[Bug 2154172] Re: GRO managed-frag use-after-free leading to local privilege escalation

Thu, 28 May 2026 08:35:52 -0700 

This bug was fixed in the package linux - 6.8.0-124.124

---------------
linux (6.8.0-124.124) noble; urgency=medium

  * GRO managed-frag use-after-free leading to local privilege escalation
    (LP: #2154172)
    - net: gro: don't merge zcopy skbs

linux (6.8.0-121.121) noble; urgency=medium

  * apparmor (LP: #2151747)
    - apparmor: Fix incorrect profile->signal range check
    - SAUCE: apparmor: pass big_resp to handler
    - SAUCE: apparmor: remove redundant kref_init for listener->count
    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb

  * apparmor (LP: #2151747) // CVE-2026-47337
    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr

  * apparmor (LP: #2151747) // CVE-2026-47336
    - SAUCE: apparmor: fix use of unintialized variable in net opt level

  * apparmor (LP: #2151747) // CVE-2026-47335
    - SAUCE: apparmor: fix possible NULL pointer dereference by adding a NULL
      check

  * apparmor (LP: #2151747) // CVE-2026-47334
    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock

  * apparmor (LP: #2151747) // CVE-2026-47333
    - SAUCE: apparmor: fix dfa unpacking size of the notification filter

  * apparmor (LP: #2151747) // CVE-2026-47332
    - SAUCE: apparmor: fix size check against type instead of pointer

  * apparmor (LP: #2151747) // CVE-2026-47331
    - SAUCE: apparmor: fix changing rules list without a lock

  * apparmor: LLVM/clang build failure due to uninitialized variable in
    notify.c (LP: #2148809) // CVE-2026-47330
    - SAUCE: apparmor: initialize variable used in uninitialized context

  * apparmor (LP: #2151747) // CVE-2026-47329
    - SAUCE: apparmor: fix name validation bypass on notification

  * apparmor (LP: #2151747) // CVE-2026-47327 // CVE-2026-47328
    - SAUCE: apparmor: fix glob memory leak after kstrdup

  * apparmor (LP: #2151747) // CVE-2026-47326
    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer

linux (6.8.0-120.120) noble; urgency=medium

  * noble/linux: 6.8.0-120.120 -proposed tracker (LP: #2153733)

  * Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts

  * CVE-2026-46300
    - net: skbuff: preserve shared-frag marker during coalescing
    - net: skbuff: propagate shared-frag marker through frag-transfer helpers

  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)
    - net/rds: reset op_nents when zerocopy page pin fails

  * CVE-2026-46333
    - ptrace: slightly saner 'get_dumpable()' logic

  * CVE-2026-43500
    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
    - rxrpc: Parse received packets before dealing with timeouts
    - rxrpc: Fix potential UAF after skb_unshare() failure
    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present

  * CVE-2026-31676 // CVE-2026-43500
    - rxrpc: only handle RESPONSE during service challenge

  * CVE-2026-43284
    - xfrm: esp: avoid in-place decrypt on shared skb frags

 -- Manuel Diewald <[email protected]>  Tue, 26 May 2026
11:55:59 +0200

** Changed in: linux (Ubuntu Noble)
       Status: In Progress => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2026-31676

** CVE added: https://cve.org/CVERecord?id=CVE-2026-43284

** CVE added: https://cve.org/CVERecord?id=CVE-2026-43500

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46300

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46333

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47326

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47327

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47328

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47329

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47330

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47331

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47332

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47333

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47334

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47335

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47336

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47337

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2154172

Title:
  GRO managed-frag use-after-free leading to local privilege escalation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2154172/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to