CVE-2026-53180
The CVE concerns the Linux kernel timers/migration code. The root cause is that tmigr_handle_remote_cpu() skipped timer_expire_remote() when cpu == smp_processor_id(), assuming the local softirq path already handled this CPU’s timers. Because jiffies can advance after handling the local/global ti...
CVE-2026-53178
The CVE-2026-53178 entry describes a Linux kernel issue in the staging/rtl8723bs driver (rtw_mlme) where ie_length could underflow when fixed IE offsets were subtracted. The fix adds guards to ensure ie_length is large enough before subtraction, preventing unsigned integer underflow. Affected are...
EUVD-2026-39269
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction. Add guards to ensure ie_length is large enough before subtracting fixed IE offsets to prevent unsigned integer underflow...
CVE-2026-53179
In the Linux kernel (staging rtl8723bs), a buffer over-read was fixed in rtw_update_protection: a pointer offset into the ies buffer was used with the full ie_length, allowing over-read. The vulnerability affected the kernel's handling of 802.11 IEs in that path; the patch corrects the length usa...
EUVD-2026-39270
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix buffer over-read in rtw_update_protection. rtw_update_protection is called with a pointer offset into the ies buffer but the full ie_length is passed, causing a potential buffer over-read...
EUVD-2026-39268
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer dereference. PCIe errors detected by a Root Port or Downstream Port cause error recovery services to run on all subordinate devices regardless of administrative state. The .error_detected callback,...
EUVD-2026-39266
In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush. On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inet_frag_queue_flush(). That helper frees all...
CVE-2026-53175
The CVE-2026-53175 entry documents a Linux kernel use-after-free in fragment reassembly during netns teardown. Specifically, fqdir_pre_exit() flushes fragment queues but may leave freed skbs referenced via fragments_tail and last_run_head, enabling a later dereference when a stalled fragment resu...
CVE-2026-53176
CVE-2026-53176 affects the Linux kernel ISERT driver (drivers/infiniband/ulp/isert/ib_isert.c). The vulnerability arises in isert_login_recv_done() where the login request payload length is computed as wc->byte_len minus ISER_HEADERS_LEN without a lower bound. A remote iSER initiator can send ...
EUVD-2026-39265
In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get(). ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot...
CVE-2026-53174
The CVE affects the Linux kernel’s overlay filesystem (ovl). A logic error in ovl_iterate_merged() caused PTR_ERR(cache) to be stored in err before IS_ERR(cache) was checked, so on success err could hold a bogus non‑zero value. The issue was resolved by ensuring PTR_ERR(cache) is computed only on...
EUVD-2026-39264
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate(). The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered (bit 14 set), but does not re-check the loop bou...
EUVD-2026-39263
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-bounds in command stream parser. NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving a maximum value of 127. However region_size and output_region in struct...
CVE-2026-53173
CVE-2026-53173 describes a Linux kernel vulnerability in accel/ethosu where an OOB write can occur in ethosu_gem_cmdstream_copy_and_validate(). The root cause is a loop that increments the index a second time when a 64-bit command word is encountered (bit 14 set) but does not re-check the bound b...
CVE-2026-53171
The CVE-2026-53171 entry concerns the Linux kernel’s accel/ethosu component. The issue arises in dma_length(), which derives DMA region usage from the command stream and updates region_size[]. The calculation len = ((len + stride[0]) * size0 + stride[1]) * size1 can suffer from signed underflow, ...
EUVD-2026-39260
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPU_OP_RESIZE commands from userspace. NPU_OP_RESIZE is a U85-only command that the driver does not yet implement. The existing WARN_ON(1) placeholder fires unconditionally whenever userspace submits this command via...
EUVD-2026-39261
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length. cmd_state_init() initializes the command state with memset(0xff), leaving dma->len at U64_MAX to signal missing setup. The only setter is NPU_SET_DMA0_LEN; if userspace omits this...
CVE-2026-53170
CVE-2026-53170 affects the Linux kernel (accel/ethosu): DMA commands could run with an uninitialized length. The issue stems from cmd_state_init() initializing dma->len to U64_MAX and the only setter being NPU_SET_DMA0_LEN; if userspace omits this, dma_start lea...
EUVD-2026-39259
In the Linux kernel, the following vulnerability has been resolved: fuse: reject fuse_notify pagecache ops on directories. The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the FUSE daemon to actively write/read pagecache contents. For directories with FOPEN_CACHE_DIR, the pagecache is used...
EUVD-2026-39258
In the Linux kernel, the following vulnerability has been resolved: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios. FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already in...