6068 matches found
CVE-2026-53218
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftexthdr: fix register tracking for FPRESENT flag nftexthdrinit passes user-controlled priv-len to nftparseregisterstore, which marks that many bytes in the register bitmap as initialized. However, when...
CVE-2026-53218
CVE-2026-53218 affects the Linux kernel netfilter nft_exthdr path. The root cause is a mismatch in register initialization: nft_exthdr_init() passes priv->len to nft_parse_register_store(), which marks that many bytes as initialized, but when NFT_EXTHDR_F_PRESENT is set the eval paths write on...
CVE-2026-53211
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftmetabridge: fix stale stack leak via IIFHWADDR register NFTMETABRIIIFHWADDR declares its destination register with len = ETHALEN 6 bytes, which the register-init tracking rounds up to two 32-bit registers 8 bytes...
CVE-2026-53211
CVE-2026-53211 (Linux kernel netfilter nft_meta_bridge) : The NFT_META_BRI_IIFHWADDR destination register is declared as 6 bytes but tracked as two 32-bit registers (8 bytes). In nft_meta_bridge_get_eval(), a memcpy writes 6 bytes of br_dev->dev_addr, leaving the upper 2 bytes of the second re...
CVE-2026-53211
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftmetabridge: fix stale stack leak via IIFHWADDR register NFTMETABRIIIFHWADDR declares its destination register with len = ETHALEN 6 bytes, which the register-init tracking rounds up to two 32-bit registers 8 bytes...
CVE-2026-53210
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in registershmhelper registershmhelper allocates shm before calling ioviternpages. If ioviternpages returns 0, the function jumps to errctxput and leaks shm. This can be triggered by TEEIOCSHMREGISTER with...
EUVD-2026-39301
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in registershmhelper registershmhelper allocates shm before calling ioviternpages. If ioviternpages returns 0, the function jumps to errctxput and leaks shm. This can be triggered by TEEIOCSHMREGISTER with...
CVE-2026-53210
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in registershmhelper registershmhelper allocates shm before calling ioviternpages. If ioviternpages returns 0, the function jumps to errctxput and leaks shm. This can be triggered by TEEIOCSHMREGISTER with...
CVE-2026-53210
The CVE-2026-53210 issue is in the Linux kernel’s Trusted Execution Environment (TEE) subsystem. A shm leak occurs in register_shm_helper() when TEE_IOC_SHM_REGISTER registers a zero-length shared memory, because shm is allocated before iov_iter_npages() and not freed if it returns 0; the code pa...
EUVD-2026-39283
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at sndtimeruserparams At releasing a timer object, e.g. when a userspace timer CONFIGSNDUTIMER gets closed and sndtimerfree is called, it tries to detach the timer instances and release the resources. However...
CVE-2026-53192
CVE-2026-53192 — Linux kernel ALSA timer UAF fix The vulnerability affects the ALSA timer path (snd_timer_user_params) in the Linux kernel. A race can occur during timer object release when a concurrent SNDRV_TIMER_IOCTL_PARAMS ioctl is in flight, potentially leading to a use-after-free if anothe...
CVE-2026-53192 ALSA: timer: Fix UAF at snd_timer_user_params()
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at sndtimeruserparams At releasing a timer object, e.g. when a userspace timer CONFIGSNDUTIMER gets closed and sndtimerfree is called, it tries to detach the timer instances and release the resources. However...
CVE-2026-53136
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Why & How The VBIOS integrated info tables v111 and v21 contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C...
CVE-2026-53136
The CVE pertains to the Linux kernel driver drm/amd/display. A malformed VBIOS can set HdmiRegNum/Hdmi6GRegNum to values up to 255, used as loop bounds when copying retimer I2C settings into fixed-size arrays, causing an out-of-bounds heap write during driver probe. The fix clamps each register c...
CVE-2026-53136
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Clamp VBIOS HDMI retimer register count to array size Why & How The VBIOS integrated info tables v111 and v21 contain HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C...
CVE-2026-53134
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftfib: fix stale stack leak via the OIFNAME register For NFTFIBRESULTOIFNAME the destination register is declared with len = IFNAMSIZ four 32-bit registers, but on the lookup-fail, RTNLOCAL and oif-mismatch paths...
EUVD-2026-38900
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in mapkptrmatchtype for scalar regs Commit ab6c637ad027 "bpf: Fix a bpfkptrxchg issue with local kptr" refactored mapkptrmatchtype to branch on btfiskernel before checking basetype. A scalar register stored in...
EUVD-2026-38999
Missing Authentication for Critical Function CWE-306 in the RegisterView apps/accounts/views.py, exposed at POST /api/auth/register/, in MailerUp 1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, becaus...
CVE-2026-53092
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when srcreg == dstreg Consider the case of rX += rX where srcreg and dstreg are pointers to the same bpfregstate in adjustregminmaxvals. The latter first modifies the dstreg in-place, and later ...
CVE-2026-53078
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix same-register dst/src OOB read and pointer leak in sockops When a BPF sockops program accesses ctx fields with dstreg == srcreg, the SOCKOPSGETSK and SOCKOPSGETFIELD macros fail to zero the destination register in the...