363627 matches found
CVE-2026-53216 net: mvpp2: limit XDP frame size to the RX buffer
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: limit XDP frame size to the RX buffer mvpp2 has short and long BM pools, and short pool buffers can be smaller than PAGESIZE. The XDP path nevertheless initializes every xdpbuff with PAGESIZE as frame size. XDP helper...
CVE-2026-53215 net: mvpp2: refill RX buffers before XDP or skb use
In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: refill RX buffers before XDP or skb use The RX error path returns the current descriptor buffer to the hardware BM pool. That is only valid while the driver still owns the buffer. mvpp2rxrefill can fail after the...
CVE-2026-53214 ipv6: Fix a potential NPD in cleanup_prefix_route()
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix a potential NPD in cleanupprefixroute addrconfgetprefixroute can return the fib6nullentry sentinel entry which has a NULL fib6table pointer. Therefore, before setting the route's expiration time, check that we are not...
CVE-2026-53213 drm/vc4: fix krealloc() memory leak
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: fix krealloc memory leak Don't just overwrite the original pointer passed to krealloc with its return value without checking latter: MEM = kreallocMEM, SZ, GFP; If krealloc returns NULL, that erases the pointer to the...
CVE-2026-53212 netfilter: nft_tunnel: fix use-after-free on object destroy
In the Linux kernel, the following vulnerability has been resolved: netfilter: nfttunnel: fix use-after-free on object destroy nfttunnelobjdestroy calls metadatadstfree which directly kfrees the metadatadst, ignoring the dstentry refcount. Packets that took a reference via dsthold in...
CVE-2026-53211 netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftmetabridge: fix stale stack leak via IIFHWADDR register NFTMETABRIIIFHWADDR declares its destination register with len = ETHALEN 6 bytes, which the register-init tracking rounds up to two 32-bit registers 8 bytes...
CVE-2026-53210 tee: shm: fix shm leak in register_shm_helper()
In the Linux kernel, the following vulnerability has been resolved: tee: shm: fix shm leak in registershmhelper registershmhelper allocates shm before calling ioviternpages. If ioviternpages returns 0, the function jumps to errctxput and leaks shm. This can be triggered by TEEIOCSHMREGISTER with...
CVE-2026-53209 Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcisync: reject oversized Broadcast Announcement prepend Existing advertising instances can already hold the maximum extended advertising payload. When hciadvbcastannoucement prepends the Broadcast Announcement service...
CVE-2026-53208 Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig net/bluetooth/l2capcore.c:l2capsigchannel accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU MTUsig...
CVE-2026-53207 mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix hugetlblock AA deadlock in gethugepageforhwpoison Two concurrent madviseMADVHWPOISON calls on the same hugetlb page can trigger a recursive spinlock self-deadlock AA deadlock on hugetlblock when racing with...
CVE-2026-53206 accel/ivpu: Add bounds check for firmware runtime memory
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add bounds check for firmware runtime memory Validate that the firmware runtime memory specified in the image header is properly aligned and sized to hold the firmware image. This prevents errors during memory...
CVE-2026-53205 accel/ivpu: Add bounds checks for firmware log indices
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add bounds checks for firmware log indices Add validation that read and write indices in the firmware log buffer are within valid bounds datasize before using them. If out-of-bounds indices are encountered from...
CVE-2026-53204 firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL deref on rsusendmsg timeout in probe rsusendmsg can return -ETIMEDOUT when waitforcompletioninterruptibletimeout fires while the SMC call is still pending. In stratix10rsuprobe, the error paths f...
CVE-2026-53203 accel/ivpu: Add buffer overflow check in MS get_info_ioctl
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Add buffer overflow check in MS getinfoioctl Add validation that the info size returned from the metric stream info query is not exceeded when checked against the allocated buffer size. If the firmware returns a size...
CVE-2026-53202 accel/ivpu: Fix signed integer truncation in IPC receive
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix signed integer truncation in IPC receive Fix potential buffer overflow where firmware-supplied datasize is cast to signed int before being used in mint. Large unsigned values = 0x80000000 become negative, causing...
CVE-2026-53201 Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"
In the Linux kernel, the following vulnerability has been resolved: Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend" This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6. The idle-skip optimization bypasses GuC suspend, so the GPU may not perform the contex...
CVE-2026-53199 hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
In the Linux kernel, the following vulnerability has been resolved: hvnetvsc: use kmaplocalpage in netvsccopytosendbuf netvsccopytosendbuf copies page buffer entries into the VMBus send buffer using phystovirt on the entry PFN. Entries for the RNDIS header and the skb linear data come from...
CVE-2026-53200 KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: nv: Fix handling of XN0 when !FEATXNX XN has already been extracted from its bitfield position so using FIELDPREP on the mask that clears XN0 is completely broken, having the effect of unconditionally granting execute...
