126566 matches found
CVE-2026-64186
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs In iommummiowrite and iommucapabilitywrite, the variables dbgmmiooffset and dbgcapoffset are declared as int. However, they are populated using kstrtou32fromuser. If ...
CVE-2026-64133
In the Linux kernel, the following vulnerability has been resolved: ALSA: asihpi: Fix potential OOB array access at reading cache findcontrol to retrieve a cached info accesses the array with the given index blindly, which may lead to an OOB array access. Add a sanity check for avoiding it...
CVE-2026-64126
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate Add Extended Advertising Data length MGMTOPADDEXTADVDATA is registered as a variable-length command, with MGMTADDEXTADVDATASIZE as the fixed header size. The handler then uses cp-advdatalen and...
CVE-2026-64121
In the Linux kernel, the following vulnerability has been resolved: net: ifb: report ethtool stats over numtxqueues ifbdevinit allocates dp-txprivate to dev-numtxqueues entries via kzallocobjstxp, dev-numtxqueues. Both IFB per-queue RX and TX stats live in those entries: ifbxmit updates txp-rxsta...
CVE-2026-64114
In the Linux kernel, the following vulnerability has been resolved: ipv4: raw: reject IPHDRINCL packets with ihl ihl 4; err = -EINVAL; if iphlen length goto errorfree; if iphlen = sizeofiph / fix up saddr, totlen, id, csum, transportheader / It does not, however, reject ihl = sizeofiph" branch is...
CVE-2026-64081
In the Linux kernel, the following vulnerability has been resolved: firmware: armffa: Validate framework notification message layout Framework notifications carry an indirect message in the shared RX buffer. Validate the reported offset and size before using them, reject zero-length payloads, and...
CVE-2026-64014
In the Linux kernel, the following vulnerability has been resolved: Input: usbtouchscreen - clamp NEXIO datalen/xlen to URB buffer size nexioreaddata pulls datalen and xlen from a packed be16 header in the device's interrupt packet and then walks packet-data0..xlen and packet-dataxlen..datalen...
CVE-2026-64018
In the Linux kernel, the following vulnerability has been resolved: net: mana: validate rxreqidx to prevent out-of-bounds array access In manahwcrxeventhandler, rxreqidx is derived from sge-address in DMA-coherent memory. In Confidential VMs SEV-SNP/TDX, this memory is shared unencrypted and HW c...
CVE-2026-64009
In the Linux kernel, the following vulnerability has been resolved: xfrm: Check for underflow in xfrmstatemtu Leo Lin reported OOB write issue in esp component: xfrmstatemtu returns u32 but performs its arithmetic in unsigned modulo-2^32 space using an attacker-influenced "headerlen + authsize +...
CVE-2026-64000
In the Linux kernel, the following vulnerability has been resolved: net: hsr: fix potential OOB access in supervision frame handling Ensure the entire TLV header is linearized before access by adding sizeofstruct hsrsuptlv to the pskbmaypull calls. Without this, a truncated frame could cause an...
CVE-2026-63996
In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis: require exact CDB reply length Malicious SFP module could respond with rpllen longer than what cmiscdbprocessreply expected, leading to OOB writes. Malicious HW is a bit theoretical but some modules may just be bug...
CVE-2026-63958
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsiconnectorchange The connector number in a UCSI CCI notification is a 7-bit field supplied by the PPM. ucsiconnectorchange uses it to index the ucsi-connector array without checki...
CVE-2026-63947
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: fix missing length checks in hidpinputreport hidpinputreport reads keyboard and mouse payload data from an skb without first verifying that skb-len contains enough data. hidprecvintrframe pulls the 1-byte HIDP...
CVE-2026-63943
In the Linux kernel, the following vulnerability has been resolved: Input: xpad - fix out-of-bounds access for Share button xpadoneprocesspacket receives len directly from urb-actuallength and uses it to index the share-button byte at datalen - 18 or datalen - 26. Since both len and data0 are und...
CVE-2026-63923
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: validate body pcifunc in rvumboxhandlerrepeventnotify rvumboxhandlerrepeventnotify in drivers/net/ethernet/marvell/ octeontx2/af/rvurep.c queues a sender-controlled REPEVENTNOTIFY request body verbatim, and...
CVE-2026-63915
In the Linux kernel, the following vulnerability has been resolved: nfc: hci: fix out-of-bounds read in HCP header parsing Both nfchcirecvfromllc and ncihcidatareceivedcb read packet-header from skb-data at function entry without first checking that the buffer holds at least one byte. A malicious...
CVE-2026-63904
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: check URB actuallength for interrupt-IN notifications USBTMC devices can use an optional interrupt endpoint for notification messages. These typically contain two-byte headers indicating the payload format, but the...
CVE-2026-63909
In the Linux kernel, the following vulnerability has been resolved: ksmbd: OOB read regression in smbcheckpermdacl ACE-walk loops Commit d07b26f39246 "ksmbd: require minimum ACE size in smbcheckpermdacl" introduced a transposed bounds check: if offsetofstruct smbace, sid + acessize size offset 2...
CVE-2026-63903
In the Linux kernel, the following vulnerability has been resolved: USB: serial: belkinsa: validate interrupt status length The Belkin interrupt callback treats interrupt data as a four-byte status report and reads LSR/MSR fields at offsets 2 and 3. The interrupt-in buffer length is derived from...
CVE-2026-63902
In the Linux kernel, the following vulnerability has been resolved: USB: serial: cypressm8: validate interrupt packet headers cypressreadintcallback parses the interrupt-in buffer according to the selected Cypress packet format. Format 1 has a two-byte status/count header and format 2 has a...