GHSA-4RQF-GRM6-VF75 free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

Summary free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks , ok =...

GHSA-44QJ-CGHF-9P97 free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)

Summary free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware same root cause as free5gc/free5gc887. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration, which calls...

free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)

Summary free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications, the notifier calls NnefPFDmanagementNotify... and on any delivery error invokes logger.PFDManageLog.Fatalerr, which is os.Exit1-equivalent in Go...

GHSA-RXRQ-FV76-26PR free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)

Summary free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications, the notifier calls NnefPFDmanagementNotify... and on any delivery error invokes logger.PFDManageLog.Fatalerr, which is os.Exit1-equivalent in Go...

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the HandleCreateSmPolicyRequest process when a downstream OpenAPI consumer call returns a 404 error and the response struct is nil. An attacker can cause the application to panic a...

free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference

Summary free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler HandleCreateSmPolicyRequest panics with a nil-pointer dereference when a downstream OpenAPI consumer call UDR lookup returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The...

CVE-2026-43395

A flaw was found in the Linux kernel's drm/xe/sync subsystem. When processing synchronization entries, the xesyncentryparse function may fail to properly clean up partially initialized resources. This improper handling of error paths can lead to a resource leak. A local attacker could potentially...

CVE-2026-43393

A flaw was found in the Linux kernel's btrfs file system. This vulnerability, a memory leak, occurs in the btrfsmapblock function. When an early error return -EINVAL happens, the allocated chunk map is not properly freed, leading to a resource leak. This can potentially lead to system instability...

CVE-2026-43388

A flaw was found in the Linux kernel's DAMON Data Access MONitor subsystem. The damoswalk function in mm/damon/core fails to clear a dangling pointer when a context is inactive and an error occurs. This issue can lead to a temporary denial of service DoS for subsequent calls to damoswalk,...

github.com/sirupsen/logrus: github.com/sirupsen/logrus: Denial-of-Service due to large single-line payload

A denial-of-service vulnerability in github.com/sirupsen/logrus occurs when Entry.Writer processes a single-line payload larger than 64KB with no newline characters. Due to a limitation in Go’s internal bufio.Scanner, the read operation fails with a “token too long” error, causing the underlying...

CVE-2026-43358

A flaw was found in the Linux kernel's btrfs filesystem. A missing Read-Copy Update RCU unlock in an error path within the tryreleasesubpageextentbuffer function could lead to system instability. This issue, identified by a thread-safety analyzer, may result in a denial of service condition,...

CVE-2026-43355

A flaw was found in the Linux kernel's bh1780 light sensor driver. This vulnerability occurs due to a Power Management PM runtime leak, where the system's reference count for power management is not always properly decremented. An attacker could exploit this by repeatedly triggering the error pat...

CVE-2026-43310

A flaw was found in the Linux kernel's Verisilicon media driver. On the i.MX8MQ platform, simultaneous decoding of H.264 and HEVC video streams by the g1 and g2 Video Processing Units VPUs can lead to a bus error. This issue can result in corrupted video output and potentially cause a system hang...

CVE-2025-71299

A flaw was found in the Linux kernel's spi-cadence-quadspi driver. When processing Device Tree DT descriptions for attached flash devices, a missing or broken DT description can lead to a runtime power management PM disable in the error handling path of the probe function. This can result in...

EUVD-2026-28776

In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3proccreate if dalias is a dir If we found an alias through nfs3docreate/nfsaddorobtain /dsplicealias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but t...

EUVD-2026-28769

In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpckernellookuppeer rxrpckernellookuppeer can also return error pointers in addition to NULL, so just checking for NULL is not sufficient. Fix this by: 1 Changing...

EUVD-2026-28768

In the Linux kernel, the following vulnerability has been resolved: net: spacemit: Fix error handling in emactxmemmap The DMA mappings were leaked on mapping error. Free them with the existing emacfreetxbuf function...

EUVD-2026-28772

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5eresettxqsqccpc resets dmafifocc to 0 but not dmafifopc, desyncing the DMA FIFO producer and consumer. After...

EUVD-2026-28757

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinkqueue: fix entry leak in bridge verdict error path nfqnlrecvverdict calls finddequeueentry to remove the queue entry from the queue data structures, taking ownership of the entry. For PFBRIDGE packets, it then...

EUVD-2026-28751

In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will...