CVE-2026-46099

The CVE-2026-46099 entry describes a use-after-free race in Linux kernel IPv6 handling for seg6 and rpl lightweight tunnels. A NOREF destination cached during ip6_route_input() can be freed by a concurrent FIB lookup on a shared nexthop under PREEMPT_RT, leading to a WARN or potential instability...

CVE-2026-46049

In the Linux kernel, ALSA ctxfi fixes a S/PDIF resource calculation: spdif_passthru_playback_get_resources() used atc->pll_rate as the RSR, but pll_rate is only set in atc_pll_init, not hw_pll_init, so it can remain 0 after card init. If spdif_passthru_playback_setup() skips atc_pll_init() (e....

CVE-2026-46048

The CVE-2026-46048 issue is in the Linux kernel ALSA caiaq driver. The bug caused a usb_dev reference leak when probe failed because private_free was assigned only later in init_card(), after several failure points. If init_card() returned early, snd_card_free(card) ran without a matching private...

CVE-2026-46048 ALSA: caiaq: fix usb_dev refcount leak on probe failure

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usbdev refcount leak on probe failure createcard takes a reference on the USB device with usbgetdev and stores the matching usbputdev in cardfree, which is installed as the sndcard's -privatefree destructor...

CVE-2026-46048

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usbdev refcount leak on probe failure createcard takes a reference on the USB device with usbgetdev and stores the matching usbputdev in cardfree, which is installed as the sndcard's -privatefree destructor...

EUVD-2026-32430

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usbdev refcount leak on probe failure createcard takes a reference on the USB device with usbgetdev and stores the matching usbputdev in cardfree, which is installed as the sndcard's -privatefree destructor...

CVE-2026-46048

In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usbdev refcount leak on probe failure createcard takes a reference on the USB device with usbgetdev and stores the matching usbputdev in cardfree, which is installed as the sndcard's -privatefree destructor...

EUVD-2026-32428

In the Linux kernel, the following vulnerability has been resolved: ext4: fix missing brelse in ext4xattrinodedecrefall The commit c8e008b60492 "ext4: ignore xattrs past end" introduced a refcount leak in when blockcsum is false. ext4xattrinodedecrefall calls ext4getinodeloc to get iloc.bh, but...

CVE-2026-46005

The vulnerability CVE-2026-46005 affects the Linux kernel, specifically the XFS code path in xfs_alloc_buftarg(). In the error path, the DAX device reference may not be dropped, causing a resource leak. The fix adds a call to fs_put_dax() to drop the DAX reference, mitigating the leak. References...

EUVD-2026-32302

In the Linux kernel, the following vulnerability has been resolved: xfs: fix a resource leak in xfsallocbuftarg In the error path, call fsputdax to drop the DAX device reference...

CVE-2026-45997 scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails

In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing putdisk when deviceadd&diskdev fails If deviceadd&sdkp-diskdev fails, putdevice runs scsidiskrelease, which frees the scsidisk but leaves the gendisk referenced. The deviceadddisk error path in sdprobe calls...

CVE-2026-45996 spi: imx: fix use-after-free on unbind

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration unless the allocation is device managed. Take another reference before deregistering...

EUVD-2026-32292

In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration unless the allocation is device managed. Take another reference before deregistering...

CVE-2026-45996

The CVE-2026-45996 issue affects the Linux kernel SPI imx driver, where a use-after-free can occur on unbind because the SPI subsystem frees controller and subsystem data during deregistration unless the allocation is device-managed. The fix adds a reference before deregistering the controller so...

CVE-2026-45989

In the Linux kernel CVE-2026-45989, a use-after-free occurs in testdrv_probe() where a released device_node (via of_node_put) may later be passed to of_platform_default_populate(), risking use-after-free of the freed pointer. The root cause is that pdev->dev.of_node is owned by the device mode...

CVE-2026-45984 gfs2: Fix use-after-free in iomap inline data write path

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head dibh is being released prematurely in gfs2iomapbegin via releasemetapath while iomap-inlinedata still points to dibh-bdata. This causes a...

CVE-2026-45981

In CVE-2026-45981, the Linux kernel s390/cio path css_alloc_subchannel() calls device_initialize() before configuring DMA masks. If dma_set_coherent_mask() or dma_set_mask() fails, the error path frees the subchannel directly, bypassing the device model reference counting. After device_initialize...

CVE-2026-45964 SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gssauth kref leak in gssallocmsg error path Commit 5940d1cf9f42 "SUNRPC: Rebalance a kref in authgss.c" added a krefget&gssauth-kref call to balance the gssputauth done in gssreleasemsg, but forgot to add a...

CVE-2026-45955 md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout

In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpuref not resurrected on suspend timeout When llbitmapsuspendtimeout times out waiting for percpuref to become zero, it returns -ETIMEDOUT without resurrecting the percpuref. The caller mdllbitmapdaemonfn...

CVE-2026-45955

Summary (CVE-2026-45955): In the Linux kernel, the md/md-llbitmap path suffers a logic error where llbitmap_suspend_timeout() times out waiting for percpu_ref to reach zero and returns -ETIMEDOUT without resurrecting percpu_ref. This leaves the page control structure in a killed state, potentiall...