CVE-2026-52906

CVE-2026-52906 concerns the Linux kernel’s 9p (9p2000.L) file system implementation. The vulnerability arises because v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(), and the session defaults include V9FS_ACCESS_CLIENT. As a result, mounting w...

EUVD-2026-35415

In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb "9p: convert to the new mount API", v9fsapplyoptions applies parsed mount flags with |= onto flags already set by v9fssessioninit. For 9P2000.L,...

CVE-2026-52905 mm/damon/core: disallow non-power of two min_region_sz on damon_start()

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two minregionsz on damonstart Commit d8f867fa0825 "mm/damon: add damonctx-minszregion" introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b "mm/damon/core:...

CVE-2026-52905

The provided CVE-2026-52905 details a Linux kernel DAMON subsystem issue in mm/damon/core where a bug from damon_ctx->min_sz_region allowed damon_start() to emit non-power-of-two min_region_sz, despite an earlier fix for damon_commit_ctx(). The connected documents state that the path is now pr...

EUVD-2026-35434

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two minregionsz on damonstart Commit d8f867fa0825 "mm/damon: add damonctx-minszregion" introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b "mm/damon/core:...

EUVD-2026-35432

In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: bound bootloader receive buffering cc1352bootloaderrx appends each serdev chunk into the fixed rxbuffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may recei...

CVE-2026-46330

The CVE describes a Linux kernel design flaw in the net/smc TCP ULP support that was reverted and resolved. The issue arose from attempting to convert an active TCP socket into an SMC socket by in-place modifications to the underlying file structures (struct file, dentry, inode), which violates V...

EUVD-2026-35431

In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an acti...

EUVD-2026-35430

In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed out, similar to loopback devices and that is what we expect...

CVE-2026-46328 apparmor: fix rlimit for posix cpu timers

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers wh...

EUVD-2026-35428

In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dmsuspendedmd The function dmblkreportzones tests if the device is suspended with the "dmsuspendedmd" call. However, this function is called without holding any locks, so the device may be suspended just...

CVE-2026-46326 iio: pressure: mprls0025pa: fix spi_transfer struct initialisation

In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spitransfer struct initialisation Make sure that the spitransfer struct is zeroed out before use...

EUVD-2026-35427

In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spitransfer struct initialisation Make sure that the spitransfer struct is zeroed out before use...

EUVD-2026-35426

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGESIZE The current implementation incorrectly handles memory regions MRs with page sizes different from the system PAGESIZE. The core issue is that rxesetpage is called...

EUVD-2026-35414

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: use listdelrcu for netlink hooks nftnetdevunregisterhooks and nftunregisterflowtablenethooks need to use listdelrcu, this list can be walked by concurrent dumpers. Add a new helper and use it consistently...

EUVD-2026-35413

In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skbgroreceive can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFLMANAGEDFRAGREFS flag. When SKBFLMANAGEDFRAGREFS is set, the...

CVE-2026-46322

The CVE pertains to the Linux kernel tun driver (tun_xdp_one) where a page allocated for a frame by vhost_net_build_xdp() is not freed when build_skb() fails, causing a memory leak. Specifically, if build_skb() fails, ret is set to -ENOMEM and the code jumps to the error path without freeing the ...

CVE-2026-46322 tun: free page on build_skb failure in tun_xdp_one()

In the Linux kernel, the following vulnerability has been resolved: tun: free page on buildskb failure in tunxdpone When buildskb fails in tunxdpone, the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhostnetbuildxdp allocated for the frame. ...

EUVD-2026-35411

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tunxdpone tunxdpone returns -EINVAL on a frame shorter than ETHHLEN without freeing the page that vhostnetbuildxdp allocated for it. tunsendmsg discards that -EINVAL and still returns...

CVE-2026-46321

The CVE-2026-46321 entry concerns the Linux kernel tun_xdp_one() path. A frame shorter than ETH_HLEN may return -EINVAL without freeing the page allocated by vhost_net_build_xdp(), causing a leak when vhost_tx_batch() follows the success path. This happens in scenarios where a local process opens...