77679 matches found
CVE-2026-63836
In the Linux kernel, the following vulnerability has been resolved: batman-adv: tpmeter: avoid divide-by-zero for deccwnd The cwnd is always MSS = cwnd = 0x20000000. But the calculation in batadvtpupdatecwnd assumes unsigned 32 bit arithmetics. mss 8 2 / cwnd 8 In case cwnd is actually 0x20000000...
CVE-2026-63834
In the Linux kernel, the following vulnerability has been resolved: batman-adv: tpmeter: restrict number of unacked list entries When the unackedlist is unbound, an attacker could send messages with small lengths and appropriated seqno + gaps to force the receiver to allocate more and more...
CVE-2026-63835
In the Linux kernel, the following vulnerability has been resolved: batman-adv: v: prevent OGM aggregation on disabled hardif When an interface gets disabled, the worker is correctly disabled by batadvhardifdisableinterface - ... - batadvvogmifacedisable. In this process, the skb aggrlist is also...
CVE-2026-63833
In the Linux kernel, the following vulnerability has been resolved: ntfs3: reject direct userspace writes to reserved $LX xattrs NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL permission metadata and reloads them into iuid, igid and imode from ntfsgetwslperm. Because the empty-prefi...
CVE-2026-63832
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: add wcid publish check in mt76staadd Since mt7925macstaadd publishes wcid, add publish check in mt76staadd to avoid reinitializing the wcid-polllist. Found dev-stapolllist corruption when using mt7925 and 7.1-rc4...
CVE-2026-63831
In the Linux kernel, the following vulnerability has been resolved: mac802154: llsec: add skbcowdata before in-place crypto llsecdoencryptunauth, llsecdoencryptauth, llsecdodecryptunauth, and llsecdodecryptauth all perform in-place cryptographic transformations on skb data. They build a scatterli...
CVE-2026-63829
In the Linux kernel, the following vulnerability has been resolved: net: ipgre: require CAPNETADMIN in the device netns for changelink A tunnel changelink operates on at most two netns, devnetdev and the tunnel link netns t-net. They differ once the device is created in or moved to a netns other...
CVE-2026-63830
In the Linux kernel, the following vulnerability has been resolved: net: skmsg: preserve sg.copy across SG transforms The skmsg sg.copy bitmap is part of the scatterlist entry ownership state. A set bit tells skmsgcomputedatapointers not to expose the entry through writable BPF ctx-data. This...
CVE-2026-63828
In the Linux kernel, the following vulnerability has been resolved: apparmor: mediate the implicit connect of TCP fast open sendmsg sendmsg/sendto with MSGFASTOPEN is a combination of connect2 and write2: it opens the connection in the SYN. apparmorsocketsendmsg only checks AAMAYSEND, so a profil...
CVE-2026-63827
In the Linux kernel, the following vulnerability has been resolved: apparmor: fix use-after-free in rawdata dedup loop aareplaceprofiles walks ns-rawdatalist to dedup the incoming policy blob against entries already attached to existing profiles. Per the kernel-doc on struct aaloaddata, list...
CVE-2026-63826
In the Linux kernel, the following vulnerability has been resolved: fbdev: fix use-after-free in storemodes storemodes replaces a framebuffer's modelist with modes from userspace. On success it frees the old modelist with fbdestroymodelist. Two fields still point into that freed list. One pointer...
CVE-2026-63824
In the Linux kernel, the following vulnerability has been resolved: KEYS: fix overflow in keyctlpkeyparamsget2 The length for the internal output buffer is calculated incorrectly, which can result overflow when a too small buffer is provided. Fix the bug by allocating internal output with the siz...
CVE-2026-63825
In the Linux kernel, the following vulnerability has been resolved: gcov: use atomic counter updates to fix concurrent access crashes GCC's GCOV instrumentation can merge global branch counters with loop induction variables as an optimization. In inflatefast, the inner copy loops get transformed ...
CVE-2026-63822
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix warning when unbinding If there is an error during some initialization related to firmware, the buffers dp-txringi.txstatus are released. However this is released again when the device is unbinded ath11kpci, and...
CVE-2026-63823
In the Linux kernel, the following vulnerability has been resolved: keys: Pin requestkeyauth payload in instantiate paths A: requestkey B: KEYCTLINSTANTIATEIOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy...
CVE-2026-63820
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix missing read bio submission on large folio error f2fsreaddatalargefolio can keep a read bio across multiple readahead folios. If a later folio hits an error before any of its blocks are added to the bio, folioinbio is...
CVE-2026-63821
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: fix memory leaks on USB write failures When rtwusbwriteport fails to submit a USB Request Block URB e.g., due to device disconnect or ENOMEM, the completion callback is never executed. Currently, the driver...
