225451 matches found

EUVD | added 2 days ago | 3 views

EUVD-2026-39288

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems. For the output timer iptfstimer...

AI score: 5.8 | EPSS: 0.00173 | Exploits: 0 | References: 3
CVE | added 2 days ago | 7 views

CVE-2026-53197

The CVE-2026-53197 entry documents a Linux kernel ABBA deadlock in xfrm/iptfs due to iptfs_destroy_state() calling hrtimer_cancel() while holding locks that the timer callbacks also acquire. The fix implemented is to call hrtimer_cancel() before acquiring either the output timer lock (x->lock)...

AI score: 5.8 | EPSS: 0.00173 | Exploits: 0 | References: 3
EUVD | added 2 days ago | 5 views

EUVD-2026-39287

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The...

AI score: 6 | EPSS: 0.00203 | Exploits: 0 | References: 8
CVE | added 2 days ago | 5 views

CVE-2026-53196

CVE-2026-53196: In the Linux kernel USB serial driver for TI devices (io_ti), a heap overflow can occur in get_manuf_info() when reading descriptor data from the device I2C EEPROM. The descriptor size (rom_desc->Size) is read and copied into a buffer allocated as 10 bytes (struct edge_ti_manu...

AI score: 6 | EPSS: 0.00203 | Exploits: 0 | References: 8
EUVD | added 2 days ago | 3 views

EUVD-2026-39285

In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi_105_prepare_write_buffer() is called by the generic write path with the bulk-out buffer and its size bulk_out_size, 64 bytes. It stores a two-byte length header at the start of t...

AI score: 6 | EPSS: 0.00195 | Exploits: 0 | References: 8
EUVD | added 2 days ago | 3 views

EUVD-2026-39286

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() build_i2c_fw_hdr() allocates a fixed-size buffer of 16*1024 - 512 + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that...

AI score: 6 | EPSS: 0.00203 | Exploits: 0 | References: 8
EUVD | added 2 days ago | 3 views

EUVD-2026-39284

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When snd_timer object is freed via snd_timer_free() and still pending snd_timer_instance objects are assigned to the timer object, it tries to unlink all instances and just set NULL...

AI score: 5.7 | EPSS: 0.00179 | Exploits: 0 | References: 4
CVE | added 2 days ago | 6 views

CVE-2026-53193

An ALSA timer vulnerability in the Linux kernel: when snd_timer is freed with pending snd_timer_instance objects, slave instances may still point to the freed timer, risking a use-after-free. The fix forces snd_timer_close_locked for each pending timer instance and adds a SNDRV_TIMER_IFLG_DEAD c...

AI score: 5.7 | EPSS: 0.00179 | Exploits: 0 | References: 4
EUVD | added 2 days ago | 4 views

EUVD-2026-39283

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at snd_timer_user_params() At releasing a timer object, e.g. when a userspace timer (CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it tries to detach the timer instances and release the resources. However...

AI score: 5.8 | EPSS: 0.00184 | Exploits: 0 | References: 8
CVE | added 2 days ago | 10 views

CVE-2026-53191

The CVE affects the Linux kernel io_uring net path in bundle recv retries. The bug arises when merging cflags during io_recv_finish(): IORING_CQE_F_BUF_MORE was not included in CQE_F_MASK, so the buf-more flag could be dropped or mis-carried across iterations, causing userspace to advance the rin...

AI score: 6 | EPSS: 0.00175 | Exploits: 0 | References: 4
EUVD | added 2 days ago | 3 views

EUVD-2026-39280

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: update file PMD counter before folio_put() __split_huge_pmd_locked() updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folio_put() drops the last reference, mm_counter_file() can later read fre...

AI score: 5.7 | EPSS: 0.00184 | Exploits: 0 | References: 8
EUVD | added 2 days ago | 3 views

EUVD-2026-39278

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc The cpu_id attribute supplied by user space through UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu() without first verifying that the value is within the valid...

AI score: 5.7 | EPSS: 0.00173 | Exploits: 0 | References: 3
EUVD | added 2 days ago | 4 views

EUVD-2026-39279

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate the passed in fops for ib_get_ucaps() Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same devt it can masquerade as a ucap cdev fd...

AI score: 5.8 | EPSS: 0.00173 | Exploits: 0 | References: 3
EUVD | added 2 days ago | 4 views

EUVD-2026-39277

In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: bound SRP_RSP sense copy by the received length srp_process_rsp() copies sense data from rsp->data + resp_data_len, where resp_data_len is the full 32-bit value supplied by the SRP target and is never checked against the number o...

AI score: 6 | EPSS: 0.00184 | Exploits: 0 | References: 8
CVE | added 2 days ago | 7 views

CVE-2026-53186

The CVE-2026-53186 issue affects the Linux kernel RDMA/srp path. srp_process_rsp() copies sense data using resp_data_len (provided by the SRP target) without bounding against the actual received bytes (wc->byte_len). Although the copy length is limited to SCSI_SENSE_BUFFERSIZE (96 bytes), the ...

AI score: 6 | EPSS: 0.00184 | Exploits: 0 | References: 8
EUVD | added 2 days ago | 3 views

EUVD-2026-39275

In the Linux kernel, the following vulnerability has been resolved: udp: clear skb->dev before running a sockmap verdict On the UDP receive path skb->dev is repurposed as dev_scratch (the truesize/state cache set by udp_set_dev_scratch()), through the union { struct net_device *dev; unsigned long dev_scratch; } i...

AI score: 5.7 | EPSS: 0.0018 | Exploits: 0 | References: 6
EUVD | added 2 days ago | 4 views

EUVD-2026-39273

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211_parse_rnr_elems() stores the parsed element count in a u8-backed cfg80211_rnr_elems::cnt field and uses that count to size the flexible array allocation. Reject nested...

AI score: 5.7 | EPSS: 0.0018 | Exploits: 0 | References: 6
CVE | added 2 days ago | 6 views

CVE-2026-53182

The CVE-2026-53182 entry describes a Linux kernel wifi issue in nl80211: the parser for EMA RNR elements stores the parsed count in a u8 cfg80211_rnr_elems::cnt and uses that to size the flexible array. The fix rejects nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches 255, before inc...

AI score: 5.7 | EPSS: 0.0018 | Exploits: 0 | References: 6
EUVD | added 2 days ago | 4 views

EUVD-2026-39271

In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix livelock in tmigr_handle_remote_up() tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu == smp_processor_id(), assuming the local softirq path already handled this CPU's timers. This assumption is wrong because...

AI score: 5.8 | EPSS: 0.00175 | Exploits: 0 | References: 4
EUVD | added 2 days ago | 3 views

EUVD-2026-39272

In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: fix sk_ack_backlog leak on failed handshake When vmci_transport_recv_connecting_server() returns an error, vmci_transport_recv_listen() calls vsock_remove_pending() but never calls sk_acceptq_removed(). This leaves sk_ack_backlog incremente...

AI score: 5.8 | EPSS: 0.00184 | Exploits: 0 | References: 8