UBUNTU-CVE-2026-46019

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-aes - Fix 3-page memory leak in atmelaesbuffcleanup atmelaesbuffinit allocates 4 pages using getfreepages with ATMELAESBUFFERORDER, but atmelaesbuffcleanup frees only the first page using freepage, leaking the...

UBUNTU-CVE-2026-45889

In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcprcvbufgrow MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcprcvbufgrow...

UBUNTU-CVE-2026-45898

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing worklist The commit e1168f0 "RDMA/iwcm: Simplify cmeventhandler" changed the work submission logic to unconditionally call queuework with the expectation that queuework would...

UBUNTU-CVE-2026-45914

In the Linux kernel, the following vulnerability has been resolved: Revert "hwmon: ibmpex fix use-after-free in high/low store" This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d. Jean Delvare points out that the patch does not completely fix the reported problem, that it in fact...

UBUNTU-CVE-2026-46021

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermalzonedeviceregisterwithtrips fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which ma...

CVE-2026-45867

In the Linux kernel, the following vulnerability has been resolved: power: supply: act8945a: Fix use-after-free in powersupplychanged Using the devm variant for requesting IRQ before the devm variant for allocating/registering the powersupply handle, means that the powersupply handle will be...

CVE-2026-45869

In the Linux kernel, the following vulnerability has been resolved: power: supply: wm97xx: Fix NULL pointer dereference in powersupplychanged In probe, requestirq is called before allocating/registering a powersupply handle. If an interrupt is fired between the call to requestirq and...

CVE-2026-45870

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: authgss: fix memory leaks in XDR decoding error paths The gssxdecctx, gssxdecstatus, and gssxdecname functions allocate memory via gssxdecbuffer, which calls kmemdup. When a subsequent decode operation fails, these...

CVE-2026-45874

In the Linux kernel, the following vulnerability has been resolved: phy: freescale: imx8qm-hsio: fix NULL pointer dereference During the probe the refclkpad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imxhsioconfigureclkpad this point...

CVE-2026-45871

In the Linux kernel, the following vulnerability has been resolved: tpm: st33zp24: Fix missing cleanup on getburstcount error getburstcount can return -EBUSY on timeout. When this happens, st33zp24send returns directly without releasing the locality acquired earlier. Use goto outerr to ensure...

CVE-2026-45873

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftsetrbtree: check for partial overlaps in anonymous sets Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted. The existing partial overlap detection logic...

CVE-2026-45872

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqireportphysluns pqireportphysluns fails to release the rpllist buffer when encountering an unsupported data format or when the allocation for rpl16bytewwidlist fails. These early returns bypas...

UBUNTU-CVE-2026-45953

In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmapops-blockssynced is checked in handlestripedirtying. However, later the same check is...

UBUNTU-CVE-2026-45935

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot In the 'DeleteIndexEntryRoot' case of the 'doaction' function, the entry size 'esize' is retrieved from the log record without adequate bounds checking. Specifically,...

UBUNTU-CVE-2026-45875

In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Fix regulator resource leak on wm5102clearwritesequencer failure The wm5102clearwritesequencer helper may return an error and just return, bypassing the cleanup sequence and causing regulators to remain enabled,...

UBUNTU-CVE-2026-45921

In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: Fix memory leak in mtdparsertplinksafeloaderparse The function mtdparsertplinksafeloaderparse allocates buf via mtdparsertplinksafeloaderreadtable. If the allocation for partsidx.name fails inside the loop, the code...

UBUNTU-CVE-2026-46090

In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopbackcheckformat may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 "ALSA: aloop: Fix...

UBUNTU-CVE-2026-45962

In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublkctrlcmddump accesses header sqe-cmd before IOURINGFSQE128 flag check. This could cause out of boundary memory access. Move the SQE128 flag check earlier in ublkctrluringcmd ...

UBUNTU-CVE-2026-45967

In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The mapdirectvalueaddr function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolvepseudoldimm64...

UBUNTU-CVE-2026-46094

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in checkxattrs to prevent out-of-bounds access The bounds check for the next xattr entry in checkxattrs uses void next = end, which allows next to point within sizeofu32 bytes of end. On the next loop...