
Commit 3244613

Advisory Database Sync
1 parent 99426e3 commit 3244613


88 files changed, +3552 -0 lines changed

Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2chr-7vph-93pf",
4+
"modified": "2026-02-14T18:30:15Z",
5+
"published": "2026-02-14T18:30:14Z",
6+
"aliases": [
7+
"CVE-2026-23151"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix memory leak in set_ssp_complete\n\nFix memory leak in set_ssp_complete() where mgmt_pending_cmd structures\nare not freed after being removed from the pending list.\n\nCommit 302a1f674c00 (\"Bluetooth: MGMT: Fix possible UAFs\") replaced\nmgmt_pending_foreach() calls with individual command handling but missed\nadding mgmt_pending_free() calls in both error and success paths of\nset_ssp_complete(). Other completion functions like set_le_complete()\nwere fixed correctly in the same commit.\n\nThis causes a memory leak of the mgmt_pending_cmd structure and its\nassociated parameter data for each SSP command that completes.\n\nAdd the missing mgmt_pending_free(cmd) calls in both code paths to fix\nthe memory leak. Also fix the same issue in set_advertising_complete().",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23151"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/1850a558d116d7e3e2ef36d06a56f59b640cc214"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/3b6318505378828ee415d6ef678db6a74c077504"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [],
32+
"severity": null,
33+
"github_reviewed": false,
34+
"github_reviewed_at": null,
35+
"nvd_published_at": "2026-02-14T16:15:55Z"
36+
}
37+
}
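Review bot: `"affected": []` and `"severity": []` leave this record unmatchable, so an OSV consumer scanning kernel versions will never surface it; the three git.kernel.org stable commits listed under `references` are the fix points and should be turned into fixed-version ranges (or the record flagged as awaiting enrichment). `"cwe_ids": []` is also too thin for what `details` states plainly: `mgmt_pending_cmd` structures are never freed after removal from the pending list, one per completed SSP command, which is a memory leak (CWE-401, Missing Release of Memory after Effective Lifetime).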
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2j2f-9hjh-v2xm",
4+
"modified": "2026-02-14T18:30:15Z",
5+
"published": "2026-02-14T18:30:15Z",
6+
"aliases": [
7+
"CVE-2026-23150"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().\n\nsyzbot reported various memory leaks related to NFC, struct\nnfc_llcp_sock, sk_buff, nfc_dev, etc. [0]\n\nThe leading log hinted that nfc_llcp_send_ui_frame() failed\nto allocate skb due to sock_error(sk) being -ENXIO.\n\nENXIO is set by nfc_llcp_socket_release() when struct\nnfc_llcp_local is destroyed by local_cleanup().\n\nThe problem is that there is no synchronisation between\nnfc_llcp_send_ui_frame() and local_cleanup(), and skb\ncould be put into local->tx_queue after it was purged in\nlocal_cleanup():\n\n CPU1 CPU2\n ---- ----\n nfc_llcp_send_ui_frame() local_cleanup()\n |- do { '\n |- pdu = nfc_alloc_send_skb(..., &err)\n | .\n | |- nfc_llcp_socket_release(local, false, ENXIO);\n | |- skb_queue_purge(&local->tx_queue); |\n | ' |\n |- skb_queue_tail(&local->tx_queue, pdu); |\n ... |\n |- pdu = nfc_alloc_send_skb(..., &err) |\n ^._________________________________.'\n\nlocal_cleanup() is called for struct nfc_llcp_local only\nafter nfc_llcp_remove_local() unlinks it from llcp_devices.\n\nIf we hold local->tx_queue.lock then, we can synchronise\nthe thread and nfc_llcp_send_ui_frame().\n\nLet's do that and check list_empty(&local->list) before\nqueuing skb to local->tx_queue in nfc_llcp_send_ui_frame().\n\n[0]:\n[ 56.074943][ T6096] llcp: nfc_llcp_send_ui_frame: Could not allocate PDU (error=-6)\n[ 64.318868][ T5813] kmemleak: 6 new suspected memory leaks (see /sys/kernel/debug/kmemleak)\nBUG: memory leak\nunreferenced object 0xffff8881272f6800 (size 1024):\n comm \"syz.0.17\", pid 6096, jiffies 4294942766\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............\n backtrace (crc da58d84d):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node 
mm/slub.c:5284 [inline]\n __do_kmalloc_node mm/slub.c:5645 [inline]\n __kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658\n kmalloc_noprof include/linux/slab.h:961 [inline]\n sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239\n sk_alloc+0x36/0x360 net/core/sock.c:2295\n nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979\n llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044\n nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31\n __sock_create+0x1a9/0x340 net/socket.c:1605\n sock_create net/socket.c:1663 [inline]\n __sys_socket_create net/socket.c:1700 [inline]\n __sys_socket+0xb9/0x1a0 net/socket.c:1747\n __do_sys_socket net/socket.c:1761 [inline]\n __se_sys_socket net/socket.c:1759 [inline]\n __x64_sys_socket+0x1b/0x30 net/socket.c:1759\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nBUG: memory leak\nunreferenced object 0xffff88810fbd9800 (size 240):\n comm \"syz.0.17\", pid 6096, jiffies 4294942850\n hex dump (first 32 bytes):\n 68 f0 ff 08 81 88 ff ff 68 f0 ff 08 81 88 ff ff h.......h.......\n 00 00 00 00 00 00 00 00 00 68 2f 27 81 88 ff ff .........h/'....\n backtrace (crc 6cc652b1):\n kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]\n slab_post_alloc_hook mm/slub.c:4979 [inline]\n slab_alloc_node mm/slub.c:5284 [inline]\n kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5336\n __alloc_skb+0x203/0x240 net/core/skbuff.c:660\n alloc_skb include/linux/skbuff.h:1383 [inline]\n alloc_skb_with_frags+0x69/0x3f0 net/core/sk\n---truncated---",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23150"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/165c34fb6068ff153e3fc99a932a80a9d5755709"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/3098e5c8af0f4c8f7eebbb370798df8aa2e12ba5"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/61858cbce6ca4bef9ed116c689a4be9520841339"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/65e976e1f474ae3bf5681d7abafb8f3fdb34b8cc"
32+
},
33+
{
34+
"type": "WEB",
35+
"url": "https://git.kernel.org/stable/c/6734ff1ac6beba1d0c22dc9a3dc1849b773b511f"
36+
},
37+
{
38+
"type": "WEB",
39+
"url": "https://git.kernel.org/stable/c/ab660cb8e17aa93426d1e821c2cce60e4b9bc56a"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://git.kernel.org/stable/c/f8d002626d434f5fea9085e2557711c16a15cec6"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [],
48+
"severity": null,
49+
"github_reviewed": false,
50+
"github_reviewed_at": null,
51+
"nvd_published_at": "2026-02-14T16:15:55Z"
52+
}
53+
}
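Review bot: `details` is cut off mid-frame (`alloc_skb_with_frags+0x69/0x3f0 net/core/sk` followed by `---truncated---`), so the record ships half of a kmemleak backtrace instead of a usable description; keep the narrative through the `[0]:` marker and drop or link the raw syzbot report rather than truncating inside it. The narrative itself is precise enough to classify: an unsynchronised race between nfc_llcp_send_ui_frame() and local_cleanup() lets an skb be queued onto `local->tx_queue` after skb_queue_purge() has run, leaking the skb and the socket, yet `"cwe_ids": []` records nothing, and `"affected": []` ignores the seven stable fix commits under `references`.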
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2m65-7fpj-78p9",
4+
"modified": "2026-02-14T18:30:16Z",
5+
"published": "2026-02-14T18:30:16Z",
6+
"aliases": [
7+
"CVE-2026-23186"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()\n\nThe acpi_power_meter driver's .notify() callback function,\nacpi_power_meter_notify(), calls hwmon_device_unregister() under a lock\nthat is also acquired by callbacks in sysfs attributes of the device\nbeing unregistered which is prone to deadlocks between sysfs access and\ndevice removal.\n\nAddress this by moving the hwmon device removal in\nacpi_power_meter_notify() outside the lock in question, but notice\nthat doing it alone is not sufficient because two concurrent\nMETER_NOTIFY_CONFIG notifications may be attempting to remove the\nsame device at the same time. To prevent that from happening, add a\nnew lock serializing the execution of the switch () statement in\nacpi_power_meter_notify(). For simplicity, it is a static mutex\nwhich should not be a problem from the performance perspective.\n\nThe new lock also allows the hwmon_device_register_with_info()\nin acpi_power_meter_notify() to be called outside the inner lock\nbecause it prevents the other notifications handled by that function\nfrom manipulating the \"resource\" object while the hwmon device based\non it is being registered. The sending of ACPI netlink messages from\nacpi_power_meter_notify() is serialized by the new lock too which\ngenerally helps to ensure that the order of handling firmware\nnotifications is the same as the order of sending netlink messages\nrelated to them.\n\nIn addition, notice that hwmon_device_register_with_info() may fail\nin which case resource->hwmon_dev will become an error pointer,\nso add checks to avoid attempting to unregister the hwmon device\npointer to by it in that case to acpi_power_meter_notify() and\nacpi_power_meter_remove().",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23186"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/615901b57b7ef8eb655f71358f7e956e42bcd16b"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/8860ddf0e07be37169d4ef9f2618e39fca934a66"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [],
28+
"severity": null,
29+
"github_reviewed": false,
30+
"github_reviewed_at": null,
31+
"nvd_published_at": "2026-02-14T17:15:56Z"
32+
}
33+
}
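Review bot: `"cwe_ids": []` contradicts the description, which names the class explicitly: hwmon_device_unregister() is called under a lock also taken by the device's own sysfs attribute callbacks, so sysfs access racing device removal deadlocks (CWE-833, Deadlock). The same `details` also documents a second defect worth noting in the record, that hwmon_device_register_with_info() can fail and leave `resource->hwmon_dev` holding an error pointer that the unregister paths then try to use. With `"affected": []`, the two stable commits under `references` are the only indication of which kernels need the fix; populate the ranges from them.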
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-372h-fwqg-rp6x",
4+
"modified": "2026-02-14T18:30:14Z",
5+
"published": "2026-02-14T18:30:14Z",
6+
"aliases": [
7+
"CVE-2026-23143"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. 
See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23143"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [],
28+
"severity": null,
29+
"github_reviewed": false,
30+
"github_reviewed_at": null,
31+
"nvd_published_at": "2026-02-14T16:15:54Z"
32+
}
33+
}
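Review bot: the security-relevant consequence is buried at the end of `details` and not reflected anywhere in the metadata: because `rss_trailer.hash_key_data` and `rss_hash_key_data` were misaligned by one byte, the RSS key programmed into the device loses its last byte and gains a possibly uninitialized kernel byte at the front. `"cwe_ids": []` should at least carry the uninitialized-data aspect (CWE-908, Use of Uninitialized Resource), and `"severity": null` with `"affected": []` means nothing consuming this feed will rank or match it; the two stable fix commits under `references` give the version boundaries.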
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-398f-64gc-qxqm",
4+
"modified": "2026-02-14T18:30:15Z",
5+
"published": "2026-02-14T18:30:15Z",
6+
"aliases": [
7+
"CVE-2026-23159"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: sched: Fix perf crash with new is_user_task() helper\n\nIn order to do a user space stacktrace the current task needs to be a user\ntask that has executed in user space. It use to be possible to test if a\ntask is a user task or not by simply checking the task_struct mm field. If\nit was non NULL, it was a user task and if not it was a kernel task.\n\nBut things have changed over time, and some kernel tasks now have their\nown mm field.\n\nAn idea was made to instead test PF_KTHREAD and two functions were used to\nwrap this check in case it became more complex to test if a task was a\nuser task or not[1]. But this was rejected and the C code simply checked\nthe PF_KTHREAD directly.\n\nIt was later found that not all kernel threads set PF_KTHREAD. The io-uring\nhelpers instead set PF_USER_WORKER and this needed to be added as well.\n\nBut checking the flags is still not enough. There's a very small window\nwhen a task exits that it frees its mm field and it is set back to NULL.\nIf perf were to trigger at this moment, the flags test would say its a\nuser space task but when perf would read the mm field it would crash with\nat NULL pointer dereference.\n\nNow there are flags that can be used to test if a task is exiting, but\nthey are set in areas that perf may still want to profile the user space\ntask (to see where it exited). The only real test is to check both the\nflags and the mm field.\n\nInstead of making this modification in every location, create a new\nis_user_task() helper function that does all the tests needed to know if\nit is safe to read the user space memory or not.\n\n[1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23159"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/5aac392fcd3d981d7997f1a0766829e1afdeac2e"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/76ed27608f7dd235b727ebbb12163438c2fbb617"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/a28fce0365e1cb9cb8c04c893b9334e5ca9d9f1c"
28+
},
29+
{
30+
"type": "WEB",
31+
"url": "https://git.kernel.org/stable/c/d84a4836dc246b7dc244e46a08ff992956b68db0"
32+
}
33+
],
34+
"database_specific": {
35+
"cwe_ids": [],
36+
"severity": null,
37+
"github_reviewed": false,
38+
"github_reviewed_at": null,
39+
"nvd_published_at": "2026-02-14T16:15:56Z"
40+
}
41+
}
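Review bot: `"cwe_ids": []` is missing an obvious entry: `details` describes perf reading `task->mm` in the window where an exiting task has already set it to NULL, crashing on a NULL pointer dereference (CWE-476). The description also makes clear that the flag checks (PF_KTHREAD, PF_USER_WORKER) are insufficient on their own and that the new is_user_task() helper checks both flags and `mm`; that is the actual fix and should be what the record points at. `"affected": []` leaves the four stable commits under `references` unused as version ranges.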
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3jpp-f2wm-pcvv",
4+
"modified": "2026-02-14T18:30:16Z",
5+
"published": "2026-02-14T18:30:16Z",
6+
"aliases": [
7+
"CVE-2026-23185"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mld: cancel mlo_scan_start_wk\n\nmlo_scan_start_wk is not canceled on disconnection. In fact, it is not\ncanceled anywhere except in the restart cleanup, where we don't really\nhave to.\n\nThis can cause an init-after-queue issue: if, for example, the work was\nqueued and then drv_change_interface got executed.\n\nThis can also cause use-after-free: if the work is executed after the\nvif is freed.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23185"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/5ff641011ab7fb63ea101251087745d9826e8ef5"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/9b9f52f052f4953fecd2190ae2dde3aa76d10962"
24+
}
25+
],
26+
"database_specific": {
27+
"cwe_ids": [],
28+
"severity": null,
29+
"github_reviewed": false,
30+
"github_reviewed_at": null,
31+
"nvd_published_at": "2026-02-14T17:15:56Z"
32+
}
33+
}
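Review bot: the description names a use-after-free in as many words (mlo_scan_start_wk can run after the vif it references is freed, because it is never cancelled on disconnection), so `"cwe_ids": []` should carry CWE-416 (Use After Free); the init-after-queue case from drv_change_interface() is the second failure mode it describes. `"severity": []` and `"affected": []` make the advisory invisible to range matching even though the two stable commits under `references` pin the fix.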
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-3mg9-9f72-h562",
4+
"modified": "2026-02-14T18:30:16Z",
5+
"published": "2026-02-14T18:30:16Z",
6+
"aliases": [
7+
"CVE-2026-23201"
8+
],
9+
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix oops due to invalid pointer for kfree() in parse_longname()\n\nThis fixes a kernel oops when reading ceph snapshot directories (.snap),\nfor example by simply running `ls /mnt/my_ceph/.snap`.\n\nThe variable str is guarded by __free(kfree), but advanced by one for\nskipping the initial '_' in snapshot names. Thus, kfree() is called\nwith an invalid pointer. This patch removes the need for advancing the\npointer so kfree() is called with correct memory pointer.\n\nSteps to reproduce:\n\n1. Create snapshots on a cephfs volume (I've 63 snaps in my testcase)\n\n2. Add cephfs mount to fstab\n$ echo \"samba-fileserver@.files=/volumes/datapool/stuff/3461082b-ecc9-4e82-8549-3fd2590d3fb6 /mnt/test/stuff ceph acl,noatime,_netdev 0 0\" >> /etc/fstab\n\n3. Reboot the system\n$ systemctl reboot\n\n4. Check if it's really mounted\n$ mount | grep stuff\n\n5. List snapshots (expected 63 snapshots on my system)\n$ ls /mnt/test/stuff/.snap\n\nNow ls hangs forever and the kernel log shows the oops.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23201"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://git.kernel.org/stable/c/8c9af7339de419819cfc641d551675d38ff99abf"
20+
},
21+
{
22+
"type": "WEB",
23+
"url": "https://git.kernel.org/stable/c/bc8dedae022ce3058659c3addef3ec4b41d15e00"
24+
},
25+
{
26+
"type": "WEB",
27+
"url": "https://git.kernel.org/stable/c/e258ed369c9e04caa7d2fd49785d753ae4034cb6"
28+
}
29+
],
30+
"database_specific": {
31+
"cwe_ids": [],
32+
"severity": null,
33+
"github_reviewed": false,
34+
"github_reviewed_at": null,
35+
"nvd_published_at": "2026-02-14T17:15:57Z"
36+
}
37+
}
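Review bot: this record under-describes an easily reachable crash. `details` gives a complete reproducer (`ls /mnt/test/stuff/.snap` on a cephfs mount with snapshots hangs ls and oopses the kernel), and the root cause is kfree() being handed a pointer that was advanced past the start of the allocation to skip the leading `_`, which is exactly CWE-761 (Free of Pointer not at Start of Buffer); `"cwe_ids": []` should say so. The fstab line in the reproducer embeds a site-specific volume path and UUID; that is harmless but worth generalising if the text is ever edited. `"affected": []` again leaves the three stable fix commits under `references` unused.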
