CVE-2026-43206

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfdeventpageset The kfdeventpageset function writes KFDSIGNALEVENTLIMIT 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of...

CVE-2026-43163

In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in writepage caused by resize race A General Protection Fault occurs in writepage during array resize: RIP: 0010:writepage+0x22b/0x3c0 mdmod This is a use-after-free race between bitmapdaemonwork and...

Security update for erlang

This update for erlang fixes the following issues: CVE-2026-21620: remote arbitrary read/write via TFTP relative path traversal bsc1258663. CVE-2026-23941: HTTP Request Smuggling in Erlang OTP bsc1259687. CVE-2026-23942: path traversal vulnerability in Erlang OTP bsc1259681. CVE-2026-23943: denia...

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities KEV Catalog, based on evidence of active exploitation. CVE-2026-0300link is external Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber...

CVE-2026-43256

In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds access in vfeisrregupdate vfeisr iterates using MSMVFEIMAGEMASTERSNUM7 as the loop bound and passes the index to vfeisrregupdate. However, vfe-line array is defined with VFELINENUMMAX4:...

CVE-2026-43256 media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds access in vfeisrregupdate vfeisr iterates using MSMVFEIMAGEMASTERSNUM7 as the loop bound and passes the index to vfeisrregupdate. However, vfe-line array is defined with VFELINENUMMAX4:...

CVE-2026-43223

CVE-2026-43223 concerns the Linux kernel media driver pvrusb2. The issue arises when pvr2_send_request_ex() submits a write URB and, if the subsequent read URB submission fails (e.g., due to -ENOMEM), returns early without waiting for the write to complete. Because the same URB structure is reuse...

CVE-2026-43216

In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skbmaytxtimestamp skbmaytxtimestamp may acquire sock::skcallbacklock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and comple...

CVE-2026-43216 net: Drop the lock in skb_may_tx_timestamp()

In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skbmaytxtimestamp skbmaytxtimestamp may acquire sock::skcallbacklock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and comple...

CVE-2026-43206

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfdeventpageset The kfdeventpageset function writes KFDSIGNALEVENTLIMIT 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of...

CVE-2026-43206

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfdeventpageset The kfdeventpageset function writes KFDSIGNALEVENTLIMIT 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of...

CVE-2026-43205

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate numifs to prevent out-of-bounds write The driver obtains swattr.numifs from firmware via dpswgetattributes but never validates it against DPSWMAXIF 64. This value controls iteration in...

CVE-2026-43163

Impact: Linux kernel md/bitmap component vulnerable to a use-after-free race during array resize, causing a General Protection Fault in write_page. Root cause: concurrent access to bitmap->storage.filemap between bitmap_daemon_work() and __bitmap_resize(), with md_bitmap_file_unmap() freeing s...

CVE-2026-43163 md/bitmap: fix GPF in write_page caused by resize race

In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in writepage caused by resize race A General Protection Fault occurs in writepage during array resize: RIP: 0010:writepage+0x22b/0x3c0 mdmod This is a use-after-free race between bitmapdaemonwork and...

CVE-2026-43119

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: annotate data-races around hdev-reqstatus hcicmdsyncsk sets hdev-reqstatus under hdev-reqlock: hdev-reqstatus = HCIREQPEND; However, several other functions read or write hdev-reqstatus without holding any loc...

CVE-2026-43075

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2writeendinline KASAN reports a use-after-free write of 4086 bytes in ocfs2writeendinline, called from ocfs2writeendnolock during a copyfilerange splice fallback on a corrupted ocfs2 filesyst...

CVE-2026-43975

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

CVE-2026-43975

CVE-2026-43975 affects Apache Wicket via the FolderUploadsFileManager, which fails to validate or sanitize the uploadFieldId parameter or the clientFileName when constructing file paths. This can let an unauthenticated attacker write files outside the intended upload directory or read files from ...

kernel: Linux kernel: Denial of service and memory corruption in RDMA umad

A flaw was found in the Linux kernel's Remote Direct Memory Access RDMA umad User Mode Access Device component. A local user can exploit this vulnerability by manipulating input, causing an integer underflow that leads to an out-of-bounds memory write. This memory corruption can result in a denia...

CVE-2026-43119

In CVE-2026-43119, the Linux kernel Bluetooth HCI synchronous command infrastructure has a data race on hdev->req_status: __hci_cmd_sync_sk() updates it under req_lock on one workqueue, while other paths (e.g., hci_send_cmd_sync on a different workqueue, plus hci_cmd_sync_complete/cancel) read...