CVE-2026-63818
In the Linux kernel, the following vulnerability has been resolved: f2fs: validate orphan inode entry count f2fsrecoverorphaninodes trusts the orphan block entrycount when replaying orphan inodes from the checkpoint pack. A corrupted entrycount larger than F2FSORPHANSPERBLOCK makes the recovery...
CVE-2026-63819
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on f2fsgetnodefoliora kernel BUG at fs/f2fs/file.c:845! Oops: invalid opcode: 0000 1 SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller 0 PREEMPTfull Hardware name: QEMU...
CVE-2026-63817
In the Linux kernel, the following vulnerability has been resolved: f2fs: validate compress cache inode only when enabled F2FSCOMPRESSINO uses NMIsbi-maxnid as the synthetic inode number for the compressed page cache inode. That inode only exists when the compresscache mount option is enabled. Wh...
CVE-2026-63815
In the Linux kernel, the following vulnerability has been resolved: f2fs: bound iinlinexattrsize for non-inline-xattr inodes When the flexibleinlinexattr feature is enabled, doreadinode loads the on-disk iinlinexattrsize unconditionally: if f2fssbhasflexibleinlinexattrsbi fi-iinlinexattrsize =...
CVE-2026-63816
In the Linux kernel, the following vulnerability has been resolved: f2fs: atomic: fix UAF issue on f2fsinodeinfo.atomicinode - ioctlF2FSIOCGARBAGECOLLECTRANGE - shrink - f2fsgc - gcdatasegment - radatablockcowinode - mapping = F2FSIinode-atomicinode-imapping : f2fsiscowfilecowinode is true -...
CVE-2026-63814
In the Linux kernel, the following vulnerability has been resolved: f2fs: validate ACL entry sizes in f2fsaclfromdisk f2fsaclcount only validates the aggregate ACL xattr length. A malformed ACL can still place ACLUSER or ACLGROUP in a slot that only contains struct f2fsaclentryshort bytes, and...
CVE-2026-63813
In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: remove non-uptodate folio from the page cache in movedatablock" This reverts commit 9609dd704725a40cd63d915f2ab6c44248a44598. The kernel panics are keeping to be reported especially when the f2fs partition get almos...
CVE-2026-63811
In the Linux kernel, the following vulnerability has been resolved: f2fs: read COW data with the original inode during atomic write When updating an atomic-write file, f2fswritebegin may read the previously written data back from the COW inode: prepareatomicwritebegin locates the block in the COW...
CVE-2026-63812
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix incorrect FINOEXTENT handling in destroyextentnode When destroyextentnode sets the inode flag FINOEXTENT, it does not reset the length of the largest extent to 0 and update the inode folio. Since modifications to the...
CVE-2026-63810
In the Linux kernel, the following vulnerability has been resolved: block: Avoid mounting the bdev pseudo-filesystem in userspace The bdev pseudo-filesystem is an internal kernel filesystem with which userspace should not interfere. Unregister it so that userspace cannot even attempt to mount it...
CVE-2026-63809
In the Linux kernel, the following vulnerability has been resolved: bpf: use kvfree for replaced sysctl write buffer procsyscallhandler allocates its temporary sysctl buffer with kvzalloc and passes it to cgroupbpfrunfiltersysctl. Since kvzalloc may fall back to vmalloc for large allocations,...
CVE-2026-63808
In the Linux kernel, the following vulnerability has been resolved: exfat: fix potential use-after-free in exfatfinddirentry In exfatfinddirentry, the bufferhead obtained from exfatgetdentry is released with brelsebh before the fall-through TYPEEXTEND branch reads the directory entry through ep...
CVE-2026-63806
In the Linux kernel, the following vulnerability has been resolved: KVM: Replace guest-triggerable BUGON in ioeventfd datamatch with getunaligned Drop a BUGON that has been reachable since it was first added, way back in 2009, and instead use getunaligned to perform potentially-unaligned accesses...
CVE-2026-63807
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level When recovering hugepages in the shadow MMU, verify that the base gfn of the shadow page is actually contained within the target memslot, before queryi...
CVE-2026-63804
In the Linux kernel, the following vulnerability has been resolved: gfs2: fix use-after-free in gfs2qddealloc gfs2qddealloc, called as an RCU callback from gfs2qddispose, accesses the superblock object sdp through qd-qdsbd after freeing qd. It does so to decrement sdquotacount and wake up...
CVE-2026-63805
In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix nxcryptoctxexit argument nxcryptoctxshashexit calls nxcryptoctxexit with cryptoshashctx... but cryptoshashctx gives a nxcryptoctx , not a cryptotfm . Fix the type in nxcryptoctxexit and drop the bogus cryptotfmct...
