363619 matches found
CVE-2026-53257 wifi: cfg80211: enforce HE/EHT cap/oper consistency
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: enforce HE/EHT cap/oper consistency Xiang Mei reports that mac80211 could crash if ehtcap is set but ehtoper isn't. Rather than fixing that for the individual users, enforce that both HE/EHT have consistent elemen...
CVE-2026-53258 wifi: fix leak if split 6 GHz scanning fails
In the Linux kernel, the following vulnerability has been resolved: wifi: fix leak if split 6 GHz scanning fails rdev-intscanreq is leaked if cfg80211scan fails. Note that it's supposed to be released at cfg80211scandone but this doesn't happen as rdev-scanreq is NULL at that point, too, leading ...
CVE-2026-53256 Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: hold listener socket in rfcommconnectind rfcommgetsockbychannel scans rfcommsklist under the list lock, but returns the selected listener after dropping that lock without taking a reference. rfcommconnectind th...
CVE-2026-53255 Bluetooth: MGMT: validate advertising TLV before type checks
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: validate advertising TLV before type checks tlvdataisvalid reads each advertising data field length from datai, then inspects datai + 1 for managed EIR types before checking that the current field still fits insi...
CVE-2026-53254 Bluetooth: RFCOMM: validate skb length in MCC handlers
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb-data to protocol-specific structs without validating skb-len first. A malicious remote device can send truncated MCC frames and trigger...
CVE-2026-53253 Bluetooth: bnep: reject short frames before parsing
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: reject short frames before parsing A BNEP peer can send a short BNEP SDU. bneprxframe reads the packet type byte immediately and, for control packets, reads the control opcode and setup UUID-size byte before...
CVE-2026-53251 Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync hcigetroute returns a reference-counted hcidev pointer via hcidevhold. The function exits normally or with an error without ever releasing it...
CVE-2026-53252 Bluetooth: fix memory leak in error path of hci_alloc_dev()
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix memory leak in error path of hciallocdev Early failures in Bluetooth HCI UART configuration leak SRCU percpu memory. When device initialization fails before hciregisterdev completes, the HCIUNREGISTER flag is never...
CVE-2026-53250 xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
In the Linux kernel, the following vulnerability has been resolved: xsk: cache csumstart/csumoffset to fix TOCTOU in xskskbmetadata The TX metadata area resides in the UMEM buffer which is memory-mapped and concurrently writable by userspace. In xskskbmetadata, csumstart and csumoffset are read...
CVE-2026-53249 ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
In the Linux kernel, the following vulnerability has been resolved: ipv4: restrict IPOPTSSRR and IPOPTLSRR options This patch restricts setting Loose Source and Record Route LSRR and Strict Source and Record Route SSRR IP options to users with CAPNETRAW capability. This prevents unprivileged...
CVE-2026-53248 net: airoha: Fix use-after-free in metadata dst teardown
In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix use-after-free in metadata dst teardown airohametadatadstfree runs metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...
CVE-2026-53247 net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown mtkfreedev calls metadatadstfree which frees the metadatadst with kfree immediately, bypassing the RCU grace period. In the RX path, skbdstsetnoref sets a...
CVE-2026-53245 net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
In the Linux kernel, the following vulnerability has been resolved: net/802/mrp: fix vector attribute parsing in mrppduparsevecattr In mrppduparsevecattr, vector attribute events are encoded three per byte and valen tracks the number of events left to process. The parser decrements valen after...
CVE-2026-53246 sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
In the Linux kernel, the following vulnerability has been resolved: sctp: validate cached peer INIT chunk length in COOKIEECHO processing When a listening SCTP server processes a COOKIEECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked b...
CVE-2026-53244 VFS: fix possible failure to unlock in nfsd4_create_file()
In the Linux kernel, the following vulnerability has been resolved: VFS: fix possible failure to unlock in nfsd4createfile atomiccreate in fs/namei.c drops the reference to the dentry when it returns an error. This behaviour was imported into dentrycreate so that it will drop the reference if an...
CVE-2026-53243 rseq: Fix using an uninitialized stack variable in rseq_exit_user_update()
In the Linux kernel, the following vulnerability has been resolved: rseq: Fix using an uninitialized stack variable in rseqexituserupdate There is an bug in which an uninitialized stack variable is used in rseqexituserupdate as reported by syzbot: BUG: KMSAN: kernel-infoleak in rseqsetidsgetcsadd...
CVE-2026-53242 ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
In the Linux kernel, the following vulnerability has been resolved: ALSA: PCM: Fix wait queue list corruption in sndpcmdrain on linked streams sndpcmdrain uses initwaitqueueentry which does not clear entry.prev/next, and addwaitqueue with a conditional removewaitqueue that is skipped when tocheck...
