1450 matches found
CVE-2026-10673
The CVE-2026-10673 affects the Zephyr ADIN2111/ADIN1110 Ethernet driver (drivers/ethernet/eth_adin2111.c) in OA SPI mode. The code reassembles frames by copying device-supplied 64-byte chunks into a fixed buffer (CONFIG_ETH_ADIN2111_BUFFER_SIZE, default 1524) without verifying that the write curs...
kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result
A flaw was found in the Linux kernel's Wi-Fi mac80211 subsystem. The ieee80211invokefastrx function uses a static variable for rxresult, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly...
CVE-2026-9263 Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memory into host HCI ISO packets
The Zephyr Bluetooth controller ISO Adaptation Layer subsys/bluetooth/controller/llsw/isoal.c fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment sc=0 always carries a 3-byte timeoffset, so its segment-header len must be at least...
Linux Distros Unpatched Vulnerability : CVE-2026-53298
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - net: airoha: Move ndesc initialization at end of airohaqdmainitrxqueue If queue entry or DMA descriptor list allocation fails in airohaqdmainitrxqueue routine,...
CVE-2026-10644 Out-of-bounds write in Microchip SERCOM-G1 (PIC32CM-JH) async UART RX with 1-byte buffer
The Microchip SERCOM-G1 UART driver drivers/serial/uartmchpsercomg1.c, used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous DMA receive path. When uartrxenable is invoked with a one-byte receive buffer len == 1 and CONFIGUARTMCHPASYNC is enabled, the RX-complete...
net: mvpp2: refill RX buffers before XDP or skb use
...
drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
...
DEBIAN-CVE-2026-53294
In the Linux kernel, the following vulnerability has been resolved: mailbox: mailbox-test: don't free the reused channel The RX channel can be aliased to the TX channel if it has a different MMIO. This special case needs to be handled when freeing the channels otherwise a double-free occurs...
CVE-2026-53298
In CVE-2026-53298, the Linux kernel airoha network driver is affected by a race in initialization: ndesc is initialized too early in airoha_qdma_init_rx_queue(), causing a NULL pointer dereference during cleanup if allocation fails. The documented fix moves ndesc initialization to the end of airo...
CVE-2026-53298 net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airohaqdmainitrxqueue If queue entry or DMA descriptor list allocation fails in airohaqdmainitrxqueue routine, airohaqdmacleanup will trigger a NULL pointer dereference running...
SUSE CVE-2026-53215
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2rxrefill can fail after the...
CVE-2026-53215
A flaw was found in the Linux kernel's mvpp2 network driver. This vulnerability occurs due to incorrect handling of receive RX buffers, where a buffer is returned to the hardware Buffer Manager BM pool after it has been passed to the eXpress Data Path XDP or attached to a socket buffer skb. This...
Oracle Linux 9 : kernel (ELSA-2026-27789)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-27789 advisory. - net/sched: fix pedit partial COW leading to page cache corruption Ivan Vecera RHEL-177392 CVE-2026-46331 - scsi: qla2xxx: Completely fix fcport doub...
PT-2026-52937
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A NULL pointer dereference occurs in the airoha qdma init rx queue function when queue entry or DMA descriptor list allocation fails. This happens because the ndesc variable is initializ...
kernel: RDMA/mana: Validate rx_hash_key_len
A flaw was found in the Linux kernel's RDMA/mana component. A local user could exploit this vulnerability by providing an invalid rxhashkeylen value through a user-space API uAPI structure. This invalid value is then used in a memcpy operation without proper bounds checking, allowing the user to...
CVE-2026-13351
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer allocated from a memory...
RLSA-2026:27789 Important: kernel security, bug fix, and enhancement update
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: can: isotp: fix tx.buf use-after-free in isotpsendmsg CVE-2026-31474 kernel: mptcp: fix slab-use-after-free in inetlookupestablished CVE-2026-31669 kernel: xen/privcmd: fix double free vi...
SUSE-SU-2026:2630-1 Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP5 RT kernel was updated to fix various security issues The following security issues were fixed: - CVE-2025-10263: arm64: errata: Mitigate TLBI errata on various Arm CPUs bsc1266290. - CVE-2025-68324: scsi: imm: Fix use-after-free bug caused by unfinished delayed wo...
CVE-2026-53233
In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdevnlbindrxdoit Sashiko flags that genlmsgreply always consumes the skb. The error path calls nlmsgfreersp so we can't jump directly to it. Let's not unbind, just propagate the error to the user. Thi...
CVE-2026-53216
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGESIZE. The XDP path nevertheless initializes every xdpbuff with PAGESIZE as frame size. XDP helper...