MontaVista CVE List and Response
MontaVista continually monitors the security community and customers for threats. We follow the community on CVE scoring (NVD) and set fix priority accordingly for affected products. Please view the following CVEs that have been remediated or are in process by clicking the CVE Year to the left or use the CVE Filters below.
For inquiries regarding Security Vulnerabilities, please see our Vulnerability Response Policy or email our PSIRT team security@mvista.com. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.
| CVE | Score | Severity | Package | Description | Published |
|---|---|---|---|---|---|
| CVE-2026-35334 |
7.5 (i)
| HIGH | strongswan | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | 2026-06-11 |
| CVE-2026-42014 |
4.0 (i)
| MEDIUM | gnutls | ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. | 2026-06-08 |
| CVE-2026-50219 |
5.9 (i)
| MEDIUM | libexpat | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, | 2026-06-04 |
| CVE-2026-48681 |
8.1 (i)
| HIGH | ironic | OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. | 2026-06-04 |
| CVE-2026-46447 |
7.7 (i)
| HIGH | ironic | OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | 2026-06-03 |
| CVE-2026-45702 |
5.5 (i)
| MEDIUM | op-tee | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue. | 2026-06-03 |
| CVE-2026-46272 |
4.7 (i)
| MEDIUM | kernel | In the Linux kernel, the following vulnerability has been resolved:coresight: tmc-etr: Fix race condition between sysfs and perf modeWhen trying to run perf and sysfs mode simultaneously, the WARN_ON()in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]---Since the enablement of sysfs mode is separeted into two critical regions,one for sysfs buffer allocation and another for hardware enablement, it'spossible to race with the perf mode. Fix this by double check whetherthe perf mode's been used before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN sicne etr_buf initialized at the perf side spin_unlock(&drvdata->spinlock)With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf.This ensures we verify whether the perf mode's already running before weactually allocate the buffer. Then we can save the time ofallocating/freeing the sysfs buffer if race with the perf mode. | 2026-06-03 |
| CVE-2026-46269 |
5.5 (i)
| MEDIUM | kernel | In the Linux kernel, the following vulnerability has been resolved:pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetreeWhen probing the k230 pinctrl driver, the kernel triggers a NULL pointerdereference. The crash trace showed:[ 0.732084] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068[ 0.740737] ...[ 0.776296] epc : k230_pinctrl_probe+0x1be/0x4fcIn k230_pinctrl_parse_functions(), we attempt to retrieve the devicepointer via info->pctl_dev->dev, but info->pctl_dev is only initializedafter k230_pinctrl_parse_dt() completes.At the time of DT parsing, info->pctl_dev is still NULL, leading tothe invalid dereference of info->pctl_dev->dev.Use the already available device pointer from platform_deviceinstead of accessing through uninitialized pctl_dev. | 2026-06-03 |
| CVE-2026-46268 |
5.5 (i)
| MEDIUM | kernel | In the Linux kernel, the following vulnerability has been resolved:PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning conditionCommit b7e282378773 has already changed the initial page refcount ofp2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses"VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert the initial pagerefcount should not be zero and the following will be reported whenCONFIG_DEBUG_VM is enabled: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000 flags: 0x20000000002000(reserved|node=0|zone=4) raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) ------------[ cut here ]------------ WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60Fix by using "page_ref_count(page)" as the assertion condition. | 2026-06-03 |
| CVE-2026-46267 |
7.8 (i)
| MEDIUM | kernel | In the Linux kernel, the following vulnerability has been resolved:nfc: hci: shdlc: Stop timers and work before freeing contextllc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlcstructure while its timers and state machine work may still be active.Timer callbacks can schedule sm_work, and sm_work accesses SHDLC stateand the skb queues. If teardown happens in parallel with a queued/runningwork item, it can lead to UAF and other shutdown races.Stop all SHDLC timers and cancel sm_work synchronously before purging thequeues and freeing the context.Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-06-03 |