CVE-2026-53198 ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of a deferred filelock on double SMB2CANCEL A deferred byte-range lock an SMB2LOCK that blocks registers an async work on conn-asyncrequests via setupasyncwork, with cancelfn = smb2removeblockedlock and...
CVE-2026-53197 xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs: fix ABBA deadlock in iptfsdestroystate iptfsdestroystate calls hrtimercancel while holding a spinlock that the timer callback also acquires, leading to an ABBA deadlock on SMP systems. For the output timer iptfstimer...
CVE-2026-53196 USB: serial: io_ti: fix heap overflow in get_manuf_info()
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in getmanufinfo getmanufinfo reads le16tocpuromdesc-Size bytes from the device I2C EEPROM into a buffer allocated with kmallocobj, which is sizeofstruct edgetimanufdescriptor = 10 bytes. The...
CVE-2026-53194 USB: serial: kl5kusb105: fix bulk-out buffer overflow
In the Linux kernel, the following vulnerability has been resolved: USB: serial: kl5kusb105: fix bulk-out buffer overflow klsi105preparewritebuffer is called by the generic write path with the bulk-out buffer and its size bulkoutsize, 64 bytes. It stores a two-byte length header at the start of t...
CVE-2026-53195 USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
In the Linux kernel, the following vulnerability has been resolved: USB: serial: ioti: fix heap overflow in buildi2cfwhdr buildi2cfwhdr allocates a fixed-size buffer of 161024 - 512 + sizeofstruct tii2cfirmwarerec bytes, then copies le16tocpuimgheader-Length bytes into it without validating that...
CVE-2026-53193 ALSA: timer: Forcibly close timer instances at closing
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Forcibly close timer instances at closing When sndtimer object is freed via sndtimerfree and still pending sndtimerinstance objects are assigned to the timer object, it tries to unlink all instances and just set NULL...
CVE-2026-53191 io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
In the Linux kernel, the following vulnerability has been resolved: iouring/net: inherit IORINGCQEFBUFMORE across bundle recv retries When a bundle recv retries inside iorecvfinish, the merge logic OR the saved cflags from the previous iteration with the cflags returned by the new iteration: cfla...
CVE-2026-53192 ALSA: timer: Fix UAF at snd_timer_user_params()
In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Fix UAF at sndtimeruserparams At releasing a timer object, e.g. when a userspace timer CONFIGSNDUTIMER gets closed and sndtimerfree is called, it tries to detach the timer instances and release the resources. However...
CVE-2026-53190 drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
In the Linux kernel, the following vulnerability has been resolved: drm/virtio: fix dmafence refcount leak on error in virtiogpudmafencewait dmafenceunwrapforeach internally calls dmafenceunwrapfirst which does cursor-chain = dmafencegethead, taking an extra reference. On normal loop completion,...
CVE-2026-53189 mm/huge_memory: update file PMD counter before folio_put()
In the Linux kernel, the following vulnerability has been resolved: mm/hugememory: update file PMD counter before folioput splithugepmdlocked updates the file/shmem RSS counter after dropping the PMD mapping's folio reference. If folioput drops the last reference, mmcounterfile can later read fre...
CVE-2026-53187 RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate cpuid against nrcpuids in DMAH alloc The cpuid attribute supplied by user space through UVERBSATTRALLOCDMAHCPUID is passed directly to cpumasktestcpu without first verifying that the value is within the valid...
CVE-2026-53188 RDMA/core: Validate the passed in fops for ib_get_ucaps()
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate the passed in fops for ibgetucaps Sashiko pointed out it is not safe to rely only on the devt because char/block alias so if the user finds a block device with the same devt it can masquerade as a ucap cdev fd...
CVE-2026-53186 RDMA/srp: bound SRP_RSP sense copy by the received length
In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: bound SRPRSP sense copy by the received length srpprocessrsp copies sense data from rsp-data + respdatalen, where respdatalen is the full 32-bit value supplied by the SRP target and is never checked against the number o...
CVE-2026-53184 udp: clear skb->dev before running a sockmap verdict
In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...
CVE-2026-53185 zram: fix use-after-free in zram_bvec_write_partial()
In the Linux kernel, the following vulnerability has been resolved: zram: fix use-after-free in zrambvecwritepartial zramreadpage picks the sync or async backing device read path based on whether the parent bio is NULL. zrambvecwritepartial passes its parent bio down, so for ZRAMWB slots the read...
CVE-2026-53183 mptcp: allow subflow rcv wnd to shrink
In the Linux kernel, the following vulnerability has been resolved: mptcp: allow subflow rcv wnd to shrink In MPTCP connection, the window field in the TCP header refers to the MPTCP-level rcvnxt and it's right edge should not move backward. Such constraint is enforced at DSS option generation...
