From a82565f2a706527b681b9fa506caea6949bfcb11 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 8 May 2026 15:40:32 +0100
Subject: [PATCH 1/5] Analysis for CVE-2026-23193.yml
---
vulns/CVE-2026-23193.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2026-23193.yml
diff --git a/vulns/CVE-2026-23193.yml b/vulns/CVE-2026-23193.yml
new file mode 100644
index 0000000..faa61d8
--- /dev/null
+++ b/vulns/CVE-2026-23193.yml
@@ -0,0 +1,10 @@
+reachability: Remote
+memory_corruption: true
+bug_class: UaF
+impact: LPE
+privileges_required: false
+notes: |-
+ | memory corruption and LPE. Reachable only from host that an admin has
+ configured as an iSCSI target
+author: Oracle Corporation
+version: v0.1
From 779c4106402f37bf1d4601cf015f683863229c6b Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 8 May 2026 15:40:32 +0100
Subject: [PATCH 2/5] Analysis for CVE-2026-23216.yml
---
vulns/CVE-2026-23216.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 vulns/CVE-2026-23216.yml
diff --git a/vulns/CVE-2026-23216.yml b/vulns/CVE-2026-23216.yml
new file mode 100644
index 0000000..5b07a91
--- /dev/null
+++ b/vulns/CVE-2026-23216.yml
@@ -0,0 +1,11 @@
+reachability: Remote
+memory_corruption: true
+bug_class: UaF
+impact: LPE, RCE
+privileges_required: false
+notes: |-
+ | unauthenticated remote DoS, memory corruption and potentially RCE.
+ Exploitable only if the host is configured and exposed as an iSCSI target
+ (TCP/3260)
+author: Oracle Corporation
+version: v0.1
From 083351bafc292bfe9e620375bf6bb9846174fadb Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 8 May 2026 15:40:32 +0100
Subject: [PATCH 3/5] Analysis for CVE-2026-23270.yml
---
vulns/CVE-2026-23270.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2026-23270.yml
diff --git a/vulns/CVE-2026-23270.yml b/vulns/CVE-2026-23270.yml
new file mode 100644
index 0000000..8c257fc
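Review bot: The first content line of `notes` in CVE-2026-23193.yml starts with a literal `| `, which looks like a leftover block-scalar indicator after `notes: |-` and will become part of the stored text; the same stray `| ` opens the notes in CVE-2026-23216.yml. Dropping it gives `memory corruption and LPE. Reachable only from host that an admin has`. Separately, `reachability: Remote` sits next to `impact: LPE`, and the notes do not say whether the trigger comes from a remote initiator or from a local user on the target host; one sentence stating which would make the record usable for triage.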
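Review bot: `impact: LPE, RCE` in CVE-2026-23216.yml does not match its notes, which describe an unauthenticated remote DoS, memory corruption and possible RCE but never a local privilege escalation, while DoS is missing from the field. If the schema allows several impacts, list the ones the notes support, e.g. `impact: RCE, DoS`. The field format is also inconsistent across this series: CVE-2026-31402.yml writes `impact: RCE or DOS`, so a consumer has to parse two free-text forms and two spellings of DoS; one convention should be used in both files.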
--- /dev/null
+++ b/vulns/CVE-2026-23270.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: UAF
+impact: LPE
+privileges_required: false
+notes: |2-
+ unprivileged user can create a user + net namespace, obtain CAP_NET_ADMIN,
+ program tc filters, and hit a UAF that yields kernel memory corruption
+author: Oracle Corporation
+version: v0.1
From 20327511abe927f2f7d07ad3585fbce9287936e8 Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 8 May 2026 15:40:32 +0100
Subject: [PATCH 4/5] Analysis for CVE-2026-23278.yml
---
vulns/CVE-2026-23278.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 vulns/CVE-2026-23278.yml
diff --git a/vulns/CVE-2026-23278.yml b/vulns/CVE-2026-23278.yml
new file mode 100644
index 0000000..efb39ef
--- /dev/null
+++ b/vulns/CVE-2026-23278.yml
@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: true
+bug_class: Refcount Underflow
+impact: LPE
+privileges_required: false
+notes: |2-
+ local nf_tables catchall-map lifetime/refcount bug where incomplete
+ transaction cleanup can cause a refcoutn underflow.
+author: Oracle Corporation
+version: v0.1
From 8b2e261b8c8aa4b30dc81750f7c6a31301fc533c Mon Sep 17 00:00:00 2001
From: Oracle Linux CVE analysis bot
Date: Fri, 8 May 2026 15:40:32 +0100
Subject: [PATCH 5/5] Analysis for CVE-2026-31402.yml
---
vulns/CVE-2026-31402.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 vulns/CVE-2026-31402.yml
diff --git a/vulns/CVE-2026-31402.yml b/vulns/CVE-2026-31402.yml
new file mode 100644
index 0000000..766316d
--- /dev/null
+++ b/vulns/CVE-2026-31402.yml
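Review bot: `privileges_required: false` in CVE-2026-23270.yml holds only on hosts where an unprivileged user may create user namespaces, and the notes leave that precondition implicit. I would append a line such as `Requires unprivileged user namespace creation to be permitted (e.g. user.max_user_namespaces > 0).` so that hardened hosts can be triaged correctly. The field `bug_class: UAF` is also spelled differently from `bug_class: UaF` in CVE-2026-23193.yml and CVE-2026-23216.yml, so anything grouping records by this field will see two classes; pick one spelling.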
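Review bot: The notes in CVE-2026-23278.yml contain the typo `refcoutn`; the last line should read `transaction cleanup can cause a refcount underflow.` The record also sets `memory_corruption: true` and `impact: LPE` without saying how the underflow leads there (presumably an early free followed by reuse), and it sets `privileges_required: false` without naming the unprivileged path to nf_tables. If that path is the same user + net namespace route described in CVE-2026-23270.yml, the notes should say so, since it decides whether hosts with unprivileged user namespaces disabled are exposed.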
@@ -0,0 +1,11 @@
+reachability: Remote
+memory_corruption: true
+bug_class: Buffer Overflow
+impact: RCE or DOS
+privileges_required: false
+notes: |2-
+ Heap out-of-bounds write in nfsd NFSv4 LOCK replay cache. Remote,
+ unauthenticated attacker can overflow the 112-byte rp_ibuf with up to ~944
+ bytes via a crafted pair of LOCK requests.
+author: Oracle Corporation
+version: v0.1
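Review bot: The notes in CVE-2026-31402.yml give the overflow sizes but omit the exposure precondition that the two iSCSI records in this series state explicitly. From the wording, the bug appears to be reachable only on hosts that run the kernel NFS server with NFSv4 enabled and reachable by the attacker, so I would add a closing line such as `Affects only hosts running nfsd with NFSv4 enabled and exposed to the attacker.` It would also help to say whether "unauthenticated" assumes a particular export configuration, since that decides how many deployments are in scope.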