CVE-2026-53241 ALSA: seq: dummy: fix UMP event stack overread
In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: dummy: fix UMP event stack overread The dummy sequencer port forwards events by copying an incoming struct sndseqevent into a stack temporary, rewriting source and destination, and dispatching the temporary to...
CVE-2026-53239 xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix use-after-free on inexact bin in xfrmpolicybyselctx Fix the race by pruning the bin while still holding xfrmpolicylock, before dropping it. Use xfrmpolicyinexactprunebin directly since the lock is already held...
CVE-2026-53240 xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix use-after-free on firstskb in inputprocesspayload inputprocesspayload stores firstskb into xtfs-ranewskb under droplock when starting partial reassembly, then unlocks and breaks out of the processing loop. The...
CVE-2026-53238 netlabel: validate unlabeled address and mask attribute lengths
In the Linux kernel, the following vulnerability has been resolved: netlabel: validate unlabeled address and mask attribute lengths netlblunlabeladdrinfoget used the address attribute length to determine whether the attribute data could be read as an IPv4 or IPv6 address, but did not independentl...
CVE-2026-53236 tcp: restrict SO_ATTACH_FILTER to priv users
In the Linux kernel, the following vulnerability has been resolved: tcp: restrict SOATTACHFILTER to priv users This patch restricts the use of SOATTACHFILTER cBPF on TCP sockets to users with CAPNETADMIN capability. This blocks potential side-channel attack where an unprivileged application...
CVE-2026-53237 gpio: mvebu: fix NULL pointer dereference in suspend/resume
In the Linux kernel, the following vulnerability has been resolved: gpio: mvebu: fix NULL pointer dereference in suspend/resume mvebupwmsuspend and mvebupwmresume are called for all GPIO banks during suspend/resume, but not all banks have PWM functionality. GPIO banks without PWM have mvchip-mvpw...
CVE-2026-53235 net: add pskb_may_pull() to skb_gro_receive_list()
In the Linux kernel, the following vulnerability has been resolved: net: add pskbmaypull to skbgroreceivelist skbgroreceivelist calls skbpullskb, skbgrooffsetskb without first ensuring the data is in the linear area via pskbmaypull. When the skb arrives via napigrofrags, skbheadlen can be 0 all...
CVE-2026-53234 net: ibm: emac: Fix use-after-free during device removal
In the Linux kernel, the following vulnerability has been resolved: net: ibm: emac: Fix use-after-free during device removal The driver was using devmregisternetdev which causes unregisternetdev to be deferred until the devres cleanup phase, which runs after emacremove returns. This creates a...
CVE-2026-53233 netdev: fix double-free in netdev_nl_bind_rx_doit()
In the Linux kernel, the following vulnerability has been resolved: netdev: fix double-free in netdevnlbindrxdoit Sashiko flags that genlmsgreply always consumes the skb. The error path calls nlmsgfreersp so we can't jump directly to it. Let's not unbind, just propagate the error to the user. Thi...
CVE-2026-53232 net: phy: clean the sfp upstream if phy probing fails
In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy probing fails Sashiko reported that we don't call sfpbusdelupstream in the probe failure path, so let's add it, otherwise the sfp-bus is left with a dangling 'upstream' field, that may be...
CVE-2026-53230 net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix slab-out-of-bounds in mlx5querynicvportmaclist mlx5querynicvportmaclist sizes its firmware command buffer using the PF's logmaxcurrentuc/mclist capabilities. When querying a VF vport with a larger configured max via...
CVE-2026-53231 net: phy: don't try to setup PHY-driven SFP cages when using genphy
In the Linux kernel, the following vulnerability has been resolved: net: phy: don't try to setup PHY-driven SFP cages when using genphy We don't have support for PHY-driver SFP cages with the genphy code. On top of that, it was found by sashiko that running sfpbusaddupstream for genphy deadlocks,...
CVE-2026-53229 net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix DMA and xdpframe leak on XDPTX xmit failure In the XSK branch of mlx5exmitxdpbuff, when sq-xmitxdpframe returns false e.g. XDPSQ is full, the function returns without unmapping the DMA address or freeing the...
CVE-2026-53228 ipv6: sit: reload inner IPv6 header after GSO offloads
In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6tunnelxmit caches the inner IPv6 header pointer at function entry and continues using it after iptunnelhandleoffloads. For GSO skbs, iptunnelhandleoffloads calls...
CVE-2026-53227 net: openvswitch: fix possible kfree_skb of ERR_PTR
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible kfreeskb of ERRPTR After the patch in the "Fixes" tag, the allocation of the "reply" skb can happen either before or after locking the ovsmutex. However, error cleanups still follow the classical...
