CVE-2026-46026 net: qrtr: ns: Limit the maximum number of lookups

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum number of lookups Current code does no bound checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a...

CVE-2026-46025 mm/damon/core: fix damon_call() vs kdamond_fn() exit race

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damoncall vs kdamondfn exit race Patch series "mm/damon/core: fix damoncall/damoswalk vs kdmond exit race". damoncall and damoswalk can leak memory and/or deadlock when they race with kdamond terminations. Fix...

CVE-2026-46024

In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in cephhandleauthreply If a message of type CEPHMSGAUTHREPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac-negotiating == tr...

EUVD-2026-32404

In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in createdirtylog The argument count calculation in createdirtylog performs argsused = 2 + paramcount before validating against argc. When a user provides a paramcount close to UINTMAX via the devi...

CVE-2026-46023

CVE-2026-46023 is a Linux kernel vulnerability in dm-mirror where create_dirty_log() could bypass argc checks due to an unsigned add of 2 + param_count, allowing an out-of-bounds read in argv when param_count is near UINT_MAX. The root cause is an overflow in argument count calculation before val...

EUVD-2026-32403

In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasmhandlemouseinterrupt ibmasmhandlemouseinterrupt performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTEQUEUESIZE 60. A compromised service...

CVE-2026-46022

CVE-2026-46022 relates to the Linux kernel code in misc: ibmasm where an OOB MMIO read occurs in ibmasm_handle_mouse_interrupt due to unbounded queue index usage. The root cause is unbounded values from get_queue_reader()/get_queue_writer() fed into get_queue_entry(), producing a potentially inva...

CVE-2026-46021 thermal: core: Fix thermal zone governor cleanup issues

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermalzonedeviceregisterwithtrips fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which ma...

EUVD-2026-32400

In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-aes - Fix 3-page memory leak in atmelaesbuffcleanup atmelaesbuffinit allocates 4 pages using getfreepages with ATMELAESBUFFERORDER, but atmelaesbuffcleanup frees only the first page using freepage, leaking the...

EUVD-2026-32401

In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damosquotagoal-nid for nodememused,freebp Patch series "mm/damon/core: validate damosquotagoal-nid". nodememcgused,freebp DAMOS quota goals receive the node id. The node id is used for simeminfonode and...

CVE-2026-46018 ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAXNRRATES parseuac2sampleraterange caps the number of enumerated rates at MAXNRRATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional...

CVE-2026-46018

CVE-2026-46018 is a Linux kernel issue in ALSA: usb-audio (UAC2) where parse_uac2_sample_rate_range() capped at MAX_NR_RATES but only broke the inner loop; a malformed UAC2 RANGE could continue parsing and flood with "invalid uac2 rates". The fix stops the whole parse at the cap and returns the c...

EUVD-2026-32399

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAXNRRATES parseuac2sampleraterange caps the number of enumerated rates at MAXNRRATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional...

EUVD-2026-32398

In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migratefoliomove records the deferred split queue state from src and replays it on dst. Replaying it after removemigrationptessrc, dst, 0 makes dst visible before it is requeued...

CVE-2026-46015 tcp: call sk_data_ready() after listener migration

In the Linux kernel, the following vulnerability has been resolved: tcp: call skdataready after listener migration When inetcsklistenstop migrates an established child socket from a closing listener to another socket in the same SOREUSEPORT group, the target listener gets a new accept-queue entry...

EUVD-2026-32396

In the Linux kernel, the following vulnerability has been resolved: tcp: call skdataready after listener migration When inetcsklistenstop migrates an established child socket from a closing listener to another socket in the same SOREUSEPORT group, the target listener gets a new accept-queue entry...

CVE-2026-46015

The CVE-2026-46015 issue affects the Linux kernel TCP path when migrating an established child socket between listeners in the same SO_REUSEPORT group. After inet_csk_listen_stop() migrates, the target listener can obtain a new accept-queue entry via inet_csk_reqsk_queue_add(), but the path does ...

CVE-2026-46016 remoteproc: xlnx: Only access buffer information if IPI is buffered

In the Linux kernel, the following vulnerability has been resolved: remoteproc: xlnx: Only access buffer information if IPI is buffered In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing...

EUVD-2026-32397

In the Linux kernel, the following vulnerability has been resolved: remoteproc: xlnx: Only access buffer information if IPI is buffered In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing...

CVE-2026-46014 KVM: SVM: Add missing save/restore handling of LBR MSRs

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Add missing save/restore handling of LBR MSRs MSRIA32DEBUGCTLMSR and LBR MSRs are currently not enumerated by KVMGETMSRINDEXLIST, and LBR MSRs cannot be set with KVMSETMSRS. So save/restore is completely broken. Fix it ...