CVE-2026-45882

In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916bmsvm: Fix use-after-free in powersupplychanged Using the devm variant for requesting IRQ before the devm variant for allocating/registering the powersupply handle, means that the powersupply handle will be...

CVE-2026-45884

In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aagetbuffer When aagetbuffer pulls from the per-cpu list it unconditionally decrements cache-hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINTMAX...

CVE-2026-45889

In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcprcvbufgrow MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcprcvbufgrow...

CVE-2026-45888

In the Linux kernel, the following vulnerability has been resolved: md/raid1: fix memory leak in raid1run raid1run calls setupconf which registers a thread via mdregisterthread. If raid1setlimits fails, the previously registered thread is not unregistered, resulting in a memory leak of the mdthre...

CVE-2026-45881

In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: svs: Fix memory leak in svsenabledebugwrite In svsenabledebugwrite, the buf allocated by memdupusernul is leaked if kstrtoint fails. Fix this by using freekfree to automatically free buf, eliminating the need for...

CVE-2026-45877

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: fix NULL-ptr-deref in ishtpbusremoveallclients During a warm reset flow, the cl-device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl-device-referencecount witho...

CVE-2026-45878

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watchid bounds checking in debug address watch v2 The address watch clear code receives watchid as an unsigned value u32, but some helper functions were using a signed int and checked bits by shifting with watchid...

CVE-2026-45875

In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Fix regulator resource leak on wm5102clearwritesequencer failure The wm5102clearwritesequencer helper may return an error and just return, bypassing the cleanup sequence and causing regulators to remain enabled,...

CVE-2026-45876

In the Linux kernel, the following vulnerability has been resolved: arm64/gcs: Fix error handling in archsetshadowstackstatus allocgcs returns an error-encoded pointer on failure, which comes from dommap, not NULL. The current NULL check fails to detect errors, which could lead to using an invali...

CVE-2026-45880

In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Release per-CPU pgmap ref when vminsertpage fails When vminsertpage fails in p2pmemallocmmap, p2pmemallocmmap doesn't invoke percpurefput to free the per-CPU ref of pgmap acquired after genpoolallocowner, and...

CVE-2026-45879

In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25980: Fix use-after-free in powersupplychanged Using the devm variant for requesting IRQ before the devm variant for allocating/registering the powersupply handle, means that the powersupply handle will be...

UBUNTU-CVE-2026-45963

In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: 1984.896308 BUG: unable to...

CVE-2026-45869

In the Linux kernel, the following vulnerability has been resolved: power: supply: wm97xx: Fix NULL pointer dereference in powersupplychanged In probe, requestirq is called before allocating/registering a powersupply handle. If an interrupt is fired between the call to requestirq and...

CVE-2026-45870

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: authgss: fix memory leaks in XDR decoding error paths The gssxdecctx, gssxdecstatus, and gssxdecname functions allocate memory via gssxdecbuffer, which calls kmemdup. When a subsequent decode operation fails, these...

UBUNTU-CVE-2026-45940

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully fill...

UBUNTU-CVE-2026-46009

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown epfntbepcdestroy duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allowlink fails or when .droplink is performed. Remove t...

UBUNTU-CVE-2026-46023

In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in createdirtylog The argument count calculation in createdirtylog performs argsused = 2 + paramcount before validating against argc. When a user provides a paramcount close to UINTMAX via the devi...

UBUNTU-CVE-2026-46039

In the Linux kernel, the following vulnerability has been resolved: rxgk: Fix potential integer overflow in length check Fix potential integer overflow in rxgkextracttoken when checking the length of the ticket. Rather than rounding up the value to be tested which might overflow, round down the...

UBUNTU-CVE-2026-46096

In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpmbufdestroy in tpm2readpublic tpm2readpublic calls tpmbufinit but fails to call tpmbufdestroy on two exit paths, leaking a page allocation: 1. When namesize returns an error unrecognized hash algorith...

UBUNTU-CVE-2026-45898

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing worklist The commit e1168f0 "RDMA/iwcm: Simplify cmeventhandler" changed the work submission logic to unconditionally call queuework with the expectation that queuework would...