CVE-2026-46000

CVE-2026-46000 in the Linux kernel: rxrpc vulnerability where security checks decrypt bits of a packet in place while the skb may be shared with a packet sniffer, potentially exposing a decrypted (apparently corrupted) packet. The fix: when a packet was cloned, the kernel now hands a copy of the ...

EUVD-2026-32296

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the skbuff may be shared with a packet sniffer, which would lead to...

CVE-2026-46000 rxrpc: Fix conn-level packet handling to unshare RESPONSE packets

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the skbuff may be shared with a packet sniffer, which would lead to...

EUVD-2026-32294

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skbunshare failure If skbunshare fails to unshare a packet due to allocation failure in rxrpcinputpacket, the skb pointer in the parent rxrpciothread will be NULL'd out. This will likely cause the...

CVE-2026-45997

CVE-2026-45997 concerns the Linux kernel SCSI disk driver (sd). The issue arises when device_add(&sdkp->disk_dev) fails during sd_probe; as a result, put_device() calls lead to scsi_disk_release() freeing the scsi_disk but leaving the gendisk referenced. The fix adds a missing put_disk(gd) in ...

EUVD-2026-32293

In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing putdisk when deviceadd&diskdev fails If deviceadd&sdkp-diskdev fails, putdevice runs scsidiskrelease, which frees the scsidisk but leaves the gendisk referenced. The deviceadddisk error path in sdprobe calls...

CVE-2026-45996 spi: imx: fix use-after-free on unbind

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration unless the allocation is device managed. Take another reference before deregistering...

CVE-2026-45993

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Add spectre boundry for syscall dispatch table The LoongArch syscall number is directly controlled by userspace, but does not have a arrayindexnospec boundry to prevent access past the syscall function pointer tables...

CVE-2026-45992

...

CVE-2026-45991

The CVE-2026-45991 entry concerns the Linux kernel UDF filesystem. The root cause is in handle_partition_descriptor() where partition descriptors are deduplicated by partition number, but appended slots do not record partnum, allowing repeated Partition Descriptors to accumulate and grow num_part...

CVE-2026-45991 udf: fix partition descriptor append bookkeeping

In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in partdescsloc. handlepartitiondescriptor deduplicates entries by partition...

CVE-2026-45990

In the Linux kernel, the following vulnerability has been resolved: slub: fix data loss and overflow in krealloc Commit 2cd8231796b5 "mm/slub: allow to set node and align in kvrealloc" introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA nod...

CVE-2026-45988

The CVE-2026-45988 issue affects the Linux kernel rxrpc subsystem: a RESPONSE packet that experiences a temporary failure could end up partially decrypted and be retried, risking communication disruption or resource exhaustion. The published fix discards the problematic packet and triggers a new ...

CVE-2026-45988 rxrpc: Fix re-decryption of RESPONSE packets

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry. Fix this by just discarding the packe...

CVE-2026-45986 crypto: ccree - fix a memory leak in cc_mac_digest()

In the Linux kernel, the following vulnerability has been resolved: crypto: ccree - fix a memory leak in ccmacdigest Add ccunmapresult if ccmaphashrequestfinal fails to prevent potential memory leak...

CVE-2026-45986

The CVE-2026-45986 issue affects the Linux kernel crypto/ccree path, specifically a memory leak in cc_mac_digest. The root cause is a path where cc_map_hash_request_final() failures could leave memory unreleased; the fix adds cc_unmap_result() to prevent leaks. The vulnerability is locally exploi...

CVE-2026-45836

A flaw was found in the Linux kernel's Bluetooth L2CAP subsystem. This vulnerability, a null-pointer dereference, occurs due to a missing NULL guard in the l2capsockgetsndtimeocb function. A local attacker could exploit this flaw to trigger a system crash, leading to a Denial of Service DoS...

CVE-2026-45834

A flaw was found in the Linux kernel's Bluetooth L2CAP Logical Link Control and Adaptation Protocol implementation. A missing null pointer guard in the l2capsockstatechangecb function can lead to a null pointer dereference. This vulnerability could allow an attacker to cause a system crash,...

CVE-2026-45839

A flaw was found in the Linux kernel's BPF Berkeley Packet Filter CO-RE Compile Once - Run Everywhere accessor parsing. A local attacker with CAPBPF capabilities could craft a malicious BPF program that uses negative CO-RE accessor indices. This input validation vulnerability allows for an...

CVE-2026-45837

A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the arenavmclose function during a fork operation. This occurs because the child's Virtual Memory Area VMA is not correctly registered, leading to a dangling pointer. If a child process attempts to access this stale...