1335 matches found
CVE-2026-64147
In the Linux kernel, the following vulnerability has been resolved: pdscore: fix debugfslookup dentry leak and error handling debugfslookup returns a dentry with an elevated reference count that must be released with dput. The current code discards the returned dentry without calling dput, causin...
CVE-2026-64108
In the Linux kernel, the following vulnerability has been resolved: cifs: Fix busy dentry used after unmounting Since commit 340cea84f691c "cifs: open files should not hold ref on superblock", cifs file only holds the dentry refcnt, the cifs file close workcfile-deferred could be executed after...
CVE-2026-64044
In Linux kernel networking code related to the OpenVPN (ovpn) subsystem, CVE-2026-64044 fixes a race where ovpn_nl_peer_new_doit() released a peer directly via ovpn_peer_release() instead of using ovpn_peer_put(), bypassing the kref refcount mechanism. This allowed a concurrent caller holding a p...
EUVD-2026-45617
In the Linux kernel, the following vulnerability has been resolved: ovpn: respect peer refcount in CMDNEWPEER error path ovpnnlpeernewdoit's error path calls ovpnpeerrelease directly rather than ovpnpeerput, bypassing the kref. The accompanying comment "peer was not yet hashed, thus it is not use...
EUVD-2026-45752
In the Linux kernel, the following vulnerability has been resolved: net/handshake: hand off the pinned file reference to acceptdoit handshakereqnext removes the request from the per-net pending list and drops hnlock before handshakenlacceptdoit reads req-hrsk-sksocket and dereferences sock-file...
CVE-2026-63946
CVE-2026-63946 describes a Linux kernel Bluetooth ISO UAF in iso_recv_frame. The bug occurs when iso_recv_frame reads conn->sk under iso_conn_lock but releases the lock before using sk, with no reference held, allowing a concurrent iso_sock_kill() to free sk and cause a use-after-free on sk-&g...
CVE-2026-63918
CVE-2026-63918 affects the Linux kernel l2tp subsystem: l2tp_session_get_by_ifname previously returned a pointer to a session whose refcount could already be zero due to a race with l2tp_session_free()/kfree_rcu. The code used refcount_inc() in this getter, while other getters (l2tp_v2_session_ge...
EUVD-2026-45691
In the Linux kernel, the following vulnerability has been resolved: l2tp: use refcountincnotzero in l2tpsessiongetbyifname A reader in l2tpsessiongetbyifname can return a pointer to a session whose refcount has reached zero. The getter takes its reference with plain refcountinc, but every other...
CVE-2026-63827
The CVE-2026-63827 issue is a Linux kernel AppArmor use-after-free in the rawdata dedup loop within aa_replace_profiles. The root cause was a refcount handling change: aa_get_profile_loaddata() performed plain kref_get() on pcount, allowing a 0-refcount entry to be dereferenced. The fix introduce...
EUVD-2026-45493
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix use-after-free in rawdata dedup loop aareplaceprofiles walks ns-rawdatalist to dedup the incoming policy blob against entries already attached to existing profiles. Per the kernel-doc on struct aaloaddata, list...
CVE-2026-63823 keys: Pin request_key_auth payload in instantiate paths
In the Linux kernel, the following vulnerability has been resolved: keys: Pin requestkeyauth payload in instantiate paths A: requestkey B: KEYCTLINSTANTIATEIOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy...
CVE-2026-63795 9p: avoid putting oldfid in p9_client_walk() error path
In the Linux kernel, the following vulnerability has been resolved: 9p: avoid putting oldfid in p9clientwalk error path When p9clientwalk is called with clone set to false, fid aliases oldfid. If the walk subsequently fails after the request has been sent, the error path jumps to clunkfid, which...
CVE-2026-63795
In the Linux kernel, the following vulnerability has been resolved: 9p: avoid putting oldfid in p9clientwalk error path When p9clientwalk is called with clone set to false, fid aliases oldfid. If the walk subsequently fails after the request has been sent, the error path jumps to clunkfid, which...
CVE-2026-53378
Summary: CVE-2026-53378 affects the Linux kernel DRM colorop path. The issue is memory leaks in blob property handling during state lifecycle (duplication, destruction, reset) due to not releasing blob references and improper destruction of old state. What’s affected: drm/colorop code in the Linu...
EUVD-2026-45451
In the Linux kernel, the following vulnerability has been resolved: drm/colorop: Fix blob property reference tracking in state lifecycle The colorop state blob property handling had memory leaks during state duplication, destruction, and reset operations. The implementation failed to follow the...
PT-2026-61296
In the Linux kernel, the following vulnerability has been resolved: net/handshake: hand off the pinned file reference to accept doit handshake req next removes the request from the per-net pending list and drops hn lock before handshake nl accept doit reads req-hr sk-sk socket and dereferences...
CVE-2026-49834
sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised...
Oracle Linux 10 : glibc (ELSA-2026-500006)
The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-500006 advisory. - resolv: Check hostname for validity CVE-2026-4438 - resolv: Count records correctly CVE-2026-4437 Tenable has extracted the preceding description...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to improper validation in the threshold counting process. An attacker can bypass multi-log threshold requirements by compromising a single log and forging multiple entries or...
netfilter: synproxy: add mutex to guard hook reference counting
...