EUVD-2026-39324

In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdevnlbindrxdoit Sashiko flags that genlmsgreply always consumes the skb. The error path calls nlmsgfreersp so we can't jump directly to it. Let's not unbind, just propagate the error to the user. Thi...

CVE-2026-53233

In the Linux kernel, CVE-2026-53233 concerns a double-free in netdev_nl_bind_rx_doit(). The fix addresses a faulty interaction with genlmsg_reply(), where genlmsg_reply() is expected to consume the skb. The error path previously invoked nlmsg_free(rsp), which was incompatible with unbinding flow;...

EUVD-2026-39323

In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy probing fails Sashiko reported that we don't call sfpbusdelupstream in the probe failure path, so let's add it, otherwise the sfp-bus is left with a dangling 'upstream' field, that may be...

CVE-2026-53232

In the Linux kernel, this CVE covers a fix in net: phy: clean the sfp upstream if phy probing fails. Sashiko noted that sfp_bus_del_upstream() was not invoked on probe failure, leaving the sfp-bus with a dangling upstream field that could be used later during SFP events. The issue predates the ge...

EUVD-2026-39322

In the Linux kernel, the following vulnerability has been resolved: net: phy: don't try to setup PHY-driven SFP cages when using genphy We don't have support for PHY-driver SFP cages with the genphy code. On top of that, it was found by sashiko that running sfpbusaddupstream for genphy deadlocks,...

CVE-2026-53231

The CVE describes a Linux kernel vulnerability in the net: phy subsystem where PHY-driven SFP cages were being initialized for genphy, which is not supported, leading to a potential RTNL deadlock. Root cause: genphy PHY probing runs under RTNL, unlike non-genphy drivers, allowing sfp_bus probing ...

EUVD-2026-39321

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix slab-out-of-bounds in mlx5querynicvportmaclist mlx5querynicvportmaclist sizes its firmware command buffer using the PF's logmaxcurrentuc/mclist capabilities. When querying a VF vport with a larger configured max via...

CVE-2026-53230

The CVE-2026-53230 entry concerns the Linux kernel mlx5 driver (net/mlx5) where mlx5_query_nic_vport_mac_list() incorrectly sizes the firmware command buffer using the PF caps, risking a slab-out-of-bounds read when querying a VF vport with a larger max configured via devlink. The issue manifests...

EUVD-2026-39320

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdpframe leak on XDPTX xmit failure In the XSK branch of mlx5exmitxdpbuff, when sq-xmitxdpframe returns false e.g. XDPSQ is full, the function returns without unmapping the DMA address or freeing the...

EUVD-2026-39318

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible kfreeskb of ERRPTR After the patch in the "Fixes" tag, the allocation of the "reply" skb can happen either before or after locking the ovsmutex. However, error cleanups still follow the classical...

EUVD-2026-39316

In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in sctprcvasconflookup sctprcvasconflookup in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af-fromaddrparam, which reads the full address 1...

CVE-2026-53223

CVE-2026-53223 (Linux kernel) resolves an issue in the net layer where skb_is_err_queue() treated PACKET_OUTGOING as the sole marker for error-queue skbs. This misclassification does not hold for AF_PACKET sockets, where outgoing taps can also be delivered to packet sockets with skb->pkt_type ...

EUVD-2026-39314

In the Linux kernel, the following vulnerability has been resolved: net: guard timestamp cmsgs to real error queue skbs skbiserrqueue treats PACKETOUTGOING as the sole marker for an skb from skerrorqueue. That assumption is not true for AFPACKET sockets: outgoing packet taps are also delivered to...

CVE-2026-53221

The CVE-2026-53221 issue affects the Linux kernel’s IPsec/tunnel implementation, specifically ip6_vti in vti6_tnl_lookup. The vulnerability arises when an exact tunnel match fails and a fallback search for wildcard tunnels is performed; tunnels of different types are stored together in a single h...

EUVD-2026-39312

In the Linux kernel, the following vulnerability has been resolved: ip6vti: fix incorrect tunnel matching in vti6tnllookup In vti6tnllookup, when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remot...

EUVD-2026-39313

In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix resource freeing order Commit a60fc3294a37 "ptp: rework ptpclockunregister to disable events" added a call to ptpdisableallevents which changes the configuration of pins if they support EXTTS events. In ptpocpdetach...

CVE-2026-53220

In the Linux kernel, CVE-2026-53220 affects netfilter bridge handling. The function ebt_redirect_tg() dereferences br_port_get_rcu() without a NULL check, leading to a kernel panic if the bridge port was removed between the original hook and an NFQUEUE reinject. The work-around uses the _upper AP...

EUVD-2026-39310

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid leaking percpu counter pointers The native and compat get-entries paths copy the fixed rule entry header from the kernelized rule blob to userspace before overwriting the entry's counter fields with a...

CVE-2026-53219

CVE-2026-53219 affects the Linux kernel netfilter x_tables; the native and compat get-entries paths could leak a percpu counter pointer from the rule blob to userspace when the fixed-header is copied before counters are sanitized. On SMP systems, entry->counters.pcnt held the percpu allocation...

CVE-2026-53218

The vulnerability CVE-2026-53218 affects the Linux kernel netfilter nft_exthdr code. The root cause is in register tracking when the NFT_EXTHDR_F_PRESENT flag is used: nft_exthdr_init() passes user-controlled priv->len to nft_parse_register_store(), which marks that many bytes in the register ...