CVE-2026-31772— Linux kernel 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-31772の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
ソース: NVD (National Vulnerability Database)
脆弱性説明
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync hci_le_big_create_sync() uses DEFINE_FLEX to allocate a struct hci_cp_le_big_create_sync on the stack with room for 0x11 (17) BIS entries. However, conn->num_bis can hold up to HCI_MAX_ISO_BIS (31) entries — validated against ISO_MAX_NUM_BIS (0x1f) in the caller hci_conn_big_create_sync(). When conn->num_bis is between 18 and 31, the memcpy that copies conn->bis into cp->bis writes up to 14 bytes past the stack buffer, corrupting adjacent stack memory. This is trivially reproducible: binding an ISO socket with bc_num_bis = ISO_MAX_NUM_BIS (31) and calling listen() will eventually trigger hci_le_big_create_sync() from the HCI command sync worker, causing a KASAN-detectable stack-out-of-bounds write: BUG: KASAN: stack-out-of-bounds in hci_le_big_create_sync+0x256/0x3b0 Write of size 31 at addr ffffc90000487b48 by task kworker/u9:0/71 Fix this by changing the DEFINE_FLEX count from the incorrect 0x11 to HCI_MAX_ISO_BIS, which matches the maximum number of BIS entries that conn->bis can actually carry.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Linux kernel 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于蓝牙HCI同步命令中栈缓冲区溢出,可能导致内存损坏。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2026-31772の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-31772のインテリジェンス情報
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-05-01 · 146 CVEs total
| CVE-2026-43037 | 9.8 CRITICAL | ip6_tunnel: clear skb2->cb[] in ip4ip6_err() |
| CVE-2026-43011 | 9.8 CRITICAL | net/x25: Fix potential double free of skb |
| CVE-2026-31705 | 9.8 CRITICAL | ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment |
| CVE-2026-43038 | 9.8 CRITICAL | ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() |
| CVE-2026-43039 | 9.8 CRITICAL | net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch |
| CVE-2026-31718 | 9.8 CRITICAL | ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger |
| CVE-2026-43018 | 8.8 HIGH | Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt |
| CVE-2026-31739 | 8.8 HIGH | crypto: tegra - Add missing CRYPTO_ALG_ASYNC |
| CVE-2026-31706 | 8.8 HIGH | ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() |
| CVE-2026-31709 | 8.8 HIGH | smb: client: validate the whole DACL before rewriting it in cifsacl |
| CVE-2026-43048 | 8.8 HIGH | HID: core: Mitigate potential OOB by removing bogus memset() |
| CVE-2026-31735 | 8.8 HIGH | iommupt: Fix short gather if the unmap goes into a large mapping |
| CVE-2026-31773 | 8.8 HIGH | Bluetooth: SMP: derive legacy responder STK authentication from MITM state |
| CVE-2026-31717 | 8.8 HIGH | ksmbd: validate owner of durable handle on reconnect |
| CVE-2026-31712 | 8.3 HIGH | ksmbd: require minimum ACE size in smb_check_perm_dacl() |
| CVE-2026-31779 | 8.1 HIGH | wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() |
| CVE-2026-31771 | 8.1 HIGH | Bluetooth: hci_event: move wake reason storage into validated event handlers |
| CVE-2026-43051 | 8.1 HIGH | HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq |
| CVE-2026-31708 | 8.1 HIGH | smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path |
| CVE-2026-31780 | 7.8 HIGH | wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation |
Showing 20 of 146 CVEs. View all on vendor page →
IV. 関連脆弱性
同じ製品: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
同じベンダー: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. CVE-2026-31772へのコメント
まだコメントはありません