EUVD-2026-38977

In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in ptefragdestroy powerpc uses ptfragrefcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16...

Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices

Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence...

CVE-2026-49287 Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: drm/amdkfd: Fixed error handling in kfdprocessdeviceinitvm It is necessary to only destroy the ibmem and let the process cleanup worker free the outstanding BOs. Reset the pointer in the pdd-qpd structure to avoid NULL pointer...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: nvmet: A possible leak has been fixed when destroying a ctrl during qp establishment. In nvmetsqdestroy, we capture sq-ctrl early. If it is not NULL, we know that a ctrl was allocated during the admin connect request handling. We...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: Firmware: armscmi: Balances the device reference count when destroying devices. Using devicefindchild to find the appropriate SCMI device to destroy causes an imbalance in the device reference count. This occurs because...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fixed the destruction of kthread workers in polling mode. The cleanup order in polling mode irq worklist and WARNON!listempty&worker-delayedworklist. The original code called kthreadDestroyWorker before...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: cgroup: Split cgroupdestroywq into 3 workqueues A hang can occur during 1 LTP cgroup testing when repeatedly mounting/unmounting perfevent and netprio controllers with systemd.unifiedcgrouphierarchy=1. The hang manifests in...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: RDMA/hns: Fixed double destruction of rsvqp RSVQP may be double destroyed during error flow, first in freemrinit, and then in hnsroceexit. This issue was fixed by moving the freemrinit call into hnsrocev2init. List corruption:...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: Net: tun: Unlinking the NAPI from the device upon destruction. Syzbot identified a race condition between the tun file and the device destruction process. NAPIs reside in the structtunfile structure, and this structure may be...

Astra Linux – Vulnerability found in Linux 6.1, Linux 5.10, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fixed a UAF in blkcgunpinonline. blkcgunpinonline traverses the blkcg hierarchy to set the object as online. To traverse this hierarchy, it uses blkcgparentblkcg, but this call occurs after blkcgDestroyBlksblkcg, whic...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: Synchronized bitmapgetstats with the lifetime of the bitmap. After the commit with the code ec6bb299c7c3 “md/md-bitmap: add ‘syncsize’ into struct mdbitmapstats, a panic is reported: Oops: General Protection Fault,...

Astra Linux – Vulnerability in Linux 5.10, Linux

In the Linux kernel, the following vulnerability has been resolved: xen/netfront: Destroy queues before realnumtxqueues is zeroed xennetDestroyQueues relies on info-netdev-realnumtxqueues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 “net-sysfs: Update the queue counts in the...

Astra Linux – Vulnerability in Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: drm/i915: Fixed potential context UAFs. The gemcontextregister function makes the context visible to user space, and a separate thread can trigger the I915GEMCONTEXTDESTROY ioctl command. Therefore, we need to ensure that...

Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: net: ena: Fixed error handling in enainit The enainit function no longer destroys the workqueue created by createsinglethreadworkqueue when pciregisterdriver fails. Calling destroyworkqueue when pciregisterdriver fails prevents...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Clear the driver reference in usb-phy dev For the dual-role port, the phy device will be assigned to the usb-phy device, and the port device driver will be used as the dev driver for usb-phy. When we attempt to...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: cfg80211: fixed a race condition in the netlink owner interface destruction process. My previous fix to address this issue created a deadlock situation, and there was a race condition where the exact same deadlock could occur...

xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free in miSyncDestroyFence()

A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence. A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection...

CVE-2026-11846

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption...

MAL-2026-5555 Malicious code in express-timer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683 express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on...