CVE-2026-31523

A flaw was found in the Linux kernel's Non-Volatile Memory Express NVMe PCI driver. A local user can trigger a race condition during a system reset by changing the polled queue count. This vulnerability allows a high-priority task to attempt to poll a queue before the system's queue maps are...

CVE-2026-31518

A flaw was found in the Linux kernel. When the espintcp component processes network traffic using asynchronous cryptography, a memory leak can occur. This happens because a socket buffer skb is not correctly released if the transmit queue becomes full. This continuous leak of memory can lead to...

CVE-2026-31509

A flaw was found in the Linux kernel, specifically within the Near Field Communication NFC NCI subsystem. A circular locking dependency can occur when the nciclosedevice function attempts to flush work queues while holding a lock that can be re-acquired by a work queue function. This improper...

EUVD-2026-24911

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue...

EUVD-2026-24863

In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in...

EUVD-2026-24902

In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, espoutputtailtcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packe...

EUVD-2026-24862

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Initialize freeqp completion before using it In irdmacreateqp, if ibcopytoudata fails, it will call irdmadestroyqp to clean up which will attempt to wait on the freeqp completion, which is not initialized yet. Fix thi...

EUVD-2026-24825

In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with reqqueuemutex MEDIAREQUESTIOCREINIT can run concurrently with VIDIOCREQBUFS0 queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to...

EUVD-2026-24771

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix memory leak when a wq is reset idxdwqdisablecleanup which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty all its resourc...

CVE-2026-31523

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue...

CVE-2026-31518

In the Linux kernel, the following vulnerability has been resolved: esp: fix skb leak with espintcp and async crypto When the TX queue for espintcp is full, espoutputtailtcp will return an error and not free the skb, because with synchronous crypto, the common xfrm output code will drop the packe...

CVE-2026-31509

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nciclosedevice nciclosedevice flushes rxwq and txwq while holding reqlock. This causes a circular locking dependency because ncirxwork running on rxwq can end up taking reqlock too:...

CVE-2026-31493

In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix use of completion ctx after free On admin queue completion handling, if the admin command completed with error we print data from the completion context. The issue is that we already freed the completion context in...

CVE-2026-31494

In the Linux kernel, the following vulnerability has been resolved: net: macb: use the current queue number for stats There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gemgetssetcount correctly computes the number of stats based on the activ...

CVE-2026-31484

In the Linux kernel, the following vulnerability has been resolved: iouring/fdinfo: fix OOB read in SQEMIXED wrap check iouringshowfdinfo iterates over pending SQEs and, for 128-byte SQEs on an IORINGSETUPSQEMIXED ring, needs to detect when the second half of the SQE would be past the end of the...

CVE-2026-31473

In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with reqqueuemutex MEDIAREQUESTIOCREINIT can run concurrently with VIDIOCREQBUFS0 queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to...

CVE-2026-31523

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue...

CVE-2026-31523 nvme-pci: ensure we're polling a polled queue

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: ensure we're polling a polled queue A user can change the polled queue count at run time. There's a brief window during a reset where a hipri task may try to poll that queue before the block layer has updated the queue...

CVE-2026-31523

In the Linux kernel NVMe PCI driver, CVE-2026-31523 is a race condition: a running change to the polled queue count can create a brief window during reset where a hipri task poll occurs before queue maps are updated, risking double completions when the interrupt-driven path takes over. The issue ...

CVE-2026-31518

CVE-2026-31518 affects the Linux kernel espintcp path when using asynchronous crypto. If the TX queue for espintcp is full, esp_output_tail_tcp returns an error and the skb is not freed under earlier synchronous handling; with async crypto (esp_output_done) the skb must be dropped when esp_output...