15971 matches found
UBUNTU-CVE-2026-43016
In the Linux kernel, the following vulnerability has been resolved: bpf: sockmap: Fix use-after-free of sk-sksocket in skpsockverdictdataready. syzbot reported use-after-free of AFUNIX socket's sk-sksocket in skpsockverdictdataready. 0 In unixstreamsendmsg, the peer socket's -skdataready is calle...
UBUNTU-CVE-2026-43029
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix soft lockup in mptcprecvmsg syzbot reported a soft lockup in mptcprecvmsg 0. When receiving data with MSGPEEK | MSGWAITALL flags, the skb is not removed from the skreceivequeue. This causes skwaitdata to always find...
UBUNTU-CVE-2026-31775
In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Don't enumerate SPDIF1 at DAIO initialization The recent refactoring of xfi driver changed the assignment of atc-daios at atcgetresources; now it loops over all enum DAIOTYP entries while it looped formerly only a pa...
UBUNTU-CVE-2026-43031
In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors scatter-gather, axienetfreetxchain sums the per-BD actual length from descriptor status into a caller-provided...
UBUNTU-CVE-2026-31774
In the Linux kernel, the following vulnerability has been resolved: iouring/net: fix slab-out-of-bounds read in iobundlenbufs sqe-len is u32 but gets stored into sr-len which is int. When userspace passes sqe-len values exceeding INTMAX e.g. 0xFFFFFFFF, sr-len overflows to a negative value. This...
UBUNTU-CVE-2026-31733
In the Linux kernel, the following vulnerability has been resolved: schedext: Fix stale direct dispatch state in ddspdsqid @p-scx.ddspdsqid can be left set non-SCXDSQINVALID triggering a spurious warning in markdirectdispatch when the next wakeup's ops.selectcpu calls scxbpfdsqinsert, such as:...
UBUNTU-CVE-2026-31722
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: frndis: Fix netdevice lifecycle with devicemove The netdevice is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds,...
UBUNTU-CVE-2026-43039
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch emacdispatchskbzc allocates a new skb via napiallocskb but never copies the packet data from the XDP buffer into it. The skb is passed up the stack...
UBUNTU-CVE-2026-43004
In the Linux kernel, the following vulnerability has been resolved: spi: stm32-ospi: Fix resource leak in remove callback The remove callback returned early if pmruntimeresumeandget failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes...
CVE-2026-31787
A flaw was found in the Linux kernel's xen/privcmd module. A local user could exploit this by performing a partial unmapping of a privcmd memory region. This action causes a Virtual Memory Area VMA to split, leading to duplicated internal memory pointers. As a result, the same memory can be freed...
CVE-2026-31708
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB read in smb2ioctlqueryinfo QUERYINFO path smb2ioctlqueryinfo has two response-copy branches: PASSTHRUFSCTL and the default QUERYINFO path. The QUERYINFO branch clamps qi.inputbufferlength to the server-report...
CVE-2026-31709
In the Linux kernel, the following vulnerability has been resolved: smb: client: validate the whole DACL before rewriting it in cifsacl buildsecdesc and idmodetocifsacl derive a DACL pointer from a server-supplied dacloffset and then use the incoming ACL to rebuild the chmod/chown security...
CVE-2026-31699
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e...
CVE-2026-31719
In the Linux kernel, the following vulnerability has been resolved: crypto: krb5enc - fix async decrypt skipping hash verification krb5encdispatchdecrypt sets req-base.complete as the skcipher callback, which is the caller's own completion handler. When the skcipher completes asynchronously, this...
CVE-2026-31717
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate owner of durable handle on reconnect Currently, ksmbd does not verify if the user attempting to reconnect to a durable handle is the same user who originally opened the file. This allows any authenticated user to...
CVE-2026-31718
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbdclosefd via durable scavenger When a durable file handle survives session disconnect TCP close without SMB2LOGOFF, sessionfdcheck sets fp-conn = NULL to preserve the handle for later reconnection...
UBUNTU-CVE-2026-31703
In the Linux kernel, the following vulnerability has been resolved: writeback: Fix use after free in inodeswitchwbsworkfn inodeswitchwbsworkfn has a loop like: wbgetnewwb; while 1 list = llistdelall&newwb-switchwbsctxs; / Nothing to do? / if !list break; ... process the items ... Now adding of...
UBUNTU-CVE-2026-31713
In the Linux kernel, the following vulnerability has been resolved: fuse: abort on fatal signal during sync init When sync init is used and the server exits for some reason error, crash while processing FUSEINIT, the filesystem creation will hang. The reason is that while all other threads will...
UBUNTU-CVE-2026-31699
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed When retrieving the PEK CSR, don't attempt to copy the blob to userspace if the firmware command failed. If the failure was due to an invalid length, i.e...
UBUNTU-CVE-2026-31701
In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: take a reference on the USB device in createcard The caiaq driver stores a pointer to the parent USB device in cdev-chip.dev but never takes a reference on it. The card's privatefree callback, sndusbcaiaqcardfree, ca...