CVE-2026-46099

A flaw was found in the Linux kernel's IPv6 networking implementation, specifically within the seg6 and rpl lwtunnels. A race condition can occur when handling destination cache entries, where a NOREF no reference destination object is used after it has been freed. This use-after-free vulnerabili...

CVE-2026-46102

A flaw was found in the Linux kernel's network stream parser. This vulnerability occurs when the stream parser is unexpectedly stopped, such as during a message assembly timeout. A partially processed network message is not properly released from memory, leading to a memory leak. An attacker coul...

EUVD-2026-32288

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1inurb at error path The previous fix for handling the error from setupcard missed that an internal URB cdev-ep1inurb might have been already submitted beforehand. In the normal case, this...

EUVD-2026-32291

In the Linux kernel, the following vulnerability has been resolved: iouring/zcrx: fix userstruct uaf iofreerbufring usees a struct userstruct, which iozcrxifqfree puts it down before destroying the ring...

EUVD-2026-32287

In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in partdescsloc. handlepartitiondescriptor deduplicates entries by partition...

EUVD-2026-32290

In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in commandfilewrite due to missing size checks The commandfilewrite handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot...

EUVD-2026-32263

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: clean up the amdgpucsparserbos In low memory conditions, kmalloc can fail. In such conditions unlock the mutex for a clean exit. We do not need to amdgpubolistput as it's been handled in the amdgpucsparserfini...

EUVD-2026-32267

In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix NULL pointer dereference in acpievaddressspacedispatch Cover a missed execution path with a new check...

EUVD-2026-32285

In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in testdrvprobe The function testdrvprobe retrieves the devicenode from the PCI device, applies an overlay, and then immediately calls ofnodeputdn. This releases the reference held by the PCI core...

EUVD-2026-32259

In the Linux kernel, the following vulnerability has been resolved: ublk: use READONCE to read struct ublksrvctrlcmd struct ublksrvctrlcmd is part of the iouringsqe, which may lie in userspace-mapped memory. It's racy to access its fields with normal loads, as userspace may write to them...

EUVD-2026-32262

In the Linux kernel, the following vulnerability has been resolved: staging: greybus: lights: avoid NULL deref gblightslightconfig stores channelcount before allocating the channels array. If kcalloc fails, gblightsrelease iterates the non-zero count and dereferences light-channels, which is NULL...

EUVD-2026-32264

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Stop job scheduling across aie2releaseresource Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes. Fix this by stopping job scheduling before...

EUVD-2026-32261

In the Linux kernel, the following vulnerability has been resolved: fbnic: close fwlog race between users and teardown Fixes a theoretical race on fwlog between the teardown path and fwlog write functions. fwlog is written inside fbnicfwlogwrite and can be reached from the mailbox handler...

EUVD-2026-32282

In the Linux kernel, the following vulnerability has been resolved: crypto: ccree - fix a memory leak in ccmacdigest Add ccunmapresult if ccmaphashrequestfinal fails to prevent potential memory leak...

EUVD-2026-32284

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry. Fix this by just discarding the packe...

EUVD-2026-32254

In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlbarprecv during bond up/down The ALB RX path may access rxhashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlbdeinitialize frees rxhashtbl while RX handlers are still running,...

EUVD-2026-32246

In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublkctrlcmddump accesses header sqe-cmd before IOURINGFSQE128 flag check. This could cause out of boundary memory access. Move the SQE128 flag check earlier in ublkctrluringcmd ...

EUVD-2026-32239

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpuref not resurrected on suspend timeout When llbitmapsuspendtimeout times out waiting for percpuref to become zero, it returns -ETIMEDOUT without resurrecting the percpuref. The caller mdllbitmapdaemonfn...

EUVD-2026-32247

In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: 1984.896308 BUG: unable to...

EUVD-2026-32250

In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL pointer dereference in unixneedsrevalidation When receiving file descriptors via SCMRIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer...