{"schema_version":"1.7.2","id":"OESA-2026-2311","modified":"2026-05-15T14:00:51Z","published":"2026-05-15T14:00:51Z","upstream":["CVE-2026-23317","CVE-2026-31404","CVE-2026-31419","CVE-2026-31441","CVE-2026-31448","CVE-2026-31476","CVE-2026-31504","CVE-2026-31515","CVE-2026-31521","CVE-2026-31523","CVE-2026-31555","CVE-2026-31560","CVE-2026-31592","CVE-2026-31628","CVE-2026-31630","CVE-2026-31667","CVE-2026-31673","CVE-2026-31674","CVE-2026-31679","CVE-2026-31682","CVE-2026-31697","CVE-2026-31698","CVE-2026-31699","CVE-2026-31773","CVE-2026-31787","CVE-2026-43020","CVE-2026-43049","CVE-2026-43064","CVE-2026-43079","CVE-2026-43124","CVE-2026-43284"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Return the correct value in vmw_translate_ptr functions\n\nBefore the referenced fixes these functions used a lookup function that\nreturned a pointer. This was changed to another lookup function that\nreturned an error code with the pointer becoming an out parameter.\n\nThe error path when the lookup failed was not changed to reflect this\nchange and the code continued to return the PTR_ERR of the now\nuninitialized pointer. This could cause the vmw_translate_ptr functions\nto return success when they actually failed causing further uninitialized\nand OOB accesses.(CVE-2026-23317)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callbacks\n\nsvc_export_put() calls path_put() and auth_domain_put() immediately\nwhen the last reference drops, before the RCU grace period. RCU\nreaders in e_show() and c_show() access both ex_path (via\nseq_path/d_path) and ex_client->name (via seq_escape) without\nholding a reference. If cache_clean removes the entry and drops the\nlast reference concurrently, the sub-objects are freed while still\nin use, producing a NULL pointer dereference in d_path.\n\nCommit 2530766492ec ("nfsd: fix UAF when access ex_uuid or\nex_stats") moved kfree of ex_uuid and ex_stats into the\ncall_rcu callback, but left path_put() and auth_domain_put() running\nbefore the grace period because both may sleep and call_rcu\ncallbacks execute in softirq context.\n\nReplace call_rcu/kfree_rcu with queue_rcu_work(), which defers the\ncallback until after the RCU grace period and executes it in process\ncontext where sleeping is permitted. This allows path_put() and\nauth_domain_put() to be moved into the deferred callback alongside\nthe other resource releases. Apply the same fix to expkey_put(),\nwhich has the identical pattern with ek_path and ek_client.\n\nA dedicated workqueue scopes the shutdown drain to only NFSD\nexport release work items; flushing the shared\nsystem_unbound_wq would stall on unrelated work from other\nsubsystems. nfsd_export_shutdown() uses rcu_barrier() followed\nby flush_workqueue() to ensure all deferred release callbacks\ncomplete before the export caches are destroyed.\n\nReviwed-by: Jeff Layton <(CVE-2026-31404)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is "last" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  This preserves the\nzero-copy optimization for the last slave while making the "last"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================(CVE-2026-31419)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix memory leak when a wq is reset\n\nidxd_wq_disable_cleanup() which is called from the reset path for a\nworkqueue, sets the wq type to NONE, which for other parts of the\ndriver mean that the wq is empty (all its resources were released).\n\nOnly set the wq type to NONE after its resources are released.(CVE-2026-31441)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n"inserted" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we've\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I'd just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline](CVE-2026-31448)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: do not expire session on binding failure\n\nWhen a multichannel session binding request fails (e.g. wrong password),\nthe error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.\nHowever, during binding, sess points to the target session looked up via\nksmbd_session_lookup_slowpath() -- which belongs to another connection's\nuser. This allows a remote attacker to invalidate any active session by\nsimply sending a binding request with a wrong password (DoS).\n\nFix this by skipping session expiration when the failed request was\na binding attempt, since the session does not belong to the current\nconnection. The reference taken by ksmbd_session_lookup_slowpath() is\nstill correctly released via ksmbd_user_session_put().(CVE-2026-31476)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix fanout UAF in packet_release() via NETDEV_UP race\n\n`packet_release()` has a race window where `NETDEV_UP` can re-register a\nsocket into a fanout group's `arr[]` array. The re-registration is not\ncleaned up by `fanout_release()`, leaving a dangling pointer in the fanout\narray.\n`packet_release()` does NOT zero `po->num` in its `bind_lock` section.\nAfter releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`\nstill matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`\nthat already found the socket in `sklist` can re-register the hook.\nFor fanout sockets, this re-registration calls `__fanout_link(sk, po)`\nwhich adds the socket back into `f->arr[]` and increments `f->num_members`,\nbut does NOT increment `f->sk_ref`.\n\nThe fix sets `po->num` to zero in `packet_release` while `bind_lock` is\nheld to prevent NETDEV_UP from linking, preventing the race window.\n\nThis bug was found following an additional audit with Claude Code based\non CVE-2025-38617.(CVE-2026-31504)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_key: validate families in pfkey_send_migrate()\n\nsyzbot was able to trigger a crash in skb_put() [1]\n\nIssue is that pfkey_send_migrate() does not check old/new families,\nand that set_ipsecrequest() @family argument was truncated,\nthus possibly overfilling the skb.\n\nValidate families early, do not wait set_ipsecrequest().\n\n[1]\n\nskbuff: skb_over_panic: text:ffffffff8a752120 len:392 put:16 head:ffff88802a4ad040 data:ffff88802a4ad040 tail:0x188 end:0x180 dev:<NULL>\n kernel BUG at net/core/skbuff.c:214 !\nCall Trace:\n <TASK>\n  skb_over_panic net/core/skbuff.c:219 [inline]\n  skb_put+0x159/0x210 net/core/skbuff.c:2655\n  skb_put_zero include/linux/skbuff.h:2788 [inline]\n  set_ipsecrequest net/key/af_key.c:3532 [inline]\n  pfkey_send_migrate+0x1270/0x2e50 net/key/af_key.c:3636\n  km_migrate+0x155/0x260 net/xfrm/xfrm_state.c:2848\n  xfrm_migrate+0x2140/0x2450 net/xfrm/xfrm_policy.c:4705\n  xfrm_do_migrate+0x8ff/0xaa0 net/xfrm/xfrm_user.c:3150(CVE-2026-31515)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nmodule: Fix kernel panic when a symbol st_shndx is out of bounds\n\nThe module loader doesn't check for bounds of the ELF section index in\nsimplify_symbols():\n\n       for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {\n\t\tconst char *name = info->strtab + sym[i].st_name;\n\n\t\tswitch (sym[i].st_shndx) {\n\t\tcase SHN_COMMON:\n\n\t\t[...]\n\n\t\tdefault:\n\t\t\t/* Divert to percpu allocation if a percpu var. */\n\t\t\tif (sym[i].st_shndx == info->index.pcpu)\n\t\t\t\tsecbase = (unsigned long)mod_percpu(mod);\n\t\t\telse\n  /** HERE --> **/\t\tsecbase = info->sechdrs[sym[i].st_shndx].sh_addr;\n\t\t\tsym[i].st_value += secbase;\n\t\t\tbreak;\n\t\t}\n\t}\n\nA symbol with an out-of-bounds st_shndx value, for example 0xffff\n(known as SHN_XINDEX or SHN_HIRESERVE), may cause a kernel panic:\n\n  BUG: unable to handle page fault for address: ...\n  RIP: 0010:simplify_symbols+0x2b2/0x480\n  ...\n  Kernel panic - not syncing: Fatal exception\n\nThis can happen when module ELF is legitimately using SHN_XINDEX or\nwhen it is corrupted.\n\nAdd a bounds check in simplify_symbols() to validate that st_shndx is\nwithin the valid range before using it.\n\nThis issue was discovered due to a bug in llvm-objcopy, see relevant\ndiscussion for details [1].\n\n[1] https://lore.kernel.org/linux-modules/(CVE-2026-31521)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: ensure we're polling a polled queue\n\nA user can change the polled queue count at run time. There's a brief\nwindow during a reset where a hipri task may try to poll that queue\nbefore the block layer has updated the queue maps, which would race with\nthe now interrupt driven queue and may cause double completions.(CVE-2026-31523)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Clear stale exiting pointer in futex_lock_pi() retry path\n\nFuzzying/stressing futexes triggered:\n\n    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524\n\nWhen futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY\nand stores a refcounted task pointer in 'exiting'.\n\nAfter wait_for_owner_exiting() consumes that reference, the local pointer\nis never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a\ndifferent error, the bogus pointer is passed to wait_for_owner_exiting().\n\n  CPU0\t\t\t     CPU1\t\t       CPU2\n  futex_lock_pi(uaddr)\n  // acquires the PI futex\n  exit()\n    futex_cleanup_begin()\n      futex_state = EXITING;\n\t\t\t     futex_lock_pi(uaddr)\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t attach_to_pi_owner()\n\t\t\t\t   // observes EXITING\n\t\t\t\t   *exiting = owner;  // takes ref\n\t\t\t\t   return -EBUSY\n\t\t\t       wait_for_owner_exiting(-EBUSY, owner)\n\t\t\t\t put_task_struct();   // drops ref\n\t\t\t       // exiting still points to owner\n\t\t\t       goto retry;\n\t\t\t       futex_lock_pi_atomic()\n\t\t\t\t lock_pi_update_atomic()\n\t\t\t\t   cmpxchg(uaddr)\n\t\t\t\t\t*uaddr ^= WAITERS // whatever\n\t\t\t\t   // value changed\n\t\t\t\t return -EAGAIN;\n\t\t\t       wait_for_owner_exiting(-EAGAIN, exiting) // stale\n\t\t\t\t WARN_ON_ONCE(exiting)\n\nFix this by resetting upon retry, essentially aligning it with requeue_pi.(CVE-2026-31555)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-dw-dma: fix print error log when wait finish transaction\n\nIf an error occurs, the device may not have a current message. In this\ncase, the system will crash.\n\nIn this case, it's better to use dev from the struct ctlr (struct spi_controller*).(CVE-2026-31560)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock\n\nTake and hold kvm->lock for before checking sev_guest() in\nsev_mem_enc_register_region(), as sev_guest() isn't stable unless kvm->lock\nis held (or KVM can guarantee KVM_SEV_INIT{2} has completed and can't\nrollack state).  