225376 matches found
CVE-2026-53306
CVE-2026-53306 : In the Linux kernel, a bounds-related off-by-one was fixed in the hvc_iucv path used by tty. The issue stems from MAX_HVC_IUCV_LINES == 8 and hvc_iucv_devices allowed values 0..8; when devices == 8, one code path could access hvc_iucv_table[8] due to mismatched checks (a) vs (b)....
EUVD-2026-39841
In the Linux kernel, the following vulnerability has been resolved: tty: hvciucv: fix off-by-one in number of supported devices MAXHVCIUCVLINES == HVCALLOCTTYADAPTERS == 8. This is the number of entries in: static struct hvciucvprivate hvciucvtableMAXHVCIUCVLINES; Sometimes hvciucvtable is limite...
CVE-2026-53305
The CVE-2026-53305 issue is in the Linux kernel driver for ps883x USB Type-C retimers. When unbinding a device to bind to vfio-platform (for example via the platform driver unbind path), an Oops occurs due to a NULL pointer dereference. The root cause is that the driver retrieves its per-client d...
CVE-2026-53304
Summary (CVE-2026-53304): In the Linux kernel, the SCSI generic driver (sg) could incur a soft lockup when opening /dev/sgX due to an overridable def_reserved_size parameter. The value can bypass sg_proc_write_dressz validation if set via the module parameter, triggering a watchdog soft lockup (o...
EUVD-2026-39839
In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Resolve soft lockup issue when opening /dev/sgX The parameter defreservedsize defines the default buffer size reserved for each Sgfd and should be restricted to a range between 0 and 1,048,576 see...
EUVD-2026-39838
In the Linux kernel, the following vulnerability has been resolved: f2fs: protect extensionlist reading with sblock in f2fssbishow In f2fssbishow, the extensionlist, extensioncount and hotextcount are read without holding sbi-sblock. If a concurrent sysfs store modifies the extension list via...
CVE-2026-53302
The CVE concerns the Linux kernel’s crypto/eip93 path. Specifically, eip93_hmac_setkey() creates a temporary ahash transform using a driver name (e.g., sha256-eip93) but passes CRYPTO_ALG_ASYNC as the mask, which excludes async algorithms. Since EIP93 hash algorithms are inherently async, the loo...
CVE-2026-53300
The CVE-2026-53300 issue in the Linux kernel net: enetc driver concerns a DMA use-after-free when handling NTMP commands. If netc_xmit_ntmp_cmd() times out and a command is not explicitly aborted, ntmp_free_data_mem() frees the DMA buffer, which may have been reallocated. This could allow silent ...
EUVD-2026-39836
In the Linux kernel, the following vulnerability has been resolved: reset: amlogic: t7: Fix null reset ops Fix missing reset ops causing kernel null pointer dereference. This SOC's reset is currently not used yet...
CVE-2026-53299
CVE-2026-53299 concerns the Linux kernel net/airoha driver. The issue arises when queue entry list allocation fails inside airoha_qdma_init_tx_queue; due to an early initialization of ndesc, airoha_qdma_cleanup_tx_queue() may dereference a NULL queue entry array. The fix moves ndesc initializatio...
EUVD-2026-39834
In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airohaqdmainittx If queue entry list allocation fails in airohaqdmainittxqueue routine, airohaqdmacleanuptxqueue will trigger a NULL pointer dereference accessing the queue entry...
CVE-2026-53298
CVE-2026-53298 (net: airoha) - Linux kernel : The issue arises in the airoha_qdma_init_rx_queue path where ndesc is initialized too early, causing a NULL pointer dereference in airoha_qdma_cleanup() if queue entry or DMA descriptor list allocation fails because netif_napi_add() was never executed...
EUVD-2026-39902
In the Linux kernel, the following vulnerability has been resolved: net: mana: Guard manaremove against double invocation If PM resume fails e.g., manaattach returns an error, manaprobe calls manaremove, which tears down the device and sets gd-gdmacontext = NULL and gd-driverdata = NULL. However,...
EUVD-2026-39833
In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airohaqdmainitrxqueue If queue entry or DMA descriptor list allocation fails in airohaqdmainitrxqueue routine, airohaqdmacleanup will trigger a NULL pointer dereference running...
CVE-2026-53296
The CVE-2026-53296 entry concerns the Linux kernel mailbox subsystem, specifically the mailbox-test path where channels are freed on probe error. The underlying issue is that channels obtained prior to a probe error must be freed to prevent resource leaks and avoidance of use-after-free (UAF) bec...
EUVD-2026-39901
In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: free channels on probe error On probe error, free the previously obtained channels. This not only prevents a leak, but also UAF scenarios because the client structure will be removed nonetheless because it...
EUVD-2026-39900
In the Linux kernel, the following vulnerability has been resolved: mailbox: add sanity check for channel array Fail gracefully if there is no channel array attached to the mailbox controller. Otherwise the later dereference will cause an OOPS which might not be seen because mailbox controllers...
CVE-2026-53294
The CVE-2026-53294 entry concerns the Linux kernel mailbox subsystem. The issue arises in mailbox-test where the RX channel can be aliased to the TX channel if they have different MMIO, creating a special case that can lead to a double-free when freeing channels. The public descriptions indicate ...
EUVD-2026-39899
In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: don't free the reused channel The RX channel can be aliased to the TX channel if it has a different MMIO. This special case needs to be handled when freeing the channels otherwise a double-free occurs...
EUVD-2026-39898
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix AMDGPUINFOREADMMRREG There were multiple issues in that code. First of all the order between the reset semaphore and the mmlock was wrong e.g. copytouser was called while holding the lock. Then we allocated memory...