EUVD-2026-2251

In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asixreadphyaddr. A malicious or faulty device can return an invalid address = PHYMAXADDR, which causes a warning in...

EUVD-2026-2240

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxtre: Fix OOB write in bnxtrecopyerrstats Commit ef56081d1864 "RDMA/bnxtre: RoCE related hardware counters update" added three new counters and placed them after BNXTREOUTOFSEQERR. BNXTREOUTOFSEQERR acts as a boundary mark...

EUVD-2026-2249

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG in pskbexpandhead as part of calipsoskbuffsetattr There exists a kernel oops caused by a BUGONnhead INTMAX i.e. intskbheadroomskb + lendelta skbheadroomskb is meant to ensure that delta = headroom - skbheadroomskb is...

EUVD-2026-2242

In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancelworksync will prevent the work from running which also prevents destroying the...

EUVD-2026-2254

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devmkzalloc in btusb This reverts commit 98921dbd00c4e "Bluetooth: Use devmkzalloc in btusb.c file". In btusbprobe, we use devmkzalloc to allocate the btusb data. This ties the lifetime of all the...

EUVD-2026-2271

In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbdinterrupt schedules lk-tq via schedulework, and the work handler lkkbdreinit dereferences the lkkbd structure and its serio/inputdev fields. lkkbddisconnect and error...

EUVD-2026-2263

In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLKREFCOUNTINIT. Befo...

EUVD-2026-2266

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in etsqdiscchange [email protected] says: The vulnerability is a race condition between etsqdiscdequeue and etsqdiscchange. It leads to UAF on stru...

EUVD-2026-2278

In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one processsuch as udev opens ublk block device e.g., to read the partition table via bdevopen, a deadlock1 can occur: 1. bdevopen grabs disk-openmutex 2. The process issues re...

EUVD-2026-2280

In the Linux kernel, the following vulnerability has been resolved: Input: alps - fix use-after-free bugs caused by dev3registerwork The dev3registerwork delayed work item is initialized within alpsreconnect and scheduled upon receipt of the first bare PS/2 packet from an external PS/2 device...

EUVD-2026-2272

In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 "fuse: allocate ff-releaseargs only if release is needed" skips allocating ff-releaseargs if the server does not implement open. However in doing so, fusepreparerelease now...

EUVD-2026-2302

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbdtreeconnectput under concurrency Under high concurrency, A tree-connection object tcon is freed on a disconnect path while another path still holds a reference and later executes put/write on it...

EUVD-2026-2285

In the Linux kernel, the following vulnerability has been resolved: iouring: fix filename leak in ioopenatprep ioopenatprep allocates a struct filename using getname. However, for the condition of the file being installed in the fixed file table as well as having OCLOEXEC flag set, the function...

EUVD-2026-2306

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in t...

EUVD-2026-2311

In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rcpageoff for memcpy byte offset svcrdmacopyinlinerange added rccurpage page index to the page base instead of the byte offset rcpageoff. Use rcpageoff so copies land within the current page. Found by ZeroPath...

EUVD-2026-2297

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtvchannelsiinit creates a temporary list program, service, event and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through...

EUVD-2026-2295

In the Linux kernel, the following vulnerability has been resolved: ksmbd: vfs: fix race on mflags in vfscache ksmbd maintains delete-on-close and pending-delete state in ksmbdinode-mflags. In vfscache.c this field is accessed under inconsistent locking: some paths read and modify mflags under...

EUVD-2026-2305

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2setea function, which handles Extended Attributes EA, was performing buffer validation checks that incorrectly omitted the size of the null...

EUVD-2026-2303

In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL based on the mode bits and not the...

EUVD-2026-2294

In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOLGSSETINFO for the size, ETHTOOLGSTRINGS for the names, and ETHTOOLGSTATS for the values. If the number of...