If KVM_SEV_INIT{2} fails, KVM can end up trying to add to\na not-yet-initialized sev->regions_list, e.g. triggering a #GP\n\n  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI\n  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\n  CPU: 110 UID: 0 PID: 72717 Comm: syz.15.11462 Tainted: G     U  W  O        6.16.0-smp-DEV #1 NONE\n  Tainted: [U]=USER, [W]=WARN, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024\n  RIP: 0010:sev_mem_enc_register_region+0x3f0/0x4f0 ../include/linux/list.h:83\n  Code: <41> 80 3c 04 00 74 08 4c 89 ff e8 f1 c7 a2 00 49 39 ed 0f 84 c6 00\n  RSP: 0018:ffff88838647fbb8 EFLAGS: 00010256\n  RAX: dffffc0000000000 RBX: 1ffff92015cf1e0b RCX: dffffc0000000000\n  RDX: 0000000000000000 RSI: 0000000000001000 RDI: ffff888367870000\n  RBP: ffffc900ae78f050 R08: ffffea000d9e0007 R09: 1ffffd4001b3c000\n  R10: dffffc0000000000 R11: fffff94001b3c001 R12: 0000000000000000\n  R13: ffff8982ab0bde00 R14: ffffc900ae78f058 R15: 0000000000000000\n  FS:  00007f34e9dc66c0(0000) GS:ffff89ee64d33000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007fe180adef98 CR3: 000000047210e000 CR4: 0000000000350ef0\n  Call Trace:\n   <TASK>\n   kvm_arch_vm_ioctl+0xa72/0x1240 ../arch/x86/kvm/x86.c:7371\n   kvm_vm_ioctl+0x649/0x990 ../virt/kvm/kvm_main.c:5363\n   __se_sys_ioctl+0x101/0x170 ../fs/ioctl.c:51\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x6f/0x1f0 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f34e9f7e9a9\n  Code: <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f34e9dc6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 00007f34ea1a6080 RCX: 00007f34e9f7e9a9\n  RDX: 0000200000000280 RSI: 000000008010aebb RDI: 0000000000000007\n  RBP: 00007f34ea000d69 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f34ea1a6080 R15: 00007ffce77197a8\n   </TASK>\n\nwith a syzlang reproducer that looks like:\n\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000040)={0x0, &(0x7f0000000180)=ANY=[], 0x70}) (async)\n  syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000080)={0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="..."], 0x4f}) (async)\n  r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)\n  r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)\n  r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0)\n  r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)\n  ioctl$KVM_SET_CLOCK(r3, 0xc008aeba, &(0x7f0000000040)={0x1, 0x8, 0x0, 0x5625e9b0}) (async)\n  ioctl$KVM_SET_PIT2(r3, 0x8010aebb, &(0x7f0000000280)={[...], 0x5}) (async)\n  ioctl$KVM_SET_PIT2(r1, 0x4070aea0, 0x0) (async)\n  r4 = ioctl$KVM_CREATE_VM(0xffffffffffffffff, 0xae01, 0x0)\n  openat$kvm(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)\n  ioctl$KVM_SET_USER_MEMORY_REGION(r4, 0x4020ae46, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000001000/0x2000)=nil}) (async)\n  r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x2)\n  close(r0) (async)\n  openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x8000, 0x0) (async)\n  ioctl$KVM_SET_GUEST_DEBUG(r5, 0x4048ae9b, &(0x7f0000000300)={0x4376ea830d46549b, 0x0, [0x46, 0x0, 0x0, 0x0, 0x0, 0x1000]}) (async)\n  ioctl$KVM_RUN(r5, 0xae80, 0x0)\n\nOpportunistically use guard() to avoid having to define a new error label\nand goto usage.(CVE-2026-31592)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU: Fix FPDSS on Zen1\n\nZen1's hardware divider can leave, under certain circumstances, partial\nresults from previous operations.  Those results can be leaked by\nanother, attacker thread.\n\nFix that with a chicken bit.(CVE-2026-31628)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: proc: size address buffers for %pISpc output\n\nThe AF_RXRPC procfs helpers format local and remote socket addresses into\nfixed 50-byte stack buffers with "%pISpc".\n\nThat is too small for the longest current-tree IPv6-with-port form the\nformatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a\ndotted-quad tail not only for v4mapped addresses, but also for ISATAP\naddresses via ipv6_addr_is_isatap().\n\nAs a result, a case such as\n\n  [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535\n\nis possible with the current formatter. That is 50 visible characters, so\n51 bytes including the trailing NUL, which does not fit in the existing\nchar[50] buffers used by net/rxrpc/proc.c.\n\nSize the buffers from the formatter's maximum textual form and switch the\ncall sites to scnprintf().\n\nChanges since v1:\n- correct the changelog to cite the actual maximum current-tree case\n  explicitly\n- frame the proof around the ISATAP formatting path instead of the earlier\n  mapped-v4 example(CVE-2026-31630)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nInput: uinput - fix circular locking dependency with ff-core\n\nA lockdep circular locking dependency warning can be triggered\nreproducibly when using a force-feedback gamepad with uinput (for\nexample, playing ELDEN RING under Wine with a Flydigi Vader 5\ncontroller):\n\n  ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex\n\nThe cycle is caused by four lock acquisition paths:\n\n1. ff upload: input_ff_upload() holds ff->mutex and calls\n   uinput_dev_upload_effect() -> uinput_request_submit() ->\n   uinput_request_send(), which acquires udev->mutex.