CVE-2026-52997

A flaw was found in the Linux kernel's schdualpi2 qdisc queueing discipline component. When dualpi2change attempts to enforce updated limit and memory limit values, it may incorrectly try to dequeue packets from an empty C-queue while packets are present in the L-queue. This can lead to a NULL sk...

CVE-2026-52981

A flaw was found in the Linux kernel. The neighxmit function, when called with an uninitialized neighbor table such as NEIGHNDTABLE when IPv6 is disabled, can return an error without properly releasing the allocated skb socket buffer. This can lead to a memory leak, potentially impacting system...

CVE-2026-53227

A flaw was found in the Linux kernel's Open vSwitch OVS component. This issue occurs due to incorrect error handling during the allocation of a 'reply' skb socket buffer after locking the ovsmutex. If the allocation fails, an invalid pointer may be passed to kfreeskb, leading to a system crash an...

CVE-2026-53009

A flaw was found in the Linux kernel's ice network driver. An error in the driver's handling of network packet transmission, specifically when icetso or icetxcsum functions fail, can lead to a double-free of a network buffer skb. This occurs because a transmit buffer txbuf may still point to an...

EUVD-2026-39337

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential unbounded skb queue virtiotransportincrxpkt checks vvs-rxbytes + len vvs-bufalloc. virtiotransportrecvenqueue skips coalescing for packets with VIRTIOVSOCKSEQEOM. If fed with packets with len == 0 and...

EUVD-2026-39201

In the Linux kernel, the following vulnerability has been resolved: xsk: cache csumstart/csumoffset to fix TOCTOU in xskskbmetadata The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xskskbmetadata, csumstart and csumoffset are read...

EUVD-2026-39191

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on firstskb in inputprocesspayload inputprocesspayload stores firstskb into xtfs-ranewskb under droplock when starting partial reassembly, then unlocks and breaks out of the processing loop. The...

CVE-2026-53217

In CVE-2026-53217, the Linux kernel fix targets mvpp2 RX data synchronization. The issue arises when mvpp2 programs the RX queue offset and hardware writes data at dma_addr + MVPP2_SKB_HEADROOM, while the CPU sync starting at dma_addr only covers rx_bytes + MVPP2_MH_SIZE. On non-coherent DMA, thi...

EUVD-2026-39306

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2rxrefill can fail after the...

CVE-2026-53184

In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...

EUVD-2026-39242

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix the ACK parser to extract the SACK table for parsing Fix modification of the received skbuff in rxrpcinputsoftacks and a potential incorrect access of the buffer in a fragmented UDP packet the packet would probably hav...

CVE-2026-53151

The CVE-2026-53151 entry concerns the Linux kernel’s rxrpc path. The fixed issue centers on the ACK parser’s handling of the SACK table: rxrpc_input_soft_acks() could modify the received skbuff and an access to the SACK data in a fragmented UDP scenario could be invalid if the SACK table was copi...

CVE-2026-53132

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential unbounded skb queue virtiotransportincrxpkt checks vvs-rxbytes + len vvs-bufalloc. virtiotransportrecvenqueue skips coalescing for packets with VIRTIOVSOCKSEQEOM. If fed with packets with len == 0 and...

CVE-2026-52912

A flaw was found in the Linux kernel's netfilter component. This vulnerability occurs because a queued bridge packet can retain a freed bridge master in its skb-dev field until it is reinjected. When the packet is later reinjected, the system attempts to use the freed bridge master, leading to a...

EUVD-2026-38877

In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of txbuf skb If icetso or icetxcsum fail, the error path in icexmitframering frees the skb, but the 'first' txbuf still points to it and is marked as valid ICETXBUFSKB. 'nexttouse' remains unchanged, so the...

EUVD-2026-38842

In the Linux kernel, the following vulnerability has been resolved: net: tls: fix strparser anchor skb leak on offload RX setup failure When tlssetdeviceoffloadrx fails at tlsdevadd, the error path calls tlsswfreeresourcesrx to clean up the SW context that was initialized by tlssetswoffload. This...

EUVD-2026-38979

In the Linux kernel, the following vulnerability has been resolved: bpf: testrun: Fix the null pointer dereference issue in bpflwtxmitpushencap The bpflwtxmitpushencap helper needs to access skbdstskb-dev to calculate the needed headroom: err = skbcowheadskb, len + LLRESERVEDSPACEskbdstskb-dev; B...

EUVD-2026-38947

In the Linux kernel, the following vulnerability has been resolved: netsched: fix skb memory leak in deferred qdisc drops When the network stack cleans up the deferred list via qdiscrunend, it operates on the root qdisc. If the root qdisc do not implement the TCQFDEQUEUEDROPS flag the packets que...

EUVD-2026-38712

In the Linux kernel, the following vulnerability has been resolved: netfilter: nflog: validate MAC header was set before dumping it The fallback path of dumpmacheader guards the MAC header access only with "skb-macheader != skb-networkheader", without checking skbmacheaderwasset. When the MAC...

CVE-2026-52912

The CVE-2026-52912 entry describes a Linux kernel netfilter NFQUEUE use-after-free caused by br_pass_frame_up() rewriting skb->dev to the bridge master, leading to a freed device being observed on reinjection via br_netif_receive_skb(). The fix stores skb->dev in the queue entry and maintai...