EUVD-2026-39888

In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Bounds-check devid in rlookupamdiommu iommudeviceregister walks every device on the PCI bus via busforeachdev and calls amdiommuprobedevice for each. The inlined checkdevice path computes the device's sbdf, calls...

CVE-2026-53283

CVE-2026-53283 covers a bounds-check failure in the Linux kernel AMD IOMMU path. The issue arises in __rlookup_amd_iommu(): rlookup_table[devid] is indexed without an internal bounds check, and iommu_device_register() iterates all PCI devices, calling amd_iommu_probe_device() for each. If a devic...

EUVD-2026-39886

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid NULL pointer dereference or refcount corruption Commit 60f030f7418d "iommu/vt-d: Avoid use of NULL after WARNONONCE" fixed a NULL pointer dereference in an unlikely situation partly. If devpasid is not found in...

EUVD-2026-39885

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix NULL group-domain dereference in pcidevresetiommudone Local sashiko review pointed it out that group-domain could be NULL when a default domain fails to allocate during the first probe, which can crash at...

CVE-2026-52953

A flaw was found in the Linux kernel's input/output memory management unit IOMMU virtualized directed I/O VT-d subsystem. This vulnerability occurs due to an out-of-scope memory access when a QEMU process is terminated. An attacker could potentially trigger a general protection fault, leading to ...

CVE-2026-52952

A flaw was found in the Linux kernel's Input/Output Memory Management Unit IOMMU subsystem, which manages how devices access system memory. A race condition, a situation where multiple operations occur in an unpredictable order, exists during device recovery when multiple memory domains are being...

CVE-2026-53189

A flaw was found in the Linux kernel's memory management, specifically within the huge page mechanism. When a huge page is split, the system updates a counter after releasing a reference to the memory. This timing issue can lead to the system attempting to read from memory that has already been...

CVE-2026-53164

A flaw was found in the Linux kernel's input/output memory management unit IOMMU Direct Memory Access DMA subsystem, specifically within the software IOMMU bounce buffer SWIOTLB mechanism. This vulnerability occurs when the system attempts to map a zero-length memory region, which can be triggere...

CVE-2026-53207

A flaw was found in the Linux kernel's memory management, specifically concerning huge pages. When two concurrent memory poisoning operations madviseMADVHWPOISON occur on the same huge page while it is also being unmapped, a recursive spinlock self-deadlock can be triggered. This can lead to a...

CVE-2026-53045

A flaw was found in the Linux kernel's memory management for the tegra124-emc component. The code responsible for checking whether a specified memory timing enables the Delay-Locked Loop DLL in the EMRS register was reversed. This logic error could lead to incorrect memory timing configurations...

CVE-2026-53000

A flaw was found in the Linux kernel's netfilter component, specifically within the Network Address Translation NAT subsystem. This vulnerability involves improper memory management when releasing network filter operation structures. This could potentially allow an attacker to cause a system cras...

EUVD-2026-39198

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown mtkfreedev calls metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...

CVE-2026-53189

In the Linux kernel, the following vulnerability has been resolved: mm/hugememory: update file PMD counter before folioput splithugepmdlocked updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folioput drops the last reference, mmcounterfile can later read fre...

EUVD-2026-39248

In the Linux kernel, the following vulnerability has been resolved: net: phonet: free phonetdevice after RCU grace period phonetdevicedestroy removes a phonetdevice from the per-net device list with listdelrcu, but frees it immediately. RCU readers walking the same list can still hold a pointer t...

CVE-2026-53156

In the Linux kernel, the nvmem core had use-after-free bugs exposed in error paths where __nvmem_device_put() could free memory/resources and the code would continue to use the nvmem structure. The fix ensures the reference to the nvmem device is always released as the last step before returning ...

EUVD-2026-38820

In the Linux kernel, the following vulnerability has been resolved: iommu: Fix WARNON in iommugroupsetdomainnofail due to reset In iommugroupsetdomaininternal, concurrent domain attachments are rejected when any device in the group is recovering. This is necessary to fence concurrent attachments ...

EUVD-2026-38953

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded taskvma iterator The open-coded taskvma iterator reads task-mm locklessly and acquires mmapreadtrylock but never calls mmget. If the task exits concurrently, the mmstruct can be freed as it is...

CVE-2026-53067

In the Linux kernel PCI endpoint code, the issue was in pci_epf_alloc_doorbell(): it stored the allocated doorbell message array in epf->db_msg/epf->num_db before requesting MSI vectors. If MSI allocation failed, the array was freed but EPF state could still reference freed memory. The fix ...

CVE-2026-53057

Summary of CVE-2026-53057 : In the Linux kernel, the iommu/riscv path now performs required TLB and context cache invalidations after updating DDT or PDT entries. The fix introduces riscv_iommu_iodir_iotinval() to carry out the necessary IOTINVAL operations in accordance with the RISC-V IOMMU spe...

CVE-2026-52965

The CVE-2026-52965 entry pertains to the Linux kernel DRM/TTM path and fixes an infinite LRU walk during swapout. Specifically, when ttm_tt_swapout() fails, the code previously added the resource to bulk_move and then moved it to the LRU tail, which could place it ahead of the hitch and cause lis...