CVE-2026-45951 bpf: Fix a potential use-after-free of BTF object

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the checkpseudobtfid function is incorrect: the checkpseudobtfid function might get called with a zero refcounted btf. Fix this, and patch related code accordingly...

CVE-2026-45951

The CVE-2026-45951 issue affects the Linux kernel BPF subsystem, caused by incorrect reference counting in check_pseudo_btf_id() that could cause a use-after-free of a BTF object. The mitigation is a kernel patch that fixes the refcount handling (and related code). RedHat notes potential privileg...

CVE-2026-45931 accel/amdxdna: Hold mm structure across iommu_sva_unbind_device()

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommusvaunbinddevice Some tests trigger a crash in iommusvaunbinddevice due to accessing iommumm after the associated mm structure has been freed. Fix this by taking an explicit reference t...

CVE-2026-45931

The CVE-2026-45931 issue affects the Linux kernel’s accel/amdxdna module. A crash can occur in iommu_sva_unbind_device() when it accesses iommu_mm after the associated mm structure has been freed. The fix is to take an explicit reference to the mm structure after successfully binding the device a...

CVE-2026-45925

In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermalofcmlookup In thermalofcmlookup, trnp is obtained via ofparsephandle, but never released. Use the freedevicenode cleanup attribute to automatically release the node and fix the leak. rjw:...

CVE-2026-45925

The CVE pertains to the Linux kernel thermal subsystem. In thermal_of_cm_lookup(), a reference leak occurs because tr_np is obtained via of_parse_phandle() but not released. The fix uses the __free(device_node) cleanup attribute to automatically release the node and close the leak. The connected/...

CVE-2026-45925 thermal/of: Fix reference leak in thermal_of_cm_lookup()

In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermalofcmlookup In thermalofcmlookup, trnp is obtained via ofparsephandle, but never released. Use the freedevicenode cleanup attribute to automatically release the node and fix the leak. rjw:...

CVE-2026-45910

The CVE-2026-45910 issue affects the Linux kernel RDMA/rxe driver, caused by a race between retransmit_timer() and rxe_destroy_qp that can drop a Queue Pair (QP) reference count to zero during timer handling. Public documents describe a use-after-free risk and refcount underflow in affected flows...

CVE-2026-45880 PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails

In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Release per-CPU pgmap ref when vminsertpage fails When vminsertpage fails in p2pmemallocmmap, p2pmemallocmmap doesn't invoke percpurefput to free the per-CPU ref of pgmap acquired after genpoolallocowner, and...

CVE-2026-45880

The CVE-2026-45880 entry concerns the Linux kernel PCI/P2PDMA path. When vm_insert_page() fails inside p2pmem_alloc_mmap(), the code path does not call percpu_ref_put() to release the per-CPU reference of the pgmap acquired after gen_pool_alloc_owner(). As a result, memunmap_pages() can hang inde...

CVE-2026-45874

The CVE-2026-45874 entry concerns the Linux kernel component for Freescale IMX8QM HSIO. The vulnerability arises when probing the driver: the refclk_pad pointer may be NULL if the device tree property fsl,refclk-pad-mode is not defined, yet imx_hsio_configure_clk_pad() uses this pointer unconditi...

CVE-2026-45866

The CVE-2026-45866 issue is a use-after-free in caif_serial within the Linux kernel where handle_tx() may access ser->tty after the tty is freed due to tty_kref_put() occurring in ldisc_close() while the network device is still active. The race between ldisc_close() and packet transmission can...

CVE-2026-45866 serial: caif: fix use-after-free in caif_serial ldisc_close()

In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caifserial ldiscclose There is a use-after-free bug in caifserial where handletx may access ser-tty after the tty has been freed. The race condition occurs between ldiscclose and packet...

Hunting-Bugs

2026 Practical Bug Bounty Guide Built on real-world experie...

CVE-2026-42725

CVE-2026-42725 describes an Insecure Direct Object References (IDOR) vulnerability in the WordPress plugin Checkout Files Upload for WooCommerce (versions

CVE-2026-42736 WordPress BP Better Messages plugin <= 2.14.16 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through = 2.14.16...

CVE-2026-8707

The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to 1.2.4 due to insufficient input sanitization and output escaping. Affected: WordPress plugin NS Product icon badge; vulnerable component: code handling user input/outp...

CVE-2025-14481

The CVE concerns the WordPress Yoast SEO plugin (versions up to and including 26.5). The root cause is insufficient authorization checks in the Meta Search REST API endpoint, which fails to verify post ownership. This allows authenticated attackers with Contributor-level access or higher to read ...

CVE-2025-14481 Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

CVE-2025-14481 Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...