CVE-2026-53093

A flaw was found in the Linux kernel's Broadcom FullMAC wireless driver brcmfmac. The brcmfchipaddcore function does not properly check for error pointers, leading to a dereference of a possible error pointer. This vulnerability could allow a local attacker to cause a system crash, resulting in a...

CVE-2026-53200

A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM for ARM64 architectures. This vulnerability arises from incorrect handling of the Execute Never XN bit, a memory protection feature, when the FEATXNX feature is not enabled. This error can lead to execute permissions being...

CVE-2026-53274

The CVE-2026-53274 issue affects the Linux kernel net/smc implementation. A logic flaw in __smc_setsockopt() performs copy_from_sockptr() while holding lock_sock(sk), enabling a local unprivileged user to block the socket lock and cause a DoS by tying up kernel work queues, especially with shutdo...

EUVD-2026-39199

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airohametadatadstfree runs metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...

CVE-2026-53226

In the Linux kernel, CVE-2026-53226 affects the rockchip GPIO IRQ domain. During probe, domain generic chips are allocated with irq_alloc_domain_generic_chips(), but on driver removal the generic chips aren’t automatically freed since IRQ_DOMAIN_FLAG_DESTROY_GC isn’t set. This causes leakage of t...

CVE-2026-53224

The CVE-2026-53224 entry pertains to the Linux kernel SCTP cookie parsing. The vulnerability arises because sctp_unpack_cookie() only validated that an embedded INIT chunk’s length did not exceed the remaining cookie payload, but did not ensure the INIT header fit, allowing a malformed COOKIE_ECH...

CVE-2026-53212

CVE-2026-53212 affects the Linux kernel’s netfilter nft_tunnel subsystem. The vulnerability arises in nft_tunnel_obj_destroy(), which calls metadata_dst_free() to free a metadata_dst directly with kfree(), bypassing the dst_entry reference counting. Packets that hold a dst reference via dst_hold(...

EUVD-2026-39299

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig net/bluetooth/l2capcore.c:l2capsigchannel accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU MTUsig...

CVE-2026-53205

CVE-2026-53205 concerns the Linux kernel’s accel/ivpu component. The issue arises from firmware log index handling in the firmware log buffer, where read/write indices could be out of bounds. The root cause is insufficient bounds validation, which could lead to invalid offsets. The published fix ...

CVE-2026-53184

The CVE describes a Linux kernel bug on the UDP receive path when a socket is in a sockmap. skb->dev is repurposed as dev_scratch and is not cleared before running the attached SK_SKB verdict program; if the verdict calls socket-lookup helpers (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), skb-&...

CVE-2026-53167

In the Linux kernel, CVE-2026-53167 concerns FUSE_NOTIFY_RETRIEVE: the operation must be limited to uptodate folios because !uptodate folios may contain uninitialized data. The fix ensures FUSE_NOTIFY_RETRIEVE only returns data already present in the page cache and does not wait for data from the...

CVE-2026-53159

The CVE-2026-53159 entry describes a Linux kernel vulnerability in the fastrpc path where fastrpc_get_args() uses find_vma() to locate the VMA for a user pointer and compute a DMA address offset. If the address lies in a gap before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows...

EUVD-2026-39238

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tbxdphandlerequest casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer...

CVE-2026-53134

The CVE concerns the Linux kernel netfilter nft_fib handling, where NFT_FIB_RESULT_OIFNAME’s destination register span could leak uninitialized kernel stack on lookup-fail paths due to incomplete writes. The fix replaces a bare dest = 0 with nft_fib_store_result(), padding the entire IFNAMSIZ, an...

EUVD-2026-38857

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmettcpbuildpduiovec errors to its callers Currently, when nvmettcpbuildpduiovec detects an out-of-bounds PDU length or offset, it triggers nvmettcpfatalerrorcmd-queue and returns early. However, because the...

EUVD-2026-38841

In the Linux kernel, the following vulnerability has been resolved: futex: Drop CLONETHREAD requirement for private default hash alloc Currently needfutexhashallocatedefault depends on strict pthread semantics, abusing CLONETHREAD. This breaks the non-concurrency assumptions when doing the...

UBUNTU-CVE-2026-53039

In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate group add input before caching BUG OCFS2IOCGROUPADD can trigger a BUGON in ocfs2setnewbufferuptodate: kernel BUG at fs/ocfs2/uptodate.c:509! Oops: invalid opcode: 0000 1 SMP KASAN NOPTI RIP:...

UBUNTU-CVE-2026-52964

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans The USB MIDI 2.0 endpoint parser has the same descriptor walking pattern as the legacy MIDI parser. It validates bLength against bNumGrpTrmBlock before reading...

UBUNTU-CVE-2026-52987

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid double drmexecfini in userq validate When newaddition is true, amdgpuuserqvmvalidate calls drmexecfini&exec before iterating over the collected HMM ranges and calling amdgputtmttgetuserpages. If...

UBUNTU-CVE-2026-52999

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkosf: fix out-of-bounds read on option matching In nfosfmatch, the nfosfhdrctx structure is initialized once and passed by reference to nfosfmatchone for each fingerprint checked. During TCP option parsing,...