\n\n2. device create: uinput_ioctl_handler() holds udev->mutex and calls\n   uinput_create_device() -> input_register_device(), which acquires\n   input_mutex.\n\n3. device register: input_register_device() holds input_mutex and\n   calls kbd_connect() -> input_register_handle(), which acquires\n   dev->mutex.\n\n4. evdev release: evdev_release() calls input_flush_device() under\n   dev->mutex, which calls input_ff_flush() acquiring ff->mutex.\n\nFix this by introducing a new state_lock spinlock to protect\nudev->state and udev->dev access in uinput_request_send() instead of\nacquiring udev->mutex.  The function only needs to atomically check\ndevice state and queue an input event into the ring buffer via\nuinput_dev_event() -- both operations are safe under a spinlock\n(ktime_get_ts64() and wake_up_interruptible() do not sleep).  This\nbreaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in\nthe lock ordering and cannot form cycles with mutexes.\n\nTo keep state transitions visible to uinput_request_send(), protect\nwrites to udev->state in uinput_create_device() and\nuinput_destroy_device() with the same state_lock spinlock.\n\nAdditionally, move init_completion(&request->done) from\nuinput_request_send() to uinput_request_submit() before\nuinput_request_reserve_slot().  Once the slot is allocated,\nuinput_flush_requests() may call complete() on it at any time from\nthe destroy path, so the completion must be initialised before the\nrequest becomes visible.\n\nLock ordering after the fix:\n\n  ff->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> state_lock (spinlock, leaf)\n  udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge)(CVE-2026-31667)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: read UNIX_DIAG_VFS data under unix_state_lock\n\nExact UNIX diag lookups hold a reference to the socket, but not to\nu->path. Meanwhile, unix_release_sock() clears u->path under\nunix_state_lock() and drops the path reference after unlocking.\n\nRead the inode and device numbers for UNIX_DIAG_VFS while holding\nunix_state_lock(), then emit the netlink attribute after dropping the\nlock.\n\nThis keeps the VFS data stable while the reply is being built.(CVE-2026-31673)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()\n\nReject rt match rules whose addrnr exceeds IP6T_RT_HOPS.\n\nrt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[].\nValidate addrnr during rule installation so malformed rules are rejected\nbefore the match logic can use an out-of-range value.(CVE-2026-31674)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nopenvswitch: validate MPLS set/set_masked payload length\n\nvalidate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for\nSET/SET_MASKED actions. In action handling, OVS expects fixed-size\nMPLS key data (struct ovs_key_mpls).\n\nUse the already normalized key_len (masked case included) and reject\nnon-matching MPLS action key sizes.\n\nReject invalid MPLS action payload lengths early.(CVE-2026-31679)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbridge: br_nd_send: linearize skb before parsing ND options\n\nbr_nd_send() parses neighbour discovery options from ns->opt[] and\nassumes that these options are in the linear part of request.\n\nIts callers only guarantee that the ICMPv6 header and target address\nare available, so the option area can still be non-linear. Parsing\nns->opt[] in that case can access data past the linear buffer.\n\nLinearize request before option parsing and derive ns from the linear\nnetwork header.(CVE-2026-31682)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy ID to userspace if PSP command failed\n\nWhen retrieving the ID for the CPU, don't attempt to copy the ID blob to\nuserspace if the firmware command failed.  If the failure was due to an\ninvalid length, i.e. the userspace buffer+length was too small, copying\nthe number of bytes _firmware_ requires will overflow the kernel-allocated\nbuffer and leak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388\n\n  CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222\n   sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.(CVE-2026-31697)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed\n\nWhen retrieving the PDH cert, don't attempt to copy the blobs to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033\n\n  CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc.                                                       Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347\n   sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.(CVE-2026-31698)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed\n\nWhen retrieving the PEK CSR, don't attempt to copy the blob to userspace\nif the firmware command failed.  If the failure was due to an invalid\nlength, i.e. the userspace buffer+length was too small, copying the number\nof bytes _firmware_ requires will overflow the kernel-allocated buffer and\nleak data to userspace.