46235 matches found
CVE-2026-64081
In the Linux kernel, the following vulnerability has been resolved: firmware: armffa: Validate framework notification message layout Framework notifications carry an indirect message in the shared RX buffer. Validate the reported offset and size before using them, reject zero-length payloads, and...
CVE-2026-63909
In the Linux kernel, the following vulnerability has been resolved: ksmbd: OOB read regression in smbcheckpermdacl ACE-walk loops Commit d07b26f39246 "ksmbd: require minimum ACE size in smbcheckpermdacl" introduced a transposed bounds check: if offsetofstruct smbace, sid + acessize size offset 2...
CVE-2026-64097 drm/amd/display: Validate GPIO pin LUT table size before iterating
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate GPIO pin LUT table size before iterating Why&How The GPIO pin table parsers in getgpioi2cinfo and biosparsergetgpiopininfo derive an element count from the VBIOS tableheader.structuresize field, then...
CVE-2026-64097
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate GPIO pin LUT table size before iterating Why&How The GPIO pin table parsers in getgpioi2cinfo and biosparsergetgpiopininfo derive an element count from the VBIOS tableheader.structuresize field, then...
CVE-2026-63949 auxdisplay: line-display: fix OOB read on zero-length message_store()
In the Linux kernel, the following vulnerability has been resolved: auxdisplay: line-display: fix OOB read on zero-length messagestore linedispdisplay unconditionally reads msgcount - 1 before checking whether count is zero, so a write of zero bytes to the message sysfs attribute hits msg-1:...
CVE-2026-63947 Bluetooth: HIDP: fix missing length checks in hidp_input_report()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: fix missing length checks in hidpinputreport hidpinputreport reads keyboard and mouse payload data from an skb without first verifying that skb-len contains enough data. hidprecvintrframe pulls the 1-byte HIDP...
EUVD-2026-45688
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: fix out-of-bounds read in HCP header parsing Both nfchcirecvfromllc and ncihcidatareceivedcb read packet-header from skb-data at function entry without first checking that the buffer holds at least one byte. A malicious...
CVE-2026-63915
The CVE concerns the Linux kernel NFC HCI code: nfc_hci_recv_from_llc() and nci_hci_data_received_cb() read packet->header from skb->data at entry without verifying buffer length, enabling an out-of-bounds heap read from a 0-byte HCP frame and risking skb_over_panic if fragmented. The fix a...
CVE-2026-63915 nfc: hci: fix out-of-bounds read in HCP header parsing
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: fix out-of-bounds read in HCP header parsing Both nfchcirecvfromllc and ncihcidatareceivedcb read packet-header from skb-data at function entry without first checking that the buffer holds at least one byte. A malicious...
CVE-2026-63909 ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
In the Linux kernel, the following vulnerability has been resolved: ksmbd: OOB read regression in smbcheckpermdacl ACE-walk loops Commit d07b26f39246 "ksmbd: require minimum ACE size in smbcheckpermdacl" introduced a transposed bounds check: if offsetofstruct smbace, sid + acessize size offset 2...
CVE-2026-63902
The CVE-2026-63902 issue affects the Linux kernel USB-serial Cypress M8 driver. cypress_read_int_callback() parses the interrupt-in buffer for two Cypress packet formats (format 1: two-byte status/count header; format 2: one-byte combined header). The interrupt buffer is sized from the endpoint w...
CVE-2026-63903
The CVE-2026-63903 entry concerns the Linux kernel USB-serial Belkin sa driver. The vulnerability arises from belkin_sa_read_int_callback() treating the interrupt data as a four-byte status report and reading LSR/MSR fields from offsets 2 and 3, with the interrupt-in buffer length derived from en...
CVE-2026-63902 USB: serial: cypress_m8: validate interrupt packet headers
In the Linux kernel, the following vulnerability has been resolved: USB: serial: cypressm8: validate interrupt packet headers cypressreadintcallback parses the interrupt-in buffer according to the selected Cypress packet format. Format 1 has a two-byte status/count header and format 2 has a...
CVE-2026-63815
In the Linux kernel, the following vulnerability has been resolved: f2fs: bound iinlinexattrsize for non-inline-xattr inodes When the flexibleinlinexattr feature is enabled, doreadinode loads the on-disk iinlinexattrsize unconditionally: if f2fssbhasflexibleinlinexattrsbi fi-iinlinexattrsize =...
CVE-2026-53402
In the Linux kernel, the following vulnerability has been resolved: fbdev: fbcon: fix out-of-bounds read in errout of fbcondosetfont When fbcondosetfont fails e.g., due to a memory allocation failure inside vcresize under heavy memory pressure, it jumps to the errout label to roll back the consol...
CVE-2026-53402
The CVE-2026-53402 vulnerability affects the Linux kernel fbdev/fbcon path. When fbcon_do_set_font() fails and jumps to err_out to rollback the console state, the rollback omits restoring hi_font state (vc_hi_font_mask) and the screen buffer. This can leave the terminal desynchronized and cause v...
CVE-2026-53390
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds read in smbcheckpermdacl The permission-check ACE walk in smbcheckpermdacl validates the ACE header size and caps sid.numsubauth at SIDMAXSUBAUTHORITIES, but it never checks that ace-size is actually larg...
PT-2026-61107
In the Linux kernel, the following vulnerability has been resolved: fbdev: fbcon: fix out-of-bounds read in err out of fbcon do set font When fbcon do set font fails e.g., due to a memory allocation failure inside vc resize under heavy memory pressure, it jumps to the err out label to roll back t...
PT-2026-61232
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: fix out-of-bounds read in HCP header parsing Both nfc hci recv from llc and nci hci data received cb read packet-header from skb-data at function entry without first checking that the buffer holds at least one byte. A...
PT-2026-61331
In the Linux kernel, the following vulnerability has been resolved: Input: usbtouchscreen - clamp NEXIO data len/x len to URB buffer size nexio read data pulls data len and x len from a packed be16 header in the device's interrupt packet and then walks packet-data0..x len and packet-datax len..da...