336201 matches found
EUVD-2026-32883
In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofsexportiget isofsfhtodentry and isofsfhtoparent pass an attacker- controlled block number ifid-block or ifid-parentblock from the NFS file handle to isofsexportiget, which...
EUVD-2026-32882
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtiobt: clamp rx length before skbput virtbtrxwork calls skbputskb, len where len comes directly from virtqueuegetbuf with no validation against the buffer we posted to the device. The RX skb is allocated in...
CVE-2026-46122
In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43rx The firmware-controlled key index in b43rx can exceed the dev-key array size 58 entries. The existing B43WARNON is non-enforcing in production builds, allowing an...
CVE-2026-46122 wifi: b43: enforce bounds check on firmware key index in b43_rx()
In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43rx The firmware-controlled key index in b43rx can exceed the dev-key array size 58 entries. The existing B43WARNON is non-enforcing in production builds, allowing an...
CVE-2026-46122
The CVE-2026-46122 issue affects the Linux kernel b43 Wi-Fi driver (b43_rx). A firmware-controlled key index could exceed the dev->key[] array (58 entries), and the non-enforcing B43_WARN_ON allowed an out-of-bounds read. The fix enforces the check by dropping frames when the firmware returns ...
CVE-2026-46121
The CVE-2026-46121 entry maps to a Linux kernel fix in mm/damon/sysfs-schemes: protecting memcg_path kfree() with damon_sysfs_lock to prevent use-after-free when reading/writing the DAMON sysfs memcg_path). The issue arose because user-driven reads/writes of memcg_path were not synchronized with ...
EUVD-2026-32879
In the Linux kernel, the following vulnerability has been resolved: ip6gre: Use cached t-net in ip6erspanchangelink. After commit 5e72ce3e3980 "net: ipv6: Use link netns in newlink of rtnllinkops", ip6erspannewlink correctly resolves the per-netns ip6gre hash via linknet. ip6erspanchangelink was...
CVE-2026-46120
In the Linux kernel, the following vulnerability has been resolved: ip6gre: Use cached t-net in ip6erspanchangelink. After commit 5e72ce3e3980 "net: ipv6: Use link netns in newlink of rtnllinkops", ip6erspannewlink correctly resolves the per-netns ip6gre hash via linknet. ip6erspanchangelink was...
CVE-2026-46120
Concrete details found: CVE-2026-46120 affects the Linux kernel ip6_gre machinery. The issue is in ip6erspan_changelink(), which wrongly uses dev_net(dev) instead of the correct per-netns hash resolved by link_net, after a patch series that fixed per-netns resolution in ip6erspan_newlink(). This ...
CVE-2026-46120
In the Linux kernel, the following vulnerability has been resolved: ip6gre: Use cached t-net in ip6erspanchangelink. After commit 5e72ce3e3980 "net: ipv6: Use link netns in newlink of rtnllinkops", ip6erspannewlink correctly resolves the per-netns ip6gre hash via linknet. ip6erspanchangelink was...
CVE-2026-46119
In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a potentially corrupted message of type CEPHMSGAUTHREPLY contains a positive value in its result field, it is treated as an error code by cephhandleauthreply an...
EUVD-2026-32877
In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix null ptr deref in paprhvpipedevcreatehandle commit 6d3789d347a7 "papr-hvpipe: convert paprhvpipedevcreatehandle to FDPREPARE", changed the create handle to FDPREPARE, but it caused kernel null-ptr-deref...
CVE-2026-46117
CVE-2026-46117 affects the Linux kernel RDMA/mana component. The issue arises when a user can configure Work Queues to share the same Completion Queue via the uAPI, which triggers a user-writable WARN_ON() and can lead to kernel corruption. The vulnerability has been resolved by removing the trig...
EUVD-2026-32876
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARNON in manaibcreateqprss Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARNON then go on to corrupt the kernel. Just...
CVE-2026-46116 xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrmstate lists in xfrmstatedelete KASAN reproduces a slab-use-after-free in xfrmstatedelete's hlistdelrcu calls under syzkaller load on linux-6.12.y stable reproduced on 6.12.47, also reachable via the...
EUVD-2026-32875
In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrmstate lists in xfrmstatedelete KASAN reproduces a slab-use-after-free in xfrmstatedelete's hlistdelrcu calls under syzkaller load on linux-6.12.y stable reproduced on 6.12.47, also reachable via the...
CVE-2026-46116
CVE-2026-46116 affects the Linux kernel xfrm subsystem (xfrm_state). The root cause is a local-use-after-free in __xfrm_state_delete due to unsafe deletions from byseq/byspi hash chains. The patch changes deletions to hlist_del_init_rcu and uses hlist_unhashed() checks, preventing writes after LI...
EUVD-2026-32874
In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovecphysmergeable biovecphysmergeable is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently h...
CVE-2026-46115 block: add pgmap check to biovec_phys_mergeable
In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovecphysmergeable biovecphysmergeable is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently h...
CVE-2026-46114 RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMICWRITE payloads atomicwritereply at drivers/infiniband/sw/rxe/rxeresp.c unconditionally dereferences 8 bytes at payloadaddrpkt: value = u64 payloadaddrpkt; checkrkey previously accepted an...