1699 matches found
CVE-2026-44640
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-provdata is stored as nniquicconn during dialing, but read as exquicconn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
CVE-2026-44640 NanoMQ: QUIC Dialer Close Type Confusion
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-provdata is stored as nniquicconn during dialing, but read as exquicconn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
CVE-2026-44640
CVE-2026-44640 affects NanoMQ (MQTT Broker). The issue is a type confusion in the QUIC dialer: aio->prov_data is stored as nni_quic_conn * during dialing but read as ex_quic_conn * during dialer close, leading to invalid object interpretation and a close-path hang/crash. This describes the vul...
EUVD-2026-33428
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-provdata is stored as nniquicconn during dialing, but read as exquicconn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
CVE-2026-44640
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-provdata is stored as nniquicconn during dialing, but read as exquicconn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
CVE-2026-44640 NanoMQ: QUIC Dialer Close Type Confusion
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-provdata is stored as nniquicconn during dialing, but read as exquicconn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
SUSE CVE-2026-46215
In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime swap in changehandle There was a potential race condition in changehandle. The ioctl briefly had a single object with two idr entries; a concurrent gemclose could delete the object and...
PT-2026-44985
NanoMQ MQTT Broker NanoMQ is an all-around Edge Messaging Platform. Prior to 0.24.14, aio-prov data is stored as nni quic conn during dialing, but read as ex quic conn during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This...
CVE-2026-46215
A flaw was found in the Linux kernel. A race condition in the Direct Rendering Manager DRM subsystem's changehandle function could allow a local attacker to trigger a use-after-free vulnerability. This occurs when a concurrent gemclose operation removes one handle while another remains dangling...
SUSE CVE-2026-45866
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...
CVE-2026-46090
A flaw was found in the Linux kernel's ALSA Advanced Linux Sound Architecture aloop driver. This Use-After-Free UAF vulnerability occurs when loopbackcheckformat stops the capture side during a format change, while a concurrent close operation detaches or frees the runtime. An attacker could...
EUVD-2026-32332
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...
CVE-2026-45918
In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - don't deref NULL sksocket member after tcpclose When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporary inserted in a "release list" for further processing...
CVE-2026-45866
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...
CVE-2026-45837
A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the arenavmclose function during a fork operation. This occurs because the child's Virtual Memory Area VMA is not correctly registered, leading to a dangling pointer. If a child process attempts to access this stale...
CVE-2026-45918
The CVE-2026-45918 entry describes a race condition in the Linux kernel related to OpenVPN keepalive processing. When a peer is removed from the hashtable and placed on a release list, the code detaches from the socket by restoring the original protocol and socket callbacks. If userspace closes t...
CVE-2026-45866
The CVE-2026-45866 issue is a use-after-free in caif_serial within the Linux kernel where handle_tx() may access ser->tty after the tty is freed due to tty_kref_put() occurring in ldisc_close() while the network device is still active. The race between ldisc_close() and packet transmission can...
CVE-2026-45866
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...
CVE-2026-45866 serial: caif: fix use-after-free in caif_serial ldisc_close()
In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...
UBUNTU-CVE-2026-45837
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arenavmclose on fork arenavmopen only bumps vml-mmapcount but never registers the child VMA in arena-vmalist. The vml-vma always points at the parent VMA, so after parent munmap the pointer dangles. If...