CVE-2026-53182 wifi: nl80211: reject oversized EMA RNR lists
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject oversized EMA RNR lists nl80211parsernrelems stores the parsed element count in a u8-backed cfg80211rnrelems::cnt field and uses that count to size the flexible array allocation. Reject nested...
CVE-2026-53180 timers/migration: Fix livelock in tmigr_handle_remote_up()
In the Linux kernel, the following vulnerability has been resolved: timers/migration: Fix livelock in tmigrhandleremoteup tmigrhandleremotecpu skips timerexpireremote when cpu == smpprocessorid, assuming the local softirq path already handled this CPU's timers. This assumption is wrong because...
CVE-2026-53181 vsock/vmci: fix sk_ack_backlog leak on failed handshake
In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: fix skackbacklog leak on failed handshake When vmcitransportrecvconnectingserver returns an error, vmcitransportrecvlisten calls vsockremovepending but never calls skacceptqremoved. This leaves skackbacklog incremente...
CVE-2026-53179 staging: rtl8723bs: fix buffer over-read in rtw_update_protection
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix buffer over-read in rtwupdateprotection rtwupdateprotection is called with a pointer offset into the ies buffer but the full ielength is passed, causing a potential buffer over-read...
CVE-2026-53178 staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: rtwmlme: add bounds checks before ielength subtraction Add guards to ensure ielength is large enough before subtracting fixed IE offsets to prevent unsigned integer underflow...
CVE-2026-53177 bnxt_en: Fix NULL pointer dereference
In the Linux kernel, the following vulnerability has been resolved: bnxten: Fix NULL pointer dereference PCIe errors detected by a Root Port or Downstream Port cause error recovery services to run on all subordinate devices regardless of administrative state. The .errordetected callback,...
CVE-2026-53175 inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
In the Linux kernel, the following vulnerability has been resolved: inet: frags: fix use-after-free caused by the fqdirpreexit flush On netns teardown, fqdirpreexit walks the fqdir rhashtable and flushes every fragment queue that is not yet complete using inetfragqueueflush. That helper frees all...
CVE-2026-53176 IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than ISERHEADERSLEN In drivers/infiniband/ulp/isert/ibisert.c, isertloginrecvdone computes the login request payload length as wc-bytelen minus ISERHEADERSLEN with no lower bound, and loginreql...
CVE-2026-53174 ovl: keep err zero after successful ovl_cache_get()
In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovlcacheget ovliteratemerged stores PTRERRcache in err before checking ISERRcache. On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot...
CVE-2026-53172 accel/ethosu: fix IFM region index out-of-bounds in command stream parser
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix IFM region index out-of-bounds in command stream parser NPUSETIFMREGION extracts the region index with param & 0x7f, giving a maximum value of 127. However regionsize and outputregion in struct...
CVE-2026-53173 accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate()
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix OOB write in ethosugemcmdstreamcopyandvalidate The command stream parsing loop increments the index variable a second time when a 64-bit command word is encountered bit 14 set, but does not re-check the loop bou...
CVE-2026-53171 accel/ethosu: fix arithmetic issues in dma_length()
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dmalength dmalength derives DMA region usage from command stream values and updates regionsize: len = len + stride0 size0 + stride1 size1 regionsizeregion = max..., len + dma-offset Several...
CVE-2026-53169 accel/ethosu: reject NPU_OP_RESIZE commands from userspace
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject NPUOPRESIZE commands from userspace NPUOPRESIZE is a U85-only command that the driver does not yet implement. The existing WARNON1 placeholder fires unconditionally whenever userspace submits this command via...
CVE-2026-53170 accel/ethosu: reject DMA commands with uninitialized length
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: reject DMA commands with uninitialized length cmdstateinit initializes the command state with memset0xff, leaving dma-len at U64MAX to signal missing setup. The only setter is NPUSETDMA0LEN; if userspace omits this...
CVE-2026-53168 fuse: reject fuse_notify() pagecache ops on directories
In the Linux kernel, the following vulnerability has been resolved: fuse: reject fusenotify pagecache ops on directories The operations FUSENOTIFYSTORE and FUSENOTIFYRETRIEVE allow the FUSE daemon to actively write/read pagecache contents. For directories with FOPENCACHEDIR, the pagecache is used...
CVE-2026-53167 fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
In the Linux kernel, the following vulnerability has been resolved: fuse: limit FUSENOTIFYRETRIEVE to uptodate folios FUSENOTIFYRETRIEVE must be limited to uptodate folios; !uptodate folios can contain uninitialized data. Since FUSENOTIFYRETRIEVE is intended to only return data that is already in...