CVE-2026-46099 net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6inputcore and rplinput call ip6routeinput which sets a NOREF dst on the skb, then pass it to dstcachesetip6 invoking dsthold unconditionally. On PREEMPTRT, ksoftirqd is...

EUVD-2026-32482

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6inputcore and rplinput call ip6routeinput which sets a NOREF dst on the skb, then pass it to dstcachesetip6 invoking dsthold unconditionally. On PREEMPTRT, ksoftirqd is...

CVE-2026-46099

The CVE-2026-46099 entry describes a use-after-free race in Linux kernel IPv6 handling for seg6 and rpl lightweight tunnels. A NOREF destination cached during ip6_route_input() can be freed by a concurrent FIB lookup on a shared nexthop under PREEMPT_RT, leading to a WARN or potential instability...

CVE-2026-46098

CVE-2026-46098 affects the Linux kernel’s CAIF net subsystem. The issue arises when caif_connect() tears down a client via caif_disconnect_client() and caif_free_client(), where caif_free_client() releases the service layer pointer (adap_layer->dn) but leaves the pointer stale. If the socket i...

CVE-2026-46098 net: caif: clear client service pointer on teardown

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown caifconnect can tear down an existing client after remote shutdown by calling caifdisconnectclient followed by caiffreeclient. caiffreeclient releases the service layer referenc...

CVE-2026-46098

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown caifconnect can tear down an existing client after remote shutdown by calling caifdisconnectclient followed by caiffreeclient. caiffreeclient releases the service layer referenc...

EUVD-2026-32481

In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown caifconnect can tear down an existing client after remote shutdown by calling caifdisconnectclient followed by caiffreeclient. caiffreeclient releases the service layer referenc...

EUVD-2026-32480

In the Linux kernel, the following vulnerability has been resolved: Input: edt-ft5x06 - fix use-after-free in debugfs teardown The commit 68743c500c6e "Input: edt-ft5x06 - use per-client debugfs directory" removed the manual debugfs teardown, relying on the I2C core to handle it. However, this...

CVE-2026-46097

In the Linux kernel, the following vulnerability has been resolved: Input: edt-ft5x06 - fix use-after-free in debugfs teardown The commit 68743c500c6e "Input: edt-ft5x06 - use per-client debugfs directory" removed the manual debugfs teardown, relying on the I2C core to handle it. However, this...

EUVD-2026-32479

In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpmbufdestroy in tpm2readpublic tpm2readpublic calls tpmbufinit but fails to call tpmbufdestroy on two exit paths, leaking a page allocation: 1. When namesize returns an error unrecognized hash algorith...

CVE-2026-46096

The CVE affects the Linux kernel’s tpm2-sessions code, specifically tpm2_read_public(). It leaks a page allocation due to missing tpm_buf_destroy() on two exit paths: (1) when name_size() returns an error, the function returns without destroying the buffer; (2) on the success path, the buffer is ...

EUVD-2026-32478

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: raise barrier before state machine transition Move the barrier raise operation before calling llbitmapstatemachine in both llbitmapstartwrite and llbitmapstartdiscard. This ensures the barrier is in place before a...

CVE-2026-46095

CVE-2026-46095 refers to a Linux kernel issue in the md/md-llbitmap area. The vulnerability was mitigated by moving the barrier raise operation to occur before any state transitions, ensuring the barrier is in place prior to calling llbitmap_state_machine() in both llbitmap_start_write() and llbi...

CVE-2026-46095 md/md-llbitmap: raise barrier before state machine transition

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: raise barrier before state machine transition Move the barrier raise operation before calling llbitmapstatemachine in both llbitmapstartwrite and llbitmapstartdiscard. This ensures the barrier is in place before a...

CVE-2026-46095

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: raise barrier before state machine transition Move the barrier raise operation before calling llbitmapstatemachine in both llbitmapstartwrite and llbitmapstartdiscard. This ensures the barrier is in place before a...

CVE-2026-46094 ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in checkxattrs to prevent out-of-bounds access The bounds check for the next xattr entry in checkxattrs uses void next = end, which allows next to point within sizeofu32 bytes of end. On the next loop...

CVE-2026-46094

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in checkxattrs to prevent out-of-bounds access The bounds check for the next xattr entry in checkxattrs uses void next = end, which allows next to point within sizeofu32 bytes of end. On the next loop...

EUVD-2026-32477

In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in checkxattrs to prevent out-of-bounds access The bounds check for the next xattr entry in checkxattrs uses void next = end, which allows next to point within sizeofu32 bytes of end. On the next loop...

CVE-2026-46093

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: take vmappurgelock in shrinker decayvapoolnode can be invoked concurrently from two paths: purgevmaparealazy when pools are being purged, and the shrinker via vmapnodeshrinkscan. However, decayvapoolnode is not safe t...

CVE-2026-46093 mm/vmalloc: take vmap_purge_lock in shrinker

In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: take vmappurgelock in shrinker decayvapoolnode can be invoked concurrently from two paths: purgevmaparealazy when pools are being purged, and the shrinker via vmapnodeshrinkscan. However, decayvapoolnode is not safe t...