CVE-2026-46201 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xegemprimeimport When xedmabufinitobj fails, the attachment from dmabufdynamicattach is not detached. Add dmabufdetach before returning the error. Note: we cannot use goto outerr here becaus...

CVE-2026-46201

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xegemprimeimport When xedmabufinitobj fails, the attachment from dmabufdynamicattach is not detached. Add dmabufdetach before returning the error. Note: we cannot use goto outerr here becaus...

CVE-2026-46201

CVE-2026-46201 affects the Linux kernel drm/xe: an error path in xe_gem_prime_import() leaks a dma_buf attachment when xe_dma_buf_init_obj() fails, because the attachment from dma_buf_dynamic_attach() is not detached. The fix explicitly detaches via dma_buf_detach() before returning an error, avo...

EUVD-2026-32826

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg...

CVE-2026-46198

The CVE-2026-46198 issue affects the Linux kernel’s batman-adv component. A mismatch between integer types caused an integer overflow in batadv_iv_ogm_send_to_if, where buff_pos is s16 while the size check uses an int in batadv_iv_ogm_aggr_packet, potentially enabling an out-of-bounds read. The v...

CVE-2026-46197

The CVE-2026-46197 issue affects the Linux kernel DRM/AMDKFD component, where the nattr field validation for SVM ioctl was insufficient against the reported buffer size, enabling out-of-bounds access via a user-controlled attribute count. The root cause is input size validation failure in the SVM...

CVE-2026-46197 drm/amdkfd: validate SVM ioctl nattr against buffer size

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. cherry picked from commit...

EUVD-2026-32824

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. cherry picked from commit...

CVE-2026-46197

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. cherry picked from commit...

CVE-2026-46191

CVE-2026-46191 affects the Linux kernel framebuffer console (fbcon). The issue arises in fbcon_rotate_font() when a reallocation during console rotation fails; the old buffer is kept but becomes too small for the rotated font, enabling out-of-bounds font access for high-character codes. The fix c...

CVE-2026-46191

In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbconrotatefont. The putcs implementations for the rotated buffer will return early in this case. S...

CVE-2026-46191 fbcon: Avoid OOB font access if console rotation fails

In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbconrotatefont. The putcs implementations for the rotated buffer will return early in this case. S...

CVE-2026-46188 octeon_ep_vf: add NULL check for napi_build_skb()

In the Linux kernel, the following vulnerability has been resolved: octeonepvf: add NULL check for napibuildskb napibuildskb can return NULL on allocation failure. In octepvfoqprocessrx, the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading t...

EUVD-2026-32794

In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblpctrlmsg will collapse the usbcontrolmsg return value to 0/-errno, discarding the actual number of bytes transferre...

CVE-2026-46167

In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblpctrlmsg will collapse the usbcontrolmsg return value to 0/-errno, discarding the actual number of bytes transferre...

CVE-2026-46167

In the Linux kernel driver usb/usblp, CVE-2026-46167 fixes an uninitialized heap leak exposed via LPGETSTATUS. The bug arises because usblp_ctrl_msg() collapses usb_control_msg() return values to 0/-errno, leaving statusbuf (kmalloc(8)) uninitialized before the first LPGETSTATUS ioctl. If a print...

EUVD-2026-32782

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2compoundop If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, checkwsleas returns success without validating that the entire...

CVE-2026-46155

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2compoundop If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, checkwsleas returns success without validating that the entire...

CVE-2026-46155 smb/client: fix out-of-bounds read in smb2_compound_op()

In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2compoundop If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, checkwsleas returns success without validating that the entire...

CVE-2026-46155

CVE-2026-46155 affects the Linux kernel SMB client. The vulnerability is an out-of-bounds read in smb2_compound_op() caused by memcpy reading size[0] (OutputBufferLength) when iov_len is smaller than that length after a truncated server response. This can leak adjacent kernel heap memory. Impact ...