CVE-2026-45997 scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing putdisk when deviceadd&diskdev fails If deviceadd&sdkp-diskdev fails, putdevice runs scsidiskrelease, which frees the scsidisk but leaves the gendisk referenced. The deviceadddisk error path in sdprobe calls...

CVE-2026-45996 spi: imx: fix use-after-free on unbind

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration unless the allocation is device managed. Take another reference before deregistering...

EUVD-2026-32292

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration unless the allocation is device managed. Take another reference before deregistering...

CVE-2026-45996

The CVE-2026-45996 entry concerns a use-after-free in the Linux kernel SPI IMX driver (on unbind/deregistration). The root cause is that upon deregistering the SPI controller, driver data may be freed while still referenced, requiring an extra reference before deregistration to ensure data remain...

CVE-2026-45989

CVE-2026-45989: Linux kernel use-after-free in unittest testdrv_probe() is mitigated in openSUSE/Root environments by updating kernel-devel to 7.0.11-1.1. The initial description explains that testdrv_probe() retrieves a device_node from the PCI device, applies an overlay, and then calls of_node_...

CVE-2026-45984 gfs2: Fix use-after-free in iomap inline data write path

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head dibh is being released prematurely in gfs2iomapbegin via releasemetapath while iomap-inlinedata still points to dibh-bdata. This causes a...

CVE-2026-45981

CVE-2026-45981 (Linux kernel, s390/cio): The vulnerability stems from device lifecycle mismanagement in css_alloc_subchannel() where, if dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel without proper device model reference counting. After device_initialize() i...

CVE-2026-45964 SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gssauth kref leak in gssallocmsg error path Commit 5940d1cf9f42 "SUNRPC: Rebalance a kref in authgss.c" added a krefget&gssauth-kref call to balance the gssputauth done in gssreleasemsg, but forgot to add a...

CVE-2026-45955 md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpuref not resurrected on suspend timeout When llbitmapsuspendtimeout times out waiting for percpuref to become zero, it returns -ETIMEDOUT without resurrecting the percpuref. The caller mdllbitmapdaemonfn...

CVE-2026-45955

Summary (CVE-2026-45955): In the Linux kernel, the md/md-llbitmap path suffers a logic error where llbitmap_suspend_timeout() times out waiting for percpu_ref to reach zero and returns -ETIMEDOUT without resurrecting percpu_ref. This leaves the page control structure in a killed state, potentiall...

CVE-2026-45951

The CVE-2026-45951 issue affects the Linux kernel BPF subsystem, caused by incorrect reference counting in check_pseudo_btf_id() that could cause a use-after-free of a BTF object. The mitigation is a kernel patch that fixes the refcount handling (and related code). RedHat notes potential privileg...

CVE-2026-45951 bpf: Fix a potential use-after-free of BTF object

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the checkpseudobtfid function is incorrect: the checkpseudobtfid function might get called with a zero refcounted btf. Fix this, and patch related code accordingly...

CVE-2026-45931 accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommusvaunbinddevice Some tests trigger a crash in iommusvaunbinddevice due to accessing iommumm after the associated mm structure has been freed. Fix this by taking an explicit reference t...

CVE-2026-45931

The CVE-2026-45931 issue affects the Linux kernel’s accel/amdxdna module. A crash can occur in iommu_sva_unbind_device() when it accesses iommu_mm after the associated mm structure has been freed. The fix is to take an explicit reference to the mm structure after successfully binding the device a...

CVE-2026-45925 thermal/of: Fix reference leak in thermal_of_cm_lookup()

In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermalofcmlookup In thermalofcmlookup, trnp is obtained via ofparsephandle, but never released. Use the freedevicenode cleanup attribute to automatically release the node and fix the leak. rjw:...

CVE-2026-45925

CVE-2026-45925 affects the Linux kernel thermal subsystem. In thermal_of_cm_lookup(), a device node pointer (tr_np) obtained via of_parse_phandle() is not released, causing a reference leak. The documented fix is to release the node automatically using the __free(device_node) cleanup attribute to...

CVE-2026-45925

In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermalofcmlookup In thermalofcmlookup, trnp is obtained via ofparsephandle, but never released. Use the freedevicenode cleanup attribute to automatically release the node and fix the leak. rjw:...

CVE-2026-45910

The CVE-2026-45910 issue affects the Linux kernel RDMA/rxe driver, caused by a race between retransmit_timer() and rxe_destroy_qp that can drop a Queue Pair (QP) reference count to zero during timer handling. Public documents describe a use-after-free risk and refcount underflow in affected flows...

CVE-2026-45880 PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails

In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Release per-CPU pgmap ref when vminsertpage fails When vminsertpage fails in p2pmemallocmmap, p2pmemallocmmap doesn't invoke percpurefput to free the per-CPU ref of pgmap acquired after genpoolallocowner, and...

CVE-2026-45880

CVE-2026-45880 – Linux kernel PCI/P2PDMA issue : When vm_insert_page() fails during p2pmem_alloc_mmap(), the code does not release the per-CPU ref for pgmap acquired after gen_pool_alloc_owner(), causing memunmap_pages() to hang when removing a PCI device. The patch fixes this by adding the missi...