CVE-2026-45847 net: remove WARN_ON_ONCE when accessing forward path array

In the Linux kernel, the following vulnerability has been resolved: net: remove WARNONONCE when accessing forward path array Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARNONONCE if userspace manages to build a sufficiently long forward path. Remove it...

CVE-2026-45847

The CVE-2026-45847 entry describes a Linux kernel issue where WARN_ON_ONCE was triggered while accessing the forward path array. The fix removes WARN_ON_ONCE to mitigate the risk, noting that while unlikely, added support for IPIP tunnels increases the chance of encountering the warning if a suff...

CVE-2025-71309

CVE-2025-71309 describes a deadlock in the Linux kernel ntfs3 code where an inode mutex (ni_lock) and per-page locks can invert order, causing a hang in ntfs_read_folio() / ni_read_folio_cmpr() during frame reads. The root cause is locking order: taking ni_lock in ntfs_read_folio() before acquiri...

CVE-2025-71307

CVE-2025-71307 affects the Linux kernel’s DRM panthor path. The vulnerability arises in panthor_fw_unplug() where the MCU halt-and-wait sequence could dereference a NULL pointer if the MCU is in an unexpected state or the firmware is not loaded/initialized. The patch removes the MCU halt/wait dur...

CVE-2025-71306 ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec()

In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in isbprmcredsforexec KASAN reported a stack-out-of-bounds access in imaappraisemeasurement from isbprmcredsforexec: BUG: KASAN: stack-out-of-bounds in imaappraisemeasurement+0x12dc/0x16a0 Read of siz...

CVE-2025-71306

In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in isbprmcredsforexec KASAN reported a stack-out-of-bounds access in imaappraisemeasurement from isbprmcredsforexec: BUG: KASAN: stack-out-of-bounds in imaappraisemeasurement+0x12dc/0x16a0 Read of siz...

CVE-2025-71305

In the Linux kernel, the following vulnerability has been resolved: drm/display/dpmst: Add protection against 0 vcpi When releasing a timeslot there is a slight chance we may end up with the wrong payload mask due to overflow if the delayeddestroywork ends up coming into play after a DP 2.1 monit...

CVE-2025-71304

The CVE-2025-71304 entry describes a Linux kernel Smack issue where /smack/doi could accept values that were previously written, causing decommissioned DOIs to linger and the default domain map to be unavailable. This behavior can disable networking for non-ambient labels because existing CIPSO/D...

CVE-2026-45846

In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudpfillmetadatadst bareudpfillmetadatadst passes bareudp-sock to udptunnel6dstlookup in the IPv6 path without a NULL check. The socket is only created in bareudpopen and NULLed in...

CVE-2026-45842

In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhcinit accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhcinit is...

CVE-2026-45837

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arenavmclose on fork arenavmopen only bumps vml-mmapcount but never registers the child VMA in arena-vmalist. The vml-vma always points at the parent VMA, so after parent munmap the pointer dangles. If...

CVE-2026-45841

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkosf: fix divide-by-zero in OSFWSSMODULO nfosfmatchone computes ctx-window % f-wss.val in the OSFWSSMODULO branch with no guard for f-wss.val == 0. A CAPNETADMIN user can add such a fingerprint via nfnetlink; a...

CVE-2026-45843

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode reads against the compressed packet length slhcuncompress parses a VJ-compressed TCP header by advancing a pointer through the packet via decode and pull16. Neither helper bounds-checks against isize, and decod...

CVE-2026-45844

In the Linux kernel, the following vulnerability has been resolved: netfilter: arptables: fix IEEE1394 ARP payload parsing Weiming Shi says: "arppacketmatch unconditionally parses the ARP payload assuming two hardware addresses are present source and target. However, IPv4-over-IEEE1394 ARP RFC 27...

CVE-2026-45839

In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpfcoreparsespec CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members...

UBUNTU-CVE-2026-45842

In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhcinit accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhcinit is...

UBUNTU-CVE-2026-45838

In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroupstoragegetnextkey listnextentry never returns NULL -- when the current element is the last entry it wraps to the list head via containerof. The subsequent NULL check is therefore dead code...

UBUNTU-CVE-2026-45845

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTMDELQDISC, tapriograft is called with new == NULL and stores NULL into q-qdiscscl - 1. Subsequent RTMGETTCLASS dump operatio...

UBUNTU-CVE-2026-45843

In the Linux kernel, the following vulnerability has been resolved: slip: bound decode reads against the compressed packet length slhcuncompress parses a VJ-compressed TCP header by advancing a pointer through the packet via decode and pull16. Neither helper bounds-checks against isize, and decod...

UBUNTU-CVE-2026-45844

In the Linux kernel, the following vulnerability has been resolved: netfilter: arptables: fix IEEE1394 ARP payload parsing Weiming Shi says: "arppacketmatch unconditionally parses the ARP payload assuming two hardware addresses are present source and target. However, IPv4-over-IEEE1394 ARP RFC 27...