CVE-2026-53226 gpio: rockchip: fix generic IRQ chip leak on remove
In the Linux kernel, the following vulnerability has been resolved: gpio: rockchip: fix generic IRQ chip leak on remove The driver allocates domain generic chips using irqallocdomaingenericchips during probe. However, on driver remove/teardown, the generic chips are not automatically freed when t...
CVE-2026-53224 sctp: validate embedded INIT chunk and address list lengths in cookie
In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctpunpackcookie only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large...
CVE-2026-53225 sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
In the Linux kernel, the following vulnerability has been resolved: sctp: fix uninit-value in sctprcvasconflookup sctprcvasconflookup in net/sctp/input.c only checks that the ASCONF chunk can hold the ADDIP header and a parameter header, then calls af-fromaddrparam, which reads the full address 1...
CVE-2026-53223 net: guard timestamp cmsgs to real error queue skbs
In the Linux kernel, the following vulnerability has been resolved: net: guard timestamp cmsgs to real error queue skbs skbiserrqueue treats PACKETOUTGOING as the sole marker for an skb from skerrorqueue. That assumption is not true for AFPACKET sockets: outgoing packet taps are also delivered to...
CVE-2026-53221 ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
In the Linux kernel, the following vulnerability has been resolved: ip6vti: fix incorrect tunnel matching in vti6tnllookup In vti6tnllookup, when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remot...
CVE-2026-53222 ptp: ocp: fix resource freeing order
In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix resource freeing order Commit a60fc3294a37 "ptp: rework ptpclockunregister to disable events" added a call to ptpdisableallevents which changes the configuration of pins if they support EXTTS events. In ptpocpdetach...
CVE-2026-53220 netfilter: revalidate bridge ports
In the Linux kernel, the following vulnerability has been resolved: netfilter: revalidate bridge ports ebtredirecttg dereferences brportgetrcu return without a NULL check, causing a kernel panic when the bridge port has been removed between the original hook invocation and an NFQUEUE reinject. A...
CVE-2026-53218 netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftexthdr: fix register tracking for FPRESENT flag nftexthdrinit passes user-controlled priv-len to nftparseregisterstore, which marks that many bytes in the register bitmap as initialized. However, when...
CVE-2026-53219 netfilter: x_tables: avoid leaking percpu counter pointers
In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: avoid leaking percpu counter pointers The native and compat get-entries paths copy the fixed rule entry header from the kernelized rule blob to userspace before overwriting the entry's counter fields with a...
CVE-2026-53217 net: mvpp2: sync RX data at the hardware packet offset
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: sync RX data at the hardware packet offset mvpp2 programs the RX queue packet offset, so hardware writes received data at dmaaddr + MVPP2SKBHEADROOM. The current CPU sync starts at dmaaddr and only covers rxbytes +...
CVE-2026-53216 net: mvpp2: limit XDP frame size to the RX buffer
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGESIZE. The XDP path nevertheless initializes every xdpbuff with PAGESIZE as frame size. XDP helper...
CVE-2026-53215 net: mvpp2: refill RX buffers before XDP or skb use
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2rxrefill can fail after the...
CVE-2026-53214 ipv6: Fix a potential NPD in cleanup_prefix_route()
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix a potential NPD in cleanupprefixroute addrconfgetprefixroute can return the fib6nullentry sentinel entry which has a NULL fib6table pointer. Therefore, before setting the route's expiration time, check that we are not...
CVE-2026-53213 drm/vc4: fix krealloc() memory leak
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: fix krealloc memory leak Don't just overwrite the original pointer passed to krealloc with its return value without checking latter: MEM = kreallocMEM, SZ, GFP; If krealloc returns NULL, that erases the pointer to the...
CVE-2026-53212 netfilter: nft_tunnel: fix use-after-free on object destroy
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfttunnel: fix use-after-free on object destroy nfttunnelobjdestroy calls metadatadstfree which directly kfrees the metadatadst, ignoring the dstentry refcount. Packets that took a reference via dsthold in...
CVE-2026-53211 netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftmetabridge: fix stale stack leak via IIFHWADDR register NFTMETABRIIIFHWADDR declares its destination register with len = ETHALEN 6 bytes, which the register-init tracking rounds up to two 32-bit registers 8 bytes...
CVE-2026-53210 tee: shm: fix shm leak in register_shm_helper()
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in registershmhelper registershmhelper allocates shm before calling ioviternpages. If ioviternpages returns 0, the function jumps to errctxput and leaks shm. This can be triggered by TEEIOCSHMREGISTER with...
CVE-2026-53209 Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hciadvbcastannoucement prepends the Broadcast Announcement service...