CVE-2026-46320

In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tapgetuserxdp tapgetuserxdp rejects a frame shorter than ETHHLEN with -EINVAL, and returns -ENOMEM when buildskb fails. Both paths jump to the err label without freeing the page that...

CVE-2026-46324

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: use listdelrcu for netlink hooks nftnetdevunregisterhooks and nftunregisterflowtablenethooks need to use listdelrcu, this list can be walked by concurrent dumpers. Add a new helper and use it consistently...

CVE-2026-46319

In the Linux kernel, the following vulnerability has been resolved: net/sched: actct: Only release RCU read lock after ctft When looking up a flow table in actct in tcfctflowtableget, rhashtablelookupfast internally opens and closes an RCU read critical section before returning ctft. The...

CVE-2026-46318

In the Linux kernel, the following vulnerability has been resolved: Revert "mm/hugetlbfs: update hugetlbfs to use mmapprepare" This reverts commit ea52cb24cd3f "mm/hugetlbfs: update hugetlbfs to use mmapprepare" with conflict resolution to account for changes in commit ea52cb24cd3f "mm/hugetlbfs:...

CVE-2026-46323

In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skbgroreceive can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFLMANAGEDFRAGREFS flag. When SKBFLMANAGEDFRAGREFS is set, the...

CVE-2026-46316

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgicitsinvalidatecache walks the per-ITS translation cache with xaforeach and drops the cache's reference on each entry with vgicputirq. It puts...

CVE-2026-52907

The CVE-2026-52907 entry concerns the Linux kernel media/rockchip/rkcif component with an off-by-one issue. The fix changes comparison logic from > to >= to prevent accessing one element beyond array bounds and, concurrently, replaces enum-based bounds checks with ARRAY_SIZE. This addresses...

CVE-2026-52907 media: rockchip: rkcif: fix off by one bugs

In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: fix off by one bugs Change these comparisons from vs = to avoid accessing one element beyond the end of the arrays. While at it, use ARRAYSIZE instead of the MAX enum values. fix cosmetic issues...

EUVD-2026-35416

In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: fix off by one bugs Change these comparisons from vs = to avoid accessing one element beyond the end of the arrays. While at it, use ARRAYSIZE instead of the MAX enum values. fix cosmetic issues...

CVE-2026-52906 9p: fix access mode flags being ORed instead of replaced

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb "9p: convert to the new mount API", v9fsapplyoptions applies parsed mount flags with |= onto flags already set by v9fssessioninit. For 9P2000.L,...

CVE-2026-52906

CVE-2026-52906 concerns the Linux kernel’s 9p (9p2000.L) file system implementation. The vulnerability arises because v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(), and the session defaults include V9FS_ACCESS_CLIENT. As a result, mounting w...

EUVD-2026-35415

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb "9p: convert to the new mount API", v9fsapplyoptions applies parsed mount flags with |= onto flags already set by v9fssessioninit. For 9P2000.L,...

EUVD-2026-35434

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two minregionsz on damonstart Commit d8f867fa0825 "mm/damon: add damonctx-minszregion" introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b "mm/damon/core:...

CVE-2026-52905 mm/damon/core: disallow non-power of two min_region_sz on damon_start()

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two minregionsz on damonstart Commit d8f867fa0825 "mm/damon: add damonctx-minszregion" introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b "mm/damon/core:...

CVE-2026-52905

The provided CVE-2026-52905 details a Linux kernel DAMON subsystem issue in mm/damon/core where a bug from damon_ctx->min_sz_region allowed damon_start() to emit non-power-of-two min_region_sz, despite an earlier fix for damon_commit_ctx(). The connected documents state that the path is now pr...

CVE-2026-52904 drm/nouveau: fix nvkm_device leak on aperture removal failure

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix nvkmdevice leak on aperture removal failure When apertureremoveconflictingpcidevices fails during probe, the error path returns directly without unwinding the nvkmdevice that was just allocated by nvkmdevicepcine...

CVE-2026-46332

The CVE-2026-46332 entry concerns the Linux kernel component for greybus gb-beagleplay. The vulnerability arises in cc1352_bootloader_rx(), which appends serdev chunks into a fixed rx_buffer and may retain leftover bytes across callbacks, allowing multiple packets to be processed in a single call...

EUVD-2026-35432

In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: bound bootloader receive buffering cc1352bootloaderrx appends each serdev chunk into the fixed rxbuffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may recei...

CVE-2026-46330

The CVE describes a Linux kernel design flaw in the net/smc TCP ULP support that was reverted and resolved. The issue arose from attempting to convert an active TCP socket into an SMC socket by in-place modifications to the underlying file structures (struct file, dentry, inode), which violates V...

EUVD-2026-35431

In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an acti...