238 matches found
CVE-2026-10665 Heap buffer overflow on WireGuard receive path via unbounded incoming packet length
In Zephyr's WireGuard subsystem subsys/net/lib/wireguard, wgprocessdatamessage in wgcrypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIGWIREGUARDBUFLEN bytes before decryption. The call netbuflinearizebuf-data, datalen, pkt-buffer, ..., datalen passed the...
CVE-2026-10665
CVE-2026-10665 concerns Zephyr’s WireGuard implementation (subsys/net/lib/wireguard). The flaw: wg_process_data_message() linearizes an inbound payload into a fixed pool buffer, passing the attacker-controlled data_len as both the destination capacity and copy length to net_buf_linearize, ignorin...
CVE-2026-45257
CVE-2026-45257 : FreeBSD KTLS receive path decrypts in place, enabling an unprivileged local user to overwrite a file’s page cache via sendfile(2) data over a loopback connection when KTLS receive is enabled. This can corrupt the backing file and allow privilege escalation by overwriting setuid/t...
CVE-2026-53235
In the Linux kernel, the following vulnerability has been resolved: net: add pskbmaypull to skbgroreceivelist skbgroreceivelist calls skbpullskb, skbgrooffsetskb without first ensuring the data is in the linear area via pskbmaypull. When the skb arrives via napigrofrags, skbheadlen can be 0 all...
UBUNTU-CVE-2026-53184
In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...
CVE-2026-53235 net: add pskb_may_pull() to skb_gro_receive_list()
In the Linux kernel, the following vulnerability has been resolved: net: add pskbmaypull to skbgroreceivelist skbgroreceivelist calls skbpullskb, skbgrooffsetskb without first ensuring the data is in the linear area via pskbmaypull. When the skb arrives via napigrofrags, skbheadlen can be 0 all...
CVE-2026-53215 net: mvpp2: refill RX buffers before XDP or skb use
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2rxrefill can fail after the...
CVE-2026-53184 udp: clear skb->dev before running a sockmap verdict
In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...
Linux Distros Unpatched Vulnerability : CVE-2026-53006
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ipv6: fix possible UAF in icmpv6rcv Caching saddr and daddr before pskbpull is problematic since skb-head can change. Remove these temporary variables: - We onl...
EUVD-2026-38941
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcildisc: Clear HCIUARTPROTOINIT on error When hciregisterdev fails in hciuartregisterdev HCIUARTPROTOINIT is not cleared before calling hu-proto-closehu and setting hu-hdev to NULL. This means incoming UART data will...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: fix potential skb-frags overflow in the RX path When receiving data in the DPMAIF RX path, the t7xxdpmaifsetfragtoskb function adds page fragments to an skb without checking whether the number of fragments has...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: e1000: fixed an out-of-bounds error in e1000tbishouldaccept In e1000tbishouldaccept, we read the last byte of the frame via “datalength - 1” to evaluate the TBI workaround. If the descriptor’s reported length is zero or greater...
Astra Linux – Vulnerability found in Linux 6.12, Linux 6.1
In the Linux kernel, the following vulnerabilities have been resolved: sctp: Linearize cloned GSO packets in sctprcv. The cloned headskb still shares these frag SKBs in the fraglist with the original headskb. Accessing these frag SKBs is not safe. syzbot reported two bugs caused by the use of...
PT-2026-51967
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Bluetooth component where HCI UART PROTO INIT is not cleared when hci register dev fails within the hci uart register dev function. This failure allows incoming UA...
CVE-2026-10658
btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...
Astra Linux – Vulnerability in Linux 5.15
A null pointer dereference issue was detected in the can protocol in the net/can/afcan.c file in Linux before Linux. The mlpriv variable may not be initialized in the receive path of CAN frames. A local user could exploit this flaw to crash the system or potentially cause a denial of service...
K000161576: Linux kernel vulnerabilities CVE-2025-39841 and CVE-2025-39727
Security Advisory Description CVE-2025-39841 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the ...
wifi: b43legacy: enforce bounds check on firmware key index in RX path
...
Linux Distros Unpatched Vulnerability : CVE-2026-46110
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC,...
CVE-2026-46188
In the Linux kernel, the following vulnerability has been resolved: octeonepvf: add NULL check for napibuildskb napibuildskb can return NULL on allocation failure. In octepvfoqprocessrx, the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading t...