10766 matches found
UBUNTU-CVE-2026-45847
In the Linux kernel, the following vulnerability has been resolved: net: remove WARNONONCE when accessing forward path array Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARNONONCE if userspace manages to build a sufficiently long forward path. Remove it...
CVE-2026-47104
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parseiadarray in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer...
CVE-2026-47104
CVE-2026-47104 affects libusb before 1.0.30. The vulnerability is a one-byte out-of-bounds read in parse_iad_array() in descriptor.c, allowing a denial of service when a malformed USB descriptor is supplied with bLength equal to size minus one, causing the bounds check to use the original buffer ...
EUVD-2026-32500
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parseiadarray in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer...
CVE-2026-47104 libusb < 1.0.30 Out-of-Bounds Read in parse_iad_array()
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parseiadarray in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer...
CVE-2026-47104
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parseiadarray in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer...
CVE-2026-47104
libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parseiadarray in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer...
EUVD-2026-32448
In the Linux kernel, the following vulnerability has been resolved: ceph: fix numops off-by-one when crypto allocation fails movedirtyfolioinpagearray may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext...
SUSE CVE-2026-45840
In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsgnewNLMSGDEFAULTSIZE, ... but serialize the full upcall PID array via ovsvportgetupcallportids...
CVE-2026-46050
CVE-2026-46050 affects the Linux kernel md/raid10 code. A deadlock can occur when a check operation runs concurrently with NOWAIT I/O on the same array: barrier raises, normal requests block, nr_pending underflows, and the md resync thread may stall waiting for nr_pending == 0. The root cause inv...
CVE-2026-46037 ipv4: icmp: validate reply type before using icmp_pointers
In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmppointers Extended echo replies use ICMPEXTECHOREPLY as the outbound reply type. That value is outside the range covered by icmppointers, which only describes the traditional ICMP...
CVE-2026-46037
In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmppointers Extended echo replies use ICMPEXTECHOREPLY as the outbound reply type. That value is outside the range covered by icmppointers, which only describes the traditional ICMP...
CVE-2026-46037
The CVE-2026-46037 issue affects the Linux kernel IPv4 ICMP component. Extended echo replies could use ICMP_EXT_ECHOREPLY outside the icmp_pointers[] range; the fix avoids icmp_pointers[] lookups for out-of-range types and uses array_index_nospec() for in-range lookups. Multiple OS feeds report p...
CVE-2026-45840
A flaw was found in the Linux kernel's Open vSwitch component. A local attacker, with administrative network capabilities, could exploit this by providing an overly large Process ID PID array. This action triggers a buffer overflow within the network link netlink reply mechanism, leading to a...
CVE-2026-45967
CVE-2026-45967 pertains to the Linux kernel BPF subsystem. The vulnerability stems from map_direct_value_addr() in the instruction array map, where an offset was incorrectly added to the resulting address, and later the offset was re-applied by resolve_pseudo_ldimm64(). The issue has been fixed; ...
CVE-2026-45967
In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The mapdirectvalueaddr function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolvepseudoldimm64...
CVE-2026-45967 bpf: Return proper address for non-zero offsets in insn array
In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The mapdirectvalueaddr function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolvepseudoldimm64...
CVE-2026-45953 md/raid5: fix IO hang with degraded array with llbitmap
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmapops-blockssynced is checked in handlestripedirtying. However, later the same check is...
CVE-2026-45953
The CVE affects the Linux kernel md/raid5, where an IO hang can occur on degraded arrays using llbitmap. Root cause: the check bitmap_ops->blocks_synced() is present in handle_stripe_dirtying() but is missing in need_this_block(), causing stripe handling to deadlock as handle_stripe() routes t...
CVE-2026-45953
In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmapops-blockssynced is checked in handlestripedirtying. However, later the same check is...