p.m., 2 views

CVE-2025-62490 Use-after-free in js_print_object in QuickJS

In quickjs, in js_print_object, when printing an array, the function first fetches the array length and then loops over it. The issue is, printing a value is not side-effect free. An attacker-defined callback could run during js_print_value, during which the array could get resized and len1 become ou...

CVSS 8.8, AI score 6.7, EPSS 0.00028
Exploits: 1, References: 2
SUSE CVE
added 2025/02/28 2:23 a.m., 1 views

SUSE CVE-2024-57994

In the Linux kernel, the following vulnerability has been resolved: ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple. Jakub added a lockdep_assert_no_hardirq check in __page_pool_put_page to increase test coverage. syzbot found a splat caused by hard irq blocking in ptr_ring_resize_multiple 1 A...

CVSS 5.5, AI score 7.5, EPSS 0.00008
Exploits: 0, References: 13
OSV
added 2024/12/12 2:3 a.m., 1 views

DEBIAN-CVE-2024-47537

GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And i...

CVSS 9.8, AI score 8.4, EPSS 0.00442
Exploits: 0, References: 1
SUSE CVE
added 2024/05/03 2:9 a.m., 1 views

SUSE CVE-2024-26981

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix OOB in nilfs_set_de_type. The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type function, which uses this array, specifies the index to read from the array ...

CVSS 5.5, AI score 6.3, EPSS 0.00015
Exploits: 0, References: 13
OSV
added 2021/03/11 1:15 a.m., 1 views

UBUNTU-CVE-2020-1900

When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32....

CVSS 9.8, AI score 5.8, EPSS 0.00806
Exploits: 0, References: 4
Cvelist
added 2021/03/11 12:55 a.m., 16 views

CVE-2020-1900

When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it. Otherwise the array might resize, invalidating previously stored references. This pre-reservation was not occurring in HHVM prior to v4.32....

AI score 9.4, EPSS 0.00806
Exploits: 0, References: 2
RedHat Linux
added 2020/03/23 8:41 a.m., 2 views

Mozilla: BodyStream::OnInputStreamReady was missing protections against state confusion

The Mozilla Foundation Security Advisory describes this flaw as: By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash...

CVSS 8.8, AI score 7.3, EPSS 0.02595
Exploits: 0, References: 5
RedHat Linux
added 2020/03/19 11:54 a.m., 1 views

Mozilla: BodyStream::OnInputStreamReady was missing protections against state confusion

The Mozilla Foundation Security Advisory describes this flaw as: By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a potentially exploitable crash...

CVSS 8.8, AI score 7.3, EPSS 0.02595
Exploits: 0, References: 5