cves
publicly-credited vulnerability disclosures across kernel and userspace targets. each row links to the nvd record and (where available) the lore announcement and original write-up.
- CVE-2026-46195 9.8 CRITICAL
smb: client: validate dacloffset before building DACL pointers
Linux kernel - SMB client (fs/smb/client)
The Linux kernel SMB client added a server-supplied DACL offset to the security-descriptor base before proving that a DACL header fit within the returned descriptor. On 32-bit builds a malicious server could supply an offset near the 4 GiB boundary, wrap the derived DACL pointer below the end of the ACL, and bypass the later pointer-based bounds checks in parse_sec_desc(), build_sec_desc(), and the chown path of id_mode_to_cifs_acl().
Continues the cifsacl bound-check hardening line (cf. CVE-2026-43350); adds the dacloffset wrap check for 32-bit builds.
- CVE-2026-31706 8.8 HIGH
ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
ksmbd's smb_inherit_dacl() trusted the on-disk num_aces from a parent directory's stored DACL. A crafted parent DACL could drive smb_inherit_dacl into an out-of-bounds ACE walk, with potential 32-bit allocation-size overflow on the inherited buffer construction.
- CVE-2026-31709 8.8 HIGH
smb: client: validate the whole DACL before rewriting it in cifsacl
Linux kernel - Linux SMB client (fs/smb/client) [NVD-CWE-noinfo]
The Linux SMB client's cifsacl chmod/chown paths trusted server-supplied dacloffset and num_aces fields when rebuilding ACLs locally. A malicious server could provide a DACL whose advertised structure exceeded the actual buffer, causing replace_sids_and_copy_aces() and set_chmod_dacl() to walk past the validated end of the security descriptor.
Client-side counterpart of CVE-2025-21994. Sent 2026-04-16 v1, 2026-04-20 v2; in-thread follow-up KCIFS2_END_OF_DACL_DEBUG2 sent 2026-04-21.
-
ksmbd: require 3 sub-authorities before reading sub_auth[2]
Linux kernel - ksmbd (fs/smb/server) [NVD-CWE-noinfo]
The Linux kernel ksmbd parse_dacl() compared each ACE SID against sid_unix_NFS_mode using only min(num_subauth, 2) sub-authorities. A client SID with num_subauth = 2 could match the NFS-mode SID prefix; reading sub_auth[2] then crossed the end-of-ACL boundary by 4 bytes, applying out-of-band bytes as the file's POSIX mode.
Server-side sister of my client-side patch (sent 2026-04-20 to linux-cifs@). Same bug class in fs/smb/client/cifsacl.c was disclosed first; the direct client-side assignment is CVE-2026-43350.
- CVE-2026-31712 8.3 HIGH
ksmbd: require minimum ACE size in smb_check_perm_dacl()
Linux kernel - ksmbd (fs/smb/server) [CWE-787]
ksmbd's smb_check_perm_dacl() walked Access Control Entries after checking only that the remaining DACL buffer could hold the ACE header. A crafted ACE whose declared size was smaller than the minimum valid layout could pass the loop bounds and drive out-of-bounds reads of access_req and SID fields during a later CREATE permission check.
Patch 3 of the original KIPC_series, later tracked as the companion CVE to CVE-2026-31707 for the ipc_validate_msg() response-size validation patch.
- CVE-2026-46303 8.2 HIGH
isofs: validate Rock Ridge CE continuation extent against volume size
Linux kernel - isofs (fs/isofs)
The isofs Rock Ridge handler read the CE (continuation entry) extent block number (rs->cont_extent) verbatim from on-disk directory metadata in rock_continue() and passed it to sb_bread() without checking that the block fell within the mounted ISO 9660 volume. Earlier fixes had validated the CE continuation offset and size and capped the CE chain length, but left the extent block number itself unchecked. With a crafted ISO mounted via desktop optical auto-mount (udisks2) or a CAP_SYS_ADMIN mount, the CE extent could point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same device. The fix adds an s_nzones bounds check to rock_continue().
Continues the isofs hardening line (cf. CVE-2026-46124); validates the Rock Ridge CE extent block number against the volume size.
- CVE-2026-31708 8.1 HIGH
smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
Linux kernel - Linux SMB client (fs/smb/client) [CWE-125]
The Linux SMB client's smb2_ioctl_query_info() had two response-copy branches: PASSTHRU_FSCTL was bounds-checked since 2019, but the QUERY_INFO branch never validated qi.input_buffer_length against the on-wire response, allowing a malicious SMB server to drive an out-of-bounds copy on the response buffer tail.
- CVE-2026-46123 7.7 HIGH
Bluetooth: virtio_bt: clamp rx length before skb_put
Linux kernel - Bluetooth virtio_bt (drivers/bluetooth)
The virtio Bluetooth transport called skb_put(skb, len) in virtbt_rx_work() with a length taken directly from the device backend via virtqueue_get_buf(), without validating it against the buffer actually posted to the device. A malicious or buggy virtio backend could supply an oversized length and overflow the receive skb.
First of a two-patch virtio_bt receive-path hardening series; CVE-2026-46186 is the second.
