CVE-2026-46330 Revert "net/smc: Introduce TCP ULP support"

In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an acti...

EUVD-2026-35430

In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed out, similar to loopback devices and that is what we expect...

CVE-2026-46328

The CVE-2026-46328 entry describes a Linux kernel/AppArmor issue where Posix CPU timers required an additional step beyond setting the rlimit. The fix refactors the code to make explicit when code is setting the limit and conditionally updates posix cpu timers only when appropriate, addressing th...

CVE-2026-46328 apparmor: fix rlimit for posix cpu timers

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers wh...

EUVD-2026-35429

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers wh...

EUVD-2026-35428

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

CVE-2026-46327 dm: fix unlocked test for dm_suspended_md

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

CVE-2026-46327

The CVE-2026-46327 entry concerns the Linux kernel. The vulnerable behavior involved dm_blk_report_zones calling dm_suspended_md without holding locks, allowing a race where the device could be suspended immediately after the suspended state test. The fix relocates the dm_suspended_md call to aft...

CVE-2026-46326 iio: pressure: mprls0025pa: fix spi_transfer struct initialisation

In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spitransfer struct initialisation Make sure that the spitransfer struct is zeroed out before use...

EUVD-2026-35427

In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spitransfer struct initialisation Make sure that the spitransfer struct is zeroed out before use...

EUVD-2026-35426

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGESIZE The current implementation incorrectly handles memory regions MRs with page sizes different from the system PAGESIZE. The core issue is that rxesetpage is called...

CVE-2026-46325

The CVE CVE-2026-46325 affects Linux kernel RDMA/rxe where iova-to-va conversion is incorrect when MR page size differs from system PAGE_SIZE. Root cause: rxe_set_page() advances with mr->page_size steps but the page_list stores PAGE_SIZE pages, causing wrong VA calculation for two cases: MR p...

EUVD-2026-35414

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: use listdelrcu for netlink hooks nftnetdevunregisterhooks and nftunregisterflowtablenethooks need to use listdelrcu, this list can be walked by concurrent dumpers. Add a new helper and use it consistently...

CVE-2026-46323 net: gro: don't merge zcopy skbs

In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skbgroreceive can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFLMANAGEDFRAGREFS flag. When SKBFLMANAGEDFRAGREFS is set, the...

EUVD-2026-35413

In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skbgroreceive can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFLMANAGEDFRAGREFS flag. When SKBFLMANAGEDFRAGREFS is set, the...

CVE-2026-46322

The CVE pertains to the Linux kernel tun driver (tun_xdp_one) where a page allocated for a frame by vhost_net_build_xdp() is not freed when build_skb() fails, causing a memory leak. Specifically, if build_skb() fails, ret is set to -ENOMEM and the code jumps to the error path without freeing the ...

CVE-2026-46322 tun: free page on build_skb failure in tun_xdp_one()

In the Linux kernel, the following vulnerability has been resolved: tun: free page on buildskb failure in tunxdpone When buildskb fails in tunxdpone, the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhostnetbuildxdp allocated for the frame. ...

EUVD-2026-35411

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tunxdpone tunxdpone returns -EINVAL on a frame shorter than ETHHLEN without freeing the page that vhostnetbuildxdp allocated for it. tunsendmsg discards that -EINVAL and still returns...

CVE-2026-46321

The CVE-2026-46321 entry concerns the Linux kernel tun_xdp_one() path. A frame shorter than ETH_HLEN may return -EINVAL without freeing the page allocated by vhost_net_build_xdp(), causing a leak when vhost_tx_batch() follows the success path. This happens in scenarios where a local process opens...

CVE-2026-46321 tun: free page on short-frame rejection in tun_xdp_one()

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tunxdpone tunxdpone returns -EINVAL on a frame shorter than ETHHLEN without freeing the page that vhostnetbuildxdp allocated for it. tunsendmsg discards that -EINVAL and still returns...