\n\n  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n  Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405\n\n  CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G     U     O        7.0.0-smp-DEV #28 PREEMPTLAZY\n  Tainted: [U]=USER, [O]=OOT_MODULE\n  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025\n  Call Trace:\n   <TASK>\n   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120\n   print_address_description ../mm/kasan/report.c:378 [inline]\n   print_report+0xbc/0x260 ../mm/kasan/report.c:482\n   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595\n   check_region_inline ../mm/kasan/generic.c:-1 [inline]\n   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200\n   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]\n   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]\n   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26\n   copy_to_user ../include/linux/uaccess.h:236 [inline]\n   sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872\n   sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562\n   vfs_ioctl ../fs/ioctl.c:51 [inline]\n   __do_sys_ioctl ../fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583\n   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n   </TASK>\n\nWARN if the driver says the command succeeded, but the firmware error code\nsays otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any\nfirwmware error.(CVE-2026-31699)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SMP: derive legacy responder STK authentication from MITM state\n\nThe legacy responder path in smp_random() currently labels the stored\nSTK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.\nThat reflects what the local service requested, not what the pairing\nflow actually achieved.\n\nFor Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear\nand the resulting STK should remain unauthenticated even if the local\nside requested HIGH security. Use the established MITM state when\nstoring the responder STK so the key metadata matches the pairing result.\n\nThis also keeps the legacy path aligned with the Secure Connections code,\nwhich already treats JUST_WORKS/JUST_CFM as unauthenticated.(CVE-2026-31773)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nxen/privcmd: fix double free via VMA splitting\n\nprivcmd_vm_ops defines .close (privcmd_close), but neither .may_split\nnor .open. When userspace does a partial munmap() on a privcmd mapping,\nthe kernel splits the VMA via __split_vma(). Since may_split is NULL,\nthe split is allowed. vm_area_dup() copies vm_private_data (a pages\narray allocated in alloc_empty_pages()) into the new VMA without any\nfixup, because there is no .open callback.\n\nBoth VMAs now point to the same pages array. When the unmapped portion\nis closed, privcmd_close() calls:\n    - xen_unmap_domain_gfn_range()\n    - xen_free_unpopulated_pages()\n    - kvfree(pages)\n\nThe surviving VMA still holds the dangling pointer. When it is later\ndestroyed, the same sequence runs again, which leads to a double free.\n\nFix this issue by adding a .may_split callback denying the VMA split.\n\nThis is XSA-487 / CVE-2026-31787(CVE-2026-31787)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate LTK enc_size on load\n\nLoad Long Term Keys stores the user-provided enc_size and later uses\nit to size fixed-size stack operations when replying to LE LTK\nrequests. An enc_size larger than the 16-byte key buffer can therefore\noverflow the reply stack buffer.\n\nReject oversized enc_size values while validating the management LTK\nrecord so invalid keys never reach the stored key state.(CVE-2026-43020)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nHID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure\n\nPresently, if the force feedback initialisation fails when probing the\nLogitech G920 Driving Force Racing Wheel for Xbox One, an error number\nwill be returned and propagated before the userspace infrastructure\n(sysfs and /dev/input) has been torn down.  If userspace ignores the\nerrors and continues to use its references to these dangling entities, a\nUAF will promptly follow.\n\nWe have 2 options; continue to return the error, but ensure that all of\nthe infrastructure is torn down accordingly or continue to treat this\ncondition as a warning by emitting the message but returning success.\nIt is thought that the original author's intention was to emit the\nwarning but keep the device functional, less the force feedback feature,\nso let's go with that.(CVE-2026-43049)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix not releasing workqueue on .release()\n\nThe workqueue associated with an DSA/IAA device is not released when\nthe object is freed.(CVE-2026-43064)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel/uncore: Skip discovery table for offline dies\n\nThis warning can be triggered if NUMA is disabled and the system\nboots with fewer CPUs than the number of CPUs in die 0.\n\nWARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore]\n\nCurrently, the discovery table continues to be parsed even if all CPUs\nin the associated die are offline.  This can lead to an array overflow\nat "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may\ntrigger the warning above or cause other issues.