CVE-2026-63802
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix UAF in blkcgrstatflush When multiple blkgs in the same blkcg are released concurrently, a use-after-free can occur. The race happens when one blkg's blkcgrstatflush removes another blkg's iostat entries via...
CVE-2026-63803
In the Linux kernel, the following vulnerability has been resolved: hdlcppp: sync per-proto timers before freeing hdlc state Each PPP control protocol LCP/IPCP/IPV6CP embedded in struct ppp registers a timer via timersetup. That struct ppp is the hdlc-state allocation, which detachhdlcprotocol...
CVE-2026-63801
In the Linux kernel, the following vulnerability has been resolved: tipc: fix slab-use-after-free Read in tipcaeaddecryptdone tipcaeaddecrypt goes straight from tipcbearerholdb to cryptoaeaddecryptreq without taking a reference on the netns, unlike the encrypt path. When cryptoaeaddecrypt is...
CVE-2026-63800
In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix use-after-free in pnfsupdatelayout When hitting the NFSLAYOUTRETURN branch in pnfsupdatelayout, the code calls pnfspreparetoretrylayoutgetlo. If it succeeds, pnfsputlayouthdrlo is called before tracepnfsupdatelayout,...
CVE-2026-63799
In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Fix OOB clearbit when CID is MMCIDUNSET in fixup path In mmcidfixupcpustotasks, when rq-curr has the target mm and mmcid.active is set, the CID is checked with cidintransit before setting the transition bit. In per-C...
CVE-2026-63798
In the Linux kernel, the following vulnerability has been resolved: irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove The driver allocates domain generic chips using irqallocdomaingenericchips during probe and sets up chained handlers using...
CVE-2026-63797
In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Fix use-after-free on probe error path rpmsgchrdevprobe stores the newly allocated eptdev in the default endpoint's priv pointer before calling rpmsgchrdeveptdevadd. If rpmsgchrdeveptdevadd then fails, its error path...
CVE-2026-63796
In the Linux kernel, the following vulnerability has been resolved: ocfs2: reject oversized group bitmap descriptors ocfs2validategdparent only bounds bgbits against the parent allocator's chain geometry. A malicious descriptor can still claim a bgsize/bgbits pair that exceeds the bitmap bytes th...
CVE-2026-63795
In the Linux kernel, the following vulnerability has been resolved: 9p: avoid putting oldfid in p9clientwalk error path When p9clientwalk is called with clone set to false, fid aliases oldfid. If the walk subsequently fails after the request has been sent, the error path jumps to clunkfid, which...
CVE-2026-63794
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Fix page overflow in sevdbgcrypt for ENCRYPT path In sevdbgcrypt, the per-iteration transfer length is bounded by the source page offset PAGESIZE - soff but not by the destination page offset PAGESIZE - doff. When doff...
CVE-2026-53403
In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fbnewmodelist to prevent null-ptr-deref in fbvideomodetovar info-var, a framebuffer's current mode, is expected to have a matching entry in info-modelist. vartodisplay relies on this and treats a failed fbmatchmode as...
CVE-2026-63793
In the Linux kernel, the following vulnerability has been resolved: ntfs: serialize volume label accesses Protect vol-volumelabel with a mutex and snaphost the label before copytouser. This prevent a use-after-free when FSIOCSETFSLABEL replaces the vol-volumelabel and FSIOCGETTSLABEL reads it...
CVE-2026-53402
In the Linux kernel, the following vulnerability has been resolved: fbdev: fbcon: fix out-of-bounds read in errout of fbcondosetfont When fbcondosetfont fails e.g., due to a memory allocation failure inside vcresize under heavy memory pressure, it jumps to the errout label to roll back the consol...
CVE-2026-53401
In the Linux kernel, the following vulnerability has been resolved: fbdev: omap2: fix use-after-free in omapfbmmap omapfbmmap has a race condition with OMAPFBSETUPPLANE ioctl that can lead to use-after-free: The fbmmap entry point holds mmlock but not lock fbinfo-lock, while ioctl handlers like...
CVE-2026-53399
In the Linux kernel, the following vulnerability has been resolved: nfsd: release layout stid on setlease failure nfs4allocstid publishes the new stid into cl-clstateids via idralloccyclic under cllock before returning to nfsd4alloclayoutstateid. When nfsd4layoutsetlease then fails, the error pat...
CVE-2026-53400
In the Linux kernel, the following vulnerability has been resolved: i2c: core: fix adapter registration race Adapters can be looked up based on their id using i2cgetadapter which takes a reference to the embedded struct device. Make sure that the adapter including its struct device has been...
CVE-2026-53398
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix SECINFONONAME decode error cleanup nfsd4decodesecinfononame currently initializes sinexp after decoding sinstyle. If the XDR stream is truncated, the decoder returns nfserrbadxdr before sinexp is initialized. Since comm...