CVE-2026-46158

In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADDADDR rtx: always decrease sk refcount When an ADDADDR is retransmitted, the sk is held in skresettimer. It should then be released in all cases at the end. Some unlikely checks were returning directly instead of...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: net: Use sockgenput when skstate is TCPTIMEWAIT. It is possible for a pointer of type struct inettimewaitsock to be returned from the functions inetlookupestablished and inet6lookupestablished. This can cause a crash when the...

EUVD-2026-25522

In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: add missing return after LLCPCLOSED checks In nfcllcprecvhdlc and nfcllcprecvdisc, when the socket state is LLCPCLOSED, the code correctly calls releasesock and nfcllcpsockput but fails to return. Execution falls throu...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013232)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013232 advisory. In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix repeated calls to sockput when msg has moredata In tcpbpfsendverdict redirectio...

CVE-2026-31408

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in scorecvframe due to missing sockhold scorecvframe reads conn-sk under scoconnlock but immediately releases the lock without holding a reference to the socket. A concurrent close can free the...

CVE-2026-31408

CVE-2026-31408 is a Linux kernel Bluetooth SCO use-after-free in sco_recv_frame(), where conn->sk is accessed after releasing sco_conn_lock() without holding a reference. The fix uses sco_sock_hold() to take a reference before unlocking and adds sock_put() on exit paths. Connected advisories s...

SUSE CVE-2025-40258

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcpschedulework syzbot reported use-after-free in mptcpschedulework 1 Issue here is that mptcpschedulework schedules a work, then gets a refcount on sk-skrefcnt if the work was scheduled. This...

AZL-71380 CVE-2025-40258 affecting package kernel for versions less than 6.6.119.3-1

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcpschedulework syzbot reported use-after-free in mptcpschedulework 1 Issue here is that mptcpschedulework schedules a work, then gets a refcount on sk-skrefcnt if the work was scheduled. This...

CVE-2025-40258

The CVE-2025-40258 issue is confirmed in connected advisories for the Linux kernel: a race in mptcp_schedule_work() could cause use-after-free via sock_hold/sock_put timing around scheduled work. The fix, as described in the advisory, reorders operations by holding the socket before scheduling an...

CVE-2022-50536

CVE-2022-50536 affects the Linux kernel’s BPF sockmap path. In tcp_bpf_send_verdict() redirection, the eval variable is set to __SK_REDIRECT after sending apply_bytes data; if msg.has_more_data, sock_put() can be called multiple times, risking a use-after-free via refcount misuse. The issue is fi...

CVE-2022-50536 bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix repeated calls to sockput when msg has moredata In tcpbpfsendverdict redirection, the eval variable is assigned to SKREDIRECT after the applybytes data is sent, if msg has moredata, sockput will be called multip...

CVE-2022-50536

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix repeated calls to sockput when msg has moredata In tcpbpfsendverdict redirection, the eval variable is assigned to SKREDIRECT after the applybytes data is sent, if msg has moredata, sockput will be called multip...

EUVD-2025-32819

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix repeated calls to sockput when msg has moredata In tcpbpfsendverdict redirection, the eval variable is assigned to SKREDIRECT after the applybytes data is sent, if msg has moredata, sockput will be called multip...

CVE-2023-53585 bpf: reject unhashed sockets in bpf_sk_assign

In the Linux kernel, the following vulnerability has been resolved: bpf: reject unhashed sockets in bpfskassign The semantics for bpfskassign are as follows: sk = somelookupfunc bpfskassignskb, sk bpfskreleasesk That is, the sk is not consumed by bpfskassign. The function therefore needs to make...

UBUNTU-CVE-2025-37894

In the Linux kernel, the following vulnerability has been resolved: net: use sockgenput when skstate is TCPTIMEWAIT It is possible for a pointer of type struct inettimewaitsock to be returned from the functions inetlookupestablished and inet6lookupestablished. This can cause a crash when the...

kernel: bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data

A reference-count flaw was found in the Linux kernel Berkeley Packet Filter BPF sockmap implementation. When processing messages with remaining data, the same Transmission Control Protocol TCP socket reference could be released more than once. A local user running BPF sockmap programs could use...