(CVE-2026-43079)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\npstore: ram_core: fix incorrect success return when vmap() fails\n\nIn persistent_ram_vmap(), vmap() may return NULL on failure.\n\nIf offset is non-zero, adding offset_in_page(start) causes the function\nto return a non-NULL pointer even though the mapping failed.\npersistent_ram_buffer_map() therefore incorrectly returns success.\n\nSubsequent access to prz->buffer may dereference an invalid address\nand cause crashes.\n\nAdd proper NULL checking for vmap() failures.(CVE-2026-43124)\n\nIn the Linux kernel xfrm/ESP (IPsec) subsystem, when appending pipe pages to network packets (skb) via zero-copy mechanisms such as splice() / MSG_SPLICE_PAGES, IPv4/IPv6 datagram paths are not correctly marked with the SKBFL_SHARED_FRAG flag. The ESP receive path incorrectly treats these externally owned shared pages as private data, skipping the COW (copy-on-write) step and performing in-place decryption directly, allowing an attacker to pollute otherwise read-only pages in the page cache. Combined with CVE-2026-43500, a complete exploit chain can be formed, allowing local unprivileged users to obtain root privileges. This vulnerability affects almost all Linux distributions since 2017 (kernel ~ 4.10), including Ubuntu, RHEL, AlmaLinux, Debian, Fedora, etc. A public PoC has been released and signs of active exploitation have been observed.(CVE-2026-43284)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-314.0.0.217.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","bpftool-debuginfo-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-debuginfo-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-debugsource-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-devel-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-headers-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-source-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-tools-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-tools-debuginfo-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","kernel-tools-devel-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","perf-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","perf-debuginfo-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","python3-perf-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm","python3-perf-debuginfo-5.10.0-314.0.0.217.oe2203sp4.aarch64.rpm"],"src":["kernel-5.10.0-314.0.0.217.oe2203sp4.src.rpm"],"x86_64":["bpftool-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","bpftool-debuginfo-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-debuginfo-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-debugsource-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-devel-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-headers-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-source-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-tools-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-tools-debuginfo-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","kernel-tools-devel-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","perf-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","perf-debuginfo-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","python3-perf-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm","python3-perf-debuginfo-5.10.0-314.0.0.217.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2311"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23317"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31404"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31419"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31441"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31448"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31476"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31504"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31515"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31521"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31523"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31555"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31560"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31592"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31628"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31630"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31667"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31673"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31674"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31679"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31682"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31697"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31698"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31699"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31773"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31787"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43020"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43049"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43064"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43079"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43124"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43284"}],"database_specific":{"severity":"Critical"}}