21545 matches found
CVE-2026-31663 xfrm: hold dev ref until after transport_finish NF_HOOK
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transportfinish NFHOOK After async crypto completes, xfrminputresume calls devput immediately on re-entry before the skb reaches transportfinish. The skb-dev pointer is then used inside NFHOOK and i...
CVE-2026-31663
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transportfinish NFHOOK After async crypto completes, xfrminputresume calls devput immediately on re-entry before the skb reaches transportfinish. The skb-dev pointer is then used inside NFHOOK and i...
EUVD-2026-25556
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transportfinish NFHOOK After async crypto completes, xfrminputresume calls devput immediately on re-entry before the skb reaches transportfinish. The skb-dev pointer is then used inside NFHOOK and i...
CVE-2026-31657 batman-adv: hold claim backbone gateways by reference
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadvblaaddclaim can replace claim-backbonegw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences...
CVE-2026-31657
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadvblaaddclaim can replace claim-backbonegw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences...
EUVD-2026-25550
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadvblaaddclaim can replace claim-backbonegw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences...
CVE-2026-31657
CVE-2026-31657 affects the Linux kernel batman-adv component. The flaw arises when batman-adv’s batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway’s final reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_g...
CVE-2026-31657
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadvblaaddclaim can replace claim-backbonegw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences...
CVE-2026-31639 rxrpc: Fix key reference count leak from call->key
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by...
CVE-2026-31638 rxrpc: Only put the call ref if one was acquired
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpcinputpacketonconn can process a to-client packet after the current client call on the channel has already been torn down. In that case chan-call is NULL, rxrpctrygetcall retur...
CVE-2026-31638
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpcinputpacketonconn can process a to-client packet after the current client call on the channel has already been torn down. In that case chan-call is NULL, rxrpctrygetcall retur...
EUVD-2026-25531
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpcinputpacketonconn can process a to-client packet after the current client call on the channel has already been torn down. In that case chan-call is NULL, rxrpctrygetcall retur...
CVE-2026-31639
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by...
CVE-2026-31638
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpcinputpacketonconn can process a to-client packet after the current client call on the channel has already been torn down. In that case chan-call is NULL, rxrpctrygetcall retur...
EUVD-2026-25532
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by...
CVE-2026-31639
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix key reference count leak from call-key When creating a client call in rxrpcallocclientcall, the code obtains a reference to the key. This is never cleaned up and gets leaked when the call is destroyed. Fix this by...
CVE-2026-31638
The CVE-2026-31638 issue affects the Linux kernel rxrpc subsystem. When a client call on a channel has already been torn down, rxrpc_input_packet_on_conn() could still process a to-client packet; rxrpc_try_get_call() could return NULL and there would be no reference to drop. The code path then un...
CVE-2026-31634
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpcserverkeyring This patch fixes a reference count leak in rxrpcserverkeyring by checking if rx-securities is already set...
EUVD-2026-25527
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpcserverkeyring This patch fixes a reference count leak in rxrpcserverkeyring by checking if rx-securities is already set...
CVE-2026-31634
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpcserverkeyring This patch fixes a reference count leak in rxrpcserverkeyring by checking if rx-securities is already set...