- CVE-2026-43350 7.6 HIGH
smb: client: require a full NFS mode SID before reading mode bits
Linux kernel - SMB client (fs/smb/client)
The Linux kernel SMB client treated an ACE SID matching sid_unix_NFS_mode as an NFS mode SID, then read sub_auth[2] without first requiring the ACE to carry three subauthorities. A malicious SMB server could return a short SID that still matched the prefix and trigger an out-of-bounds read in cifsacl parsing.
Direct client-side KCIFS4 assignment. CVE-2026-31611 remains the related server-side sister-fix for the same SID bound-check pattern.
- CVE-2026-46114 7.5 HIGH
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
Linux kernel - RDMA/rxe (drivers/infiniband/sw/rxe)
The Linux kernel software RoCEv2 RDMA driver (rxe) accepted an ATOMIC_WRITE request whose RETH length was zero, because the length check only compared the packet length against the residual. atomic_write_reply() then unconditionally dereferenced eight bytes at the payload address, so a remote initiator could trigger an out-of-bounds read of kernel memory past the received packet.
Direct assignment for the rxe ATOMIC_WRITE bound-check fix.
- CVE-2026-46124 7.5 HIGH
isofs: validate block number from NFS file handle in isofs_export_iget
Linux kernel - isofs (fs/isofs)
The isofs NFS export path passed an attacker-controlled block number from the NFS file handle (ifid->block or ifid->parent_block) to isofs_export_iget(), which only rejected block 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle could drive a read of an out-of-range block on an exported ISO9660 filesystem.
Direct assignment for the isofs NFS file-handle block-number validation fix.
- CVE-2026-46133 7.5 HIGH
RDMA/rxe: Reject unknown opcodes before ICRC processing
Linux kernel - RDMA/rxe (drivers/infiniband/sw/rxe)
Even after an earlier fix that handled payload_size() underflow for valid opcodes in short packets, the rxe receive path still computed payload_size() for packets carrying an unknown opcode before rejecting them. A single unauthenticated UDP packet could therefore trigger an out-of-bounds read and kernel panic. The fix rejects unknown opcodes before any ICRC or length processing.
Distinct from CVE-2026-46114; this is the unknown-opcode receive-path fix in rxe_recv.
- CVE-2026-31711 7.5 HIGH
smb: server: fix active_num_conn leak on transport allocation failure
Linux kernel - ksmbd (fs/smb/server) [CWE-401]
ksmbd's transport allocation path leaked the active_num_conn counter when alloc_transport() returned NULL after a successful kernel_accept(). An unauthenticated remote attacker could drive cumulative allocation failures (e.g. via memory pressure) until atomic_inc_return() saturated max_connections, denying service to legitimate SMB clients.
Pre-auth slow remote DoS. Companion to other ksmbd hardening sent in the same week.
- CVE-2002-1809 7.5 HIGH
MySQL Windows binary release default NULL root password
MySQL AB - MySQL Windows binary 3.23.2-3.23.52
The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.
PoC published as mysqlfuck.c on Bugtraq.
- CVE-2002-1921 7.5 HIGH
MySQL Windows default bind address allows remote connections
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration of MySQL 3.20.32 through 3.23.52, when running on Windows, does set the bind address to the loopback interface, which allows remote attackers to connect to the database.
Reported in same series as CVE-2002-1809.
- CVE-2002-1923 7.5 HIGH
MySQL Windows default config has logging disabled
MySQL AB - MySQL Windows 3.20.32-3.23.52
The default configuration in MySQL 3.20.32 through 3.23.52, when running on Windows, does not have logging enabled, which could allow remote attackers to conduct activities without detection.
Reported in same series as CVE-2002-1809 and CVE-2002-1921.
- CVE-2026-31707 7.1 HIGH
ksmbd: validate response sizes in ipc_validate_msg()
Linux kernel - ksmbd (fs/smb/server) [CWE-787]
ksmbd's ipc_validate_msg() computed the expected message size for each response type by summing or multiplying attacker-controlled fields from the userspace daemon's response into unsigned int arithmetic. Three response cases could overflow the size computation, leading to under-allocated buffers consumed by downstream parsing.
Patch 1 of the original KIPC_series; this is the cap on response sizes. The companion smb_check_perm_dacl() minimum ACE-size patch is tracked separately as CVE-2026-31712.
- CVE-2026-46186 5.5 MEDIUM
Bluetooth: virtio_bt: validate rx pkt_type header length
Linux kernel - Bluetooth virtio_bt (drivers/bluetooth) [CWE-908]
The virtio Bluetooth transport read the leading pkt_type byte from a received skb and forwarded the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload met the fixed HCI header length for that type. After the length of the backend-supplied buffer is bounded, a one-byte completion could still reach hci_recv_frame() with an undersized buffer.
Second of a two-patch virtio_bt receive-path hardening series; CVE-2026-46123 is the first.
