CVE-2026-53321

CVE-2026-53321 : In the Linux kernel, the io_uring/napi path was missing a cap on the maximum polling time when no events are found. The issue arises from napi potentially polling for longer than reasonable times, leading to task stagnation without conditional rescheduling. A fix caps the total b...

CVE-2026-53319

CVE-2026-53319 documents a Linux kernel change where blk-wbt’s wbt_init_enable_default() no longer triggers WARN_ON_ONCE for expected failure paths from wbt_alloc() and wbt_init(). The underlying issues are that wbt_alloc() may return NULL under memory pressure, and wbt_init() may fail with -EBUS...

CVE-2026-53318

CVE-2026-53318 describes a fix in the Linux kernel’s wireless stack: for mt76/mt7925, a NULL pointer dereference in mt7925_tx_check_aggr() was mitigated by moving the NULL check for the 'sta' pointer before its dereference, preventing a possible crash. The vulnerability affects the mt7925 compone...

CVE-2026-53315

CVE-2026-53315 affects the Linux kernel code path in drm/amd/ras. The vulnerability arises in ras_core_get_utc_second_timestamp(), which retrieves the current UTC second timestamp via a platform-specific RAS callback. If ras_core is NULL, the function could dereference ras_core->dev, causing a...

CVE-2026-53316

The CVE affects the Linux kernel DRM/AMD ras subsystem. A NULL pointer dereference could occur in ras_core_ras_interrupt_detected when ras_core is NULL and ras_core->dev is accessed in the error path. The issue has been resolved with a fix in the kernel code (details referenced in the advisory...

CVE-2026-53306

CVE-2026-53306 : In the Linux kernel, a bounds-related off-by-one was fixed in the hvc_iucv path used by tty. The issue stems from MAX_HVC_IUCV_LINES == 8 and hvc_iucv_devices allowed values 0..8; when devices == 8, one code path could access hvc_iucv_table[8] due to mismatched checks (a) vs (b)....

CVE-2026-53304

Summary (CVE-2026-53304): In the Linux kernel, the SCSI generic driver (sg) could incur a soft lockup when opening /dev/sgX due to an overridable def_reserved_size parameter. The value can bypass sg_proc_write_dressz validation if set via the module parameter, triggering a watchdog soft lockup (o...

CVE-2026-53305

The CVE-2026-53305 issue is in the Linux kernel driver for ps883x USB Type-C retimers. When unbinding a device to bind to vfio-platform (for example via the platform driver unbind path), an Oops occurs due to a NULL pointer dereference. The root cause is that the driver retrieves its per-client d...

CVE-2026-53302

The CVE concerns the Linux kernel’s crypto/eip93 path. Specifically, eip93_hmac_setkey() creates a temporary ahash transform using a driver name (e.g., sha256-eip93) but passes CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms. Since EIP93 hash algorithms are inherently async, the loo...

CVE-2026-53300

The CVE-2026-53300 issue in the Linux kernel net: enetc driver concerns a DMA use-after-free when handling NTMP commands. If netc_xmit_ntmp_cmd() times out and a command is not explicitly aborted, ntmp_free_data_mem() frees the DMA buffer, which may have been reallocated. This could allow silent ...

CVE-2026-53299

CVE-2026-53299 concerns the Linux kernel net/airoha driver. The issue arises when queue entry list allocation fails inside airoha_qdma_init_tx_queue; due to an early initialization of ndesc, airoha_qdma_cleanup_tx_queue() may dereference a NULL queue entry array. The fix moves ndesc initializatio...

CVE-2026-53298

CVE-2026-53298 (net: airoha) - Linux kernel : The issue arises in the airoha_qdma_init_rx_queue path where ndesc is initialized too early, causing a NULL pointer dereference in airoha_qdma_cleanup() if queue entry or DMA descriptor list allocation fails because netif_napi_add() was never executed...

CVE-2026-53296

The CVE-2026-53296 entry concerns the Linux kernel mailbox subsystem, specifically the mailbox-test path where channels are freed on probe error. The underlying issue is that channels obtained prior to a probe error must be freed to prevent resource leaks and avoidance of use-after-free (UAF) bec...

CVE-2026-53294

The CVE-2026-53294 entry concerns the Linux kernel mailbox subsystem. The issue arises in mailbox-test where the RX channel can be aliased to the TX channel if they have different MMIO, creating a special case that can lead to a double-free when freeing channels. The public descriptions indicate ...

CVE-2026-53291

CVE-2026-53291 (Linux kernel: ALSA HDA/Conexant) is about a missing error check in cx_probe() for snd_hda_jack_detect_enable_callback(). The function can return an error pointer on failure (e.g., memory allocation), and the code was ignoring this return value. If registration fails, jack-detectio...

CVE-2026-53289

In the Linux kernel ice driver, CVE-2026-53289 describes a NULL pointer dereference in ice_reset_all_vfs caused by ignoring the return value of ice_vf_rebuild_vsi(). If a VSI rebuild fails (e.g., during NVM firmware update), ice_vsi_rebuild_vsi leaves txq_map/rxq_map NULL and ice_vf_post_vsi_rebu...

CVE-2026-53287

The CVE-2026-53287 issue affects the Linux kernel’s audit CAPSET handling. __audit_log_capset() incorrectly records the effective capability (cap_effective) into the inheritable field, due to a copy-paste error, causing CAPSET audit records to report cap_pi (process inheritable) with the value of...

CVE-2026-53282

The CVE concerns the Linux kernel x86/kexec purgatory code used by kexec-tools. The issue arises when, in non-kjump kexec, the code looks above the top of the stack to locate a return address for kjump. A fix previously changed behavior to stop pushing an unused return address, but that change ca...

CVE-2026-53281

CVE-2026-53281 concerns the Linux kernel IOMMU VT-d path. The issue could trigger a NULL pointer dereference or refcount corruption during teardown if dev_pasid is not found in the dev_pasids list (remains NULL) or if the domain is never attached (info is NULL). The fix returns early when dev_pas...

CVE-2026-53279

The CVE-2026-53279 entry concerns the Linux kernel component drm/gma500/oaktrail_lvds. The LVDS init path first calls i2c_get_adapter() to read EDID and may then allocate/register its own adapter. The error handling previously treated these paths indistinguishably, so a late init failure could tr...