kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result

A flaw was found in the Linux kernel's Wi-Fi mac80211 subsystem. The ieee80211invokefastrx function uses a static variable for rxresult, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly...

CVE-2026-0149

In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0141

In decodeAppPacket of RtcpAppPacket.cpp, there is a possible OOB read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2026-0141

CVE-2026-0141 describes a likely out-of-bounds read in decodeAppPacket of RtcpAppPacket.cpp caused by a missing bounds check. The vulnerability enables a remote information disclosure without requiring additional execution privileges and without user interaction. Public references in the provided...

CVE-2026-0140

CVE-2026-0140 describes a potential out-of-bounds read in RtpPacket::decodePacket caused by an integer overflow that could lead to remote information disclosure. Exploitation requires user interaction; no remote code execution is stated. Connected sources (NVD, ENISA EUVD, OSV, PT-OSSecurity, And...

CVE-2026-0131

In RtpPacket::decodePacket, there is a possible out of bounds access due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2026-0131

The CVE-2026-0131 entry affects the code path In RtpPacket::decodePacket, where an integer overflow can cause an out-of-bounds access. This vulnerability could enable local escalation of privilege with no additional execution privileges required, and exploitation requires user interaction. Connec...

CVE-2026-0129

The CVE-2026-0129 entry concerns RtcpByePacket::decodeByePacket with a missing bounds check that can lead to remote information disclosure. The available sources (NVD, OSV, PT security, Android Pixel bulletin) indicate this is related to libpixelimsmedia and triggers information disclosure withou...

CVE-2026-0128

CVE-2026-0128 affects code in RtcpFbPacket::decodeRtcpFbPacket, where an integer overflow can trigger an out-of-bounds read. This could lead to remote information disclosure without extra privileges. Exploitation requires user interaction. The connected documents consistently describe the same is...

CVE-2026-0129

In RtcpByePacket::decodeByePacket, there is a possible due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation...

kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result

A flaw was found in the Linux kernel's Wi-Fi mac80211 subsystem. The ieee80211invokefastrx function uses a static variable for rxresult, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly...

gnutls: gnutls: Denial of Service via DTLS packet reordering vulnerability

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security DTLS packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This...

CVE-2026-10638

subsys/net/ip/icmpv6.c reads the network interface from a netpkt after that packet has been handed to nettrysenddata. In icmpv6handleechorequest and neticmpv6senderror, the post-send statistics update calls netpktifacereply/netpktifacepkt on the just-sent packet. The send path nettrysenddata -...

CVE-2026-10637

subsys/net/ip/ipv6mld.c:mldsend read the packet interface via netpktifacepkt after netsenddatapkt returned successfully. Per the network stack's ownership contract include/zephyr/net/netcore.h, and the explicit warning in subsys/net/ip/netcore.c:453-460 'do not use pkt after that call', a...

CVE-2026-10640 Use-after-free reading `net_pkt` `iface` after send in IPv6 Neighbor Discovery (`ipv6_nbr.c`)

Zephyr's IPv6 Neighbor Discovery send paths netipv6sendna, netipv6sendns, netipv6sendrs in subsys/net/ip/ipv6nbr.c updated the per-interface ICMP-sent statistics by calling netpktifacepkt after netsenddatapkt had already returned successfully. On the success path the network stack owns and releas...

CVE-2026-10639 Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()`

In Zephyr's native IPv4 stack, icmpv4handleechorequest in subsys/net/ip/icmpv4.c builds an echo-reply packet reply, hands it to nettrysenddata, and then, on success, calls netstatsupdateicmpsentnetpktifacereply. nettrysenddata transfers ownership of reply to the TX path netiftryqueuetx - netiftx ...

CVE-2026-10639

Summary: Zephyr’s native IPv4 icmpv4_handle_echo_request() can perform a use-after-free when updating per-interface statistics after sending an ICMP echo reply. The code hands the echo-reply to the TX path, which may drop the packet and free the net_pkt before the post-send stats update runs. As ...

CVE-2026-10637 Use-after-free of net_pkt in IPv6 MLD send path triggerable by a link-local MLD Query

subsys/net/ip/ipv6mld.c:mldsend read the packet interface via netpktifacepkt after netsenddatapkt returned successfully. Per the network stack's ownership contract include/zephyr/net/netcore.h, and the explicit warning in subsys/net/ip/netcore.c:453-460 'do not use pkt after that call', a...

CVE-2026-10637

CVE-2026-10637 describes a use-after-free in Zephyr’s IPv6 MLD send path: after net_send_data(pkt) returns, mld_send() reads net_pkt_iface(pkt), which may point to freed memory because ownership transfers to the L2 driver and the packet is returned to the k_mem_slab. If the freed slot has been re...

CVE-2026-10636 Use-after-free in Zephyr IPv4 IGMP send path (igmp_send)

In Zephyr's IPv4 IGMP implementation, igmpsend in subsys/net/ip/igmp.c read the network interface back out of the packet via netpktifacepkt after the packet had been handed to netsenddata. On the successful-send path the packet's last reference may already have been released by the L2 driver or b...