224093 matches found
CVE-2026-46070
In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5crecoveryanalyzemetablock and r5lrecoveryverifydatachecksumformb iterate over payloads in a journal metadata block using on-disk payload size fields without...
EUVD-2026-32452
In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5crecoveryanalyzemetablock and r5lrecoveryverifydatachecksumformb iterate over payloads in a journal metadata block using on-disk payload size fields without...
CVE-2026-46070 md/raid5: validate payload size before accessing journal metadata
In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5crecoveryanalyzemetablock and r5lrecoveryverifydatachecksumformb iterate over payloads in a journal metadata block using on-disk payload size fields without...
CVE-2026-46069
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiexadaptercleanup The mwifiexadaptercleanup function uses timerdelete non-synchronous for the wakeuptimer before the adapter structure is freed. This is incorrect because timerdelete does...
CVE-2026-46069 wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiexadaptercleanup The mwifiexadaptercleanup function uses timerdelete non-synchronous for the wakeuptimer before the adapter structure is freed. This is incorrect because timerdelete does...
EUVD-2026-32451
In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiexadaptercleanup The mwifiexadaptercleanup function uses timerdelete non-synchronous for the wakeuptimer before the adapter structure is freed. This is incorrect because timerdelete does...
CVE-2026-46069
The CVE-2026-46069 entry describes a use-after-free in the Linux kernel WiFi mwifiex driver. In mwifiex_adapter_cleanup(), timer_delete() is used for the wakeup_timer before the adapter is freed, which does not wait for a running wakeup_timer_fn. If that callback is executing, it may access freed...
CVE-2026-46068
In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix bounce buffer leaks in nx842cryptoalloc,freectx The bounce buffers are allocated with getfreepages using BOUNCEBUFFERORDER order 2 = 4 pages, but both the allocation error path and nx842cryptofreectx release the...
EUVD-2026-32450
In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix bounce buffer leaks in nx842cryptoalloc,freectx The bounce buffers are allocated with getfreepages using BOUNCEBUFFERORDER order 2 = 4 pages, but both the allocation error path and nx842cryptofreectx release the...
CVE-2026-46068
The CVE-2026-46068 entry documents a Linux kernel crypto issue in the nx subsystem (nx842_crypto_alloc_ctx/nx842_crypto_free_ctx). Root cause: bounce buffers allocated with __get_free_pages() using BOUNCE_BUFFER_ORDER (order 2, 4 pages) were freed with free_page() instead of matching free_pages()...
CVE-2026-46067
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damosquotagoal-nid for nodememcgused,freebp Users can set damosquotagoal-nid with arbitrary value for nodememcgused,freebp. But DAMON core is using those for NODE-DATA without a validation of the value. Th...
EUVD-2026-32449
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damosquotagoal-nid for nodememcgused,freebp Users can set damosquotagoal-nid with arbitrary value for nodememcgused,freebp. But DAMON core is using those for NODE-DATA without a validation of the value. Th...
CVE-2026-46067 mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damosquotagoal-nid for nodememcgused,freebp Users can set damosquotagoal-nid with arbitrary value for nodememcgused,freebp. But DAMON core is using those for NODE-DATA without a validation of the value. Th...
CVE-2026-46066
In the Linux kernel, the following vulnerability has been resolved: ceph: fix numops off-by-one when crypto allocation fails movedirtyfolioinpagearray may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext...
CVE-2026-46066 ceph: fix num_ops off-by-one when crypto allocation fails
In the Linux kernel, the following vulnerability has been resolved: ceph: fix numops off-by-one when crypto allocation fails movedirtyfolioinpagearray may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext...
CVE-2026-46065
CVE-2026-46065 affects the Linux kernel framebuffer (fbdev) defio mechanism. The issue arises from disconnecting deferred I/O from the lifetime of struct fb_info, by holding state in struct fb_deferred_io_state and freeing the instance only after the final mapping closes. If fb_info/defio are fre...
CVE-2026-46065 fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fbinfo Hold state of deferred I/O in struct fbdeferrediostate. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping...
CVE-2026-46065
In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fbinfo Hold state of deferred I/O in struct fbdeferrediostate. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping...
CVE-2026-46064
In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasmsendi2omessage The ibmasmsendi2omessage function uses getdotcommandsize to compute the byte count for memcpytoio, but this value is derived from user-controlled fields in the dotcommandheader...
SUSE CVE-2026-45838
In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroupstoragegetnextkey listnextentry never returns NULL -- when the current element is the last entry it wraps to the list head via containerof. The subsequent NULL check is therefore dead code...