EUVD-2026-39198

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown mtkfreedev calls metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...

EUVD-2026-39196

In the Linux kernel, the following vulnerability has been resolved: net/802/mrp: fix vector attribute parsing in mrppduparsevecattr In mrppduparsevecattr, vector attribute events are encoded three per byte and valen tracks the number of events left to process. The parser decrements valen after...

CVE-2026-53245

CVE-2026-53245 affects the Linux kernel net/802/mrp component, specifically the MRPs vector attribute parsing in mrp_pdu_parse_vecattr. The bug decodes vector attributes three events per byte and tracks remaining events with valen. It decrements valen after the first two events but not after the ...

CVE-2026-53246

CVE-2026-53246 affects the Linux kernel SCTP implementation. When a listening SCTP server processes a COOKIE_ECHO chunk, a cached peer INIT chunk embedded after the cookie could have its header length inflated beyond the remaining COOKIE_ECHO data. This allowed the parameter walk performed by sct...

EUVD-2026-39195

In the Linux kernel, the following vulnerability has been resolved: VFS: fix possible failure to unlock in nfsd4createfile atomiccreate in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentrycreate so that it will drop the reference if an...

CVE-2026-53244

The CVE-2026-53244 issue concerns the Linux kernel VFS path handling in nfds4_create_file(). A race/ordering problem occurred when a filesystem uses ->atomic_create: if atomic_create() returns an error, end_creating() could unlock the parent with a bad/dentry reference because the dentry handl...

EUVD-2026-39194

In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an uninitialized stack variable in rseqexituserupdate There is an bug in which an uninitialized stack variable is used in rseqexituserupdate as reported by syzbot: BUG: KMSAN: kernel-infoleak in rseqsetidsgetcsadd...

CVE-2026-53243

The CVE-2026-53243 entry describes a Linux kernel issue in rseq_exit_user_update() where an uninitialized stack variable is used during initialization of ids in the rseq_ids struct. The bug arises because the inline initialization of struct rseq_ids ids can evaluate cpu_to_node(ids.cpu_id) before...

CVE-2026-53242

Summary of CVE-2026-53242 (Linux kernel) : The ALSA PCM code path in snd_pcm_drain() had a wait-queue handling flaw that could corrupt wait queue lists during linked-stream drain operations. Specifically, using init_waitqueue_entry without clearing prev/next, coupled with conditional add_wait_que...

EUVD-2026-39192

In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: dummy: fix UMP event stack overread The dummy sequencer port forwards events by copying an incoming struct sndseqevent into a stack temporary, rewriting source and destination, and dispatching the temporary to...

CVE-2026-53241

CVE-2026-53241 concerns the Linux kernel ALSA: seq (dummy) port handling of UMP events. The issue arises when a UMP event is copied into a stack temporary and then dispatched; the temporary storage is legacy-sized, while the UMP packet is larger, leading to a read past the end of the temporary. T...

EUVD-2026-39191

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on firstskb in inputprocesspayload inputprocesspayload stores firstskb into xtfs-ranewskb under droplock when starting partial reassembly, then unlocks and breaks out of the processing loop. The...

EUVD-2026-39330

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrmpolicybyselctx Fix the race by pruning the bin while still holding xfrmpolicylock, before dropping it. Use xfrmpolicyinexactprunebin directly since the lock is already held...

CVE-2026-53239

The CVE-2026-53239 entry documents a Linux kernel race in the xfrm policy subsystem leading to a use-after-free of an inexact bin in xfrm_policy_bysel_ctx(). The issue arises when CPU0 handles XFRM_MSG_DELPOLICY and CPU1 handles XFRM_MSG_NEWSPDINFO, with a window where a freed bin is referenced a...

CVE-2026-53238

CVE-2026-53238 affects the Linux kernel netlabel handling of unlabeled address and mask attributes. The bug occurs in netlbl_unlabel_addrinfo_get(), which used the address attribute length to decide if data could be read as IPv4 or IPv6, but did not independently validate the corresponding mask a...

EUVD-2026-39328

In the Linux kernel, the following vulnerability has been resolved: gpio: mvebu: fix NULL pointer dereference in suspend/resume mvebupwmsuspend and mvebupwmresume are called for all GPIO banks during suspend/resume, but not all banks have PWM functionality. GPIO banks without PWM have mvchip-mvpw...

EUVD-2026-39326

In the Linux kernel, the following vulnerability has been resolved: net: add pskbmaypull to skbgroreceivelist skbgroreceivelist calls skbpullskb, skbgrooffsetskb without first ensuring the data is in the linear area via pskbmaypull. When the skb arrives via napigrofrags, skbheadlen can be 0 all...

CVE-2026-53235

The CVE-2026-53235 issue affects the Linux kernel: skb_gro_receive_list() called skb_pull() without ensuring the data is in the linear area via pskb_may_pull(), which can occur when packets arrive via napi_gro_frags() and data is in page fragments with a non-zero skb_gro_offset. This can lead to ...

EUVD-2026-39325

In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during device removal The driver was using devmregisternetdev which causes unregisternetdev to be deferred until the devres cleanup phase, which runs after emacremove returns. This creates a...

CVE-2026-53234

The CVE-2026-53234 entry describes a Linux kernel net/ibm emac use-after-free caused by using devm_register_netdev(), which defers unregister_netdev() to the devres cleanup phase after emac_remove() returns, creating a window where handlers may access freed resources (dev->emacp, dev->mal)....