- CVE-2026-46193 5.5 MEDIUM
xfrm: ah: account for ESN high bits in async callbacks
Linux kernel - xfrm AH (net/ipv4, net/ipv6) [NVD-CWE-noinfo]
When ESN was enabled, the IPsec AH async hash setup appended a 4-byte sequence-high slot before the ICV or auth-data area, but the async completion callbacks reconstructed the temporary layout as if that slot were absent. With an async AH implementation selected, AH copied or compared the wrong bytes on both the IPv4 and IPv6 paths, corrupting authentication handling.
Direct assignment for the AH ESN async-callback layout fix across the IPv4 and IPv6 AH paths.
- CVE-2026-53146 unscored
thunderbolt: Limit XDomain response copy to actual frame size
Linux kernel - Thunderbolt/USB4 XDomain (drivers/thunderbolt)
tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions. Use the minimum of frame size and expected response size for the copy length. The Linux kernel CVE team has assigned CVE-2026-53146 to this issue.
- CVE-2026-53147 unscored
thunderbolt: Validate XDomain request packet size before type cast
Linux kernel - Thunderbolt/USB4 XDomain (drivers/thunderbolt)
tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast. The Linux kernel CVE team has assigned CVE-2026-53147 to this issue.
- CVE-2026-53148 unscored
thunderbolt: Clamp XDomain response data copy to allocation size
Linux kernel - Thunderbolt/USB4 XDomain (drivers/thunderbolt)
tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len. The Linux kernel CVE team has assigned CVE-2026-53148 to this issue.
- CVE-2026-53149 unscored
thunderbolt: Bound root directory content to block size
Linux kernel - Thunderbolt/USB4 XDomain (drivers/thunderbolt)
__tb_property_parse_dir() does not check that content_offset + content_len fits within block_len for the root directory case. When rootdir->length equals or exceeds block_len - 2, the entry loop reads past the allocated property block. Add a bounds check after computing content_offset and content_len to reject directories whose content extends past the block. The Linux kernel CVE team has assigned CVE-2026-53149 to this issue.
- CVE-2026-53150 unscored
thunderbolt: Reject zero-length property entries in validator
Linux kernel - Thunderbolt/USB4 XDomain (drivers/thunderbolt)
tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic: property->value.text[property->length * 4 - 1] = '\0'; When property->length is 0 this writes to offset -1 relative to the allocation. Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol. The Linux kernel CVE team has assigned CVE-2026-53150 to this issue.
-
rxrpc: Fix the ACK parser to extract the SACK table for parsing
Linux kernel - rxrpc (net/rxrpc)
Fix modification of the received skbuff in rxrpc_input_soft_acks() and a potential incorrect access of the buffer in a fragmented UDP packet (the packet would probably have to be deliberately pre-generated as fragmented) when AF_RXRPC tries to extract the contents of the SACK table by copying out the contents of the SACK table into a buffer before attempting to parse AF_RXRPC assumes that it can just call skb_condense() and then validly access the SACK table from skb->data and that it will be a flat buffer - but skb_condense() can silently fail to do anything under some circumstances.
Reported the bug and submitted the original fix (lore link above). Maintainer David Howells reworked the fix around the skb_condense() silent-failure root cause and committed it under his own authorship, crediting the report with Reported-by: Michael Bommarito.
- CVE-2026-53176 unscored
IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
Linux kernel - RDMA/iSER (drivers/infiniband/ulp/isert)
In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() computes the login request payload length as wc->byte_len minus ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. A remote iSER initiator can post a login Send work request carrying fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows and login_req_len becomes negative. isert_rx_login_req() then reads that negative length back into a signed int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the min() is signed it keeps the negative value; the value is then passed as the memcpy() length and sign-extended to a multi-gigabyte size_t.
- CVE-2026-53186 unscored
RDMA/srp: bound SRP_RSP sense copy by the received length
Linux kernel - RDMA/SRP (drivers/infiniband/ulp/srp)
srp_process_rsp() copies sense data from rsp->data + resp_data_len, where resp_data_len is the full 32-bit value supplied by the SRP target and is never checked against the number of bytes actually received (wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so at most 96 bytes are copied, but the source offset is not bounded. A malicious or compromised SRP target on the InfiniBand/RoCE fabric that the initiator has logged into can return an SRP_RSP with SRP_RSP_FLAG_SNSVALID set and a large resp_data_len.
- CVE-2026-53208 unscored
Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
Linux kernel - Bluetooth L2CAP (net/bluetooth)
net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms. Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands.
- CVE-2026-52995 unscored
net/rds: zero per-item info buffer before handing it to visitors
Linux kernel - RDS (net/rds)
rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote. rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets).
- CVE-2026-53004 unscored
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
Linux kernel - SCTP (net/sctp)
sctp_getsockopt_peer_auth_chunks() checks that the caller's optval buffer is large enough for the peer AUTH chunk list with if (len < num_chunks) return -EINVAL; but then writes num_chunks bytes to p->gauth_chunks, which lives at offset offsetof(struct sctp_authchunks, gauth_chunks) == 8 inside optval. The check is missing the sizeof(struct sctp_authchunks) = 8-byte header. When the caller supplies len == num_chunks (for any num_chunks > 0) the test passes but copy_to_user() writes sizeof(struct sctp_authchunks) = 8 bytes past the declared buffer.