UBUNTU-CVE-2026-53247

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown mtkfreedev calls metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...

CVE-2026-53212

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfttunnel: fix use-after-free on object destroy nfttunnelobjdestroy calls metadatadstfree which directly kfrees the metadatadst, ignoring the dstentry refcount. Packets that took a reference via dsthold in...

CVE-2026-53160

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpcmapcreate fastrpcmaplookup returns a raw pointer after releasing fl-lock. The caller fastrpcmapcreate then calls fastrpcmapget krefgetunlesszero on this unprotected pointer. A...

CVE-2026-53269

In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting As the synproxy infrastructure register netfilter hooks on-demand when a user adds the first iptables target or nftables expression, if done concurrently they can ra...

CVE-2026-53269

The CVE affects the Linux kernel netfilter synproxy subsystem. The issue arises when netfilter hooks are registered on-demand for the first iptables target or nftables expression and multiple threads concurrently attempt registration, risking a race in refcount management. The published fix intro...

EUVD-2026-39220

In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: add mutex to guard hook reference counting As the synproxy infrastructure register netfilter hooks on-demand when a user adds the first iptables target or nftables expression, if done concurrently they can ra...

CVE-2026-53262

CVE-2026-53262 affects the Linux kernel ioctl path for the pppol2tp module (l2tp) where pppol2tp_ioctl() dereferenced sock->sk->sk_user_data without proper locking while a sleep could occur during copy_from_user(). If a concurrent socket close happened, l2tp_session_close() could free the s...

EUVD-2026-39198

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown mtkfreedev calls metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...

EUVD-2026-39252

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpcuser in workqueue context There is a race between fastrpcdevicerelease and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpcdevicerelease fre...

EUVD-2026-39251

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free race in fastrpcmapcreate fastrpcmaplookup returns a raw pointer after releasing fl-lock. The caller fastrpcmapcreate then calls fastrpcmapget krefgetunlesszero on this unprotected pointer. A...

CVE-2026-53161 misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix use-after-free of fastrpcuser in workqueue context There is a race between fastrpcdevicerelease and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpcdevicerelease fre...

EUVD-2026-39232

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix global performance monitor reference counting In the SETGLOBAL ioctl, v3dperfmonfind bumps the reference count on the perfmon it returns, but v3dperfmonsetglobalioctl and v3dperfmondelete fail to release that referen...

CVE-2026-53141

The CVE-2026-53141 issue affects the Linux kernel DRM v3d global performance monitor reference counting. In SET_GLOBAL, v3d_perfmon_find() bumps the perfmon’s reference count, but v3d_perfmon_set_global_ioctl() and v3d_perfmon_delete() fail to release that reference on several paths, causing leak...

CVE-2026-53141

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix global performance monitor reference counting In the SETGLOBAL ioctl, v3dperfmonfind bumps the reference count on the perfmon it returns, but v3dperfmonsetglobalioctl and v3dperfmondelete fail to release that referen...

EUVD-2026-38847

In the Linux kernel, the following vulnerability has been resolved: net: psp: check for device unregister when creating assoc pspassocdevicegetlocked obtains a pspdev reference via pspdevgetforsock which uses pspdevtryget under RCU; it then acquires psd-lock and drops the reference. Before the lo...

EUVD-2026-38838

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftct: fix missing expect put in obj eval nftctexpectobjeval allocates an expectation and may call nfctexpectrelated, but never drops its local reference. Add nfctexpectputexp before return to balance allocation...

CVE-2026-53085 bpf: fix mm lifecycle in open-coded task_vma iterator

In the Linux kernel, the following vulnerability has been resolved: bpf: fix mm lifecycle in open-coded taskvma iterator The open-coded taskvma iterator reads task-mm locklessly and acquires mmapreadtrylock but never calls mmget. If the task exits concurrently, the mmstruct can be freed as it is...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: Thunderbolt: Fixed a use-after-free in tbdpdprxwork. The original code relied on canceldelayedwork in tbdpdprxstop, which does not ensure that the delayed work item tunnel-dprxwork has fully completed if it was already running...

Astra Linux – Vulnerability found in Linux 6.1, Linux 5.10, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: smb: Client side – fixed a potential deadlock that could occur when releasing mids. All callers of releasemid seem to hold a reference to @mid; therefore, there is no need to call krefput&mid-refcount, releasemid under...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: cachefiles: All requests are flushed after setting CACHEFILESDEAD. In ondemand mode, when the daemon is processing an open request, if the kernel marks the cache as CACHEFILESDEAD, the cachefilesdaemonwrite function will always...