363746 matches found
CVE-2026-48731 Warp: Linux external editor command injection
Warp is an agentic development environment. From 0.2024.02.20.08.01.stable01 until 0.2026.05.06.15.42.stable01, Warp contains a command injection issue in the Linux external editor launcher. Warp expanded freedesktop .desktop Exec templates for affected editor integrations and executed the expand...
CVE-2026-48732 Warp: Remote SSH cwd can lead to unauthorized remote command execution
Warp is an agentic development environment. From 0.2023.03.21.08.02.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command injection issue in the legacy SSH background command path. Warp used the remote working directory reported by the session when building helper commands for...
CVE-2026-54686 Warp: DCS lifecycle hook spoofing can alter terminal session metadata
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable00 until 0.2026.05.06.15.42.stable01, Warp accepted certain state-mutating terminal lifecycle hooks from the PTY stream without verifying that the hooks were emitted by Warp's shell integration for the active session. An...
CVE-2026-54699 Warp: OS command injection when opening terminal links from WSL
Warp is an agentic development environment. From 0.2024.03.12.08.02.stable01 until 0.2026.05.06.15.42.stable01, Warp contains an OS command injection vulnerability in the WSL URL-opening fallback. When Warp is running under WSL and cannot open a URL through wslview, it falls back to a Windows...
CVE-2026-48703 Warp: Command Injection via Warp code search tool arguments
Warp is an agentic development environment. From 0.2025.04.09.08.11.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command execution policy bypass in Agent code search tools. The affected Grep and FileGlob actions are authorized as read/search operations, but their implementations...
CVE-2026-48725 Warp may allow terminal output to access the local clipboard through OSC 52
Warp is an agentic development environment. From 0.2021.04.25.23.05.stable00 until 0.2026.05.06.15.42.stable01, Warp allows terminal output to request access to the local system clipboard. A malicious remote host, remote program, or other attacker-controlled terminal output source can trigger...
CVE-2026-55611 AnythingLLM: embed-parsed-file cleanup deletes any parsed file by ID without ownership scoping (cross-tenant IDOR deletion)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...
CVE-2026-48789 AnythingLLM: Windows path containment bypass in document folder route
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...
CVE-2026-49851 Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...
CVE-2026-53130 fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
In the Linux kernel, the following vulnerability has been resolved: fs/omfs: reject ssysblocksize smaller than OMFSDIRSTART omfsfillsuper rejects oversized ssysblocksize values PAGESIZE, but it does not reject values smaller than OMFSDIRSTART 0x1b8 = 440. Later, omfsmakeempty uses sbi-ssysblocksi...
CVE-2026-53129 fs/mbcache: cancel shrink work before destroying the cache
In the Linux kernel, the following vulnerability has been resolved: fs/mbcache: cancel shrink work before destroying the cache mbcachedestroy calls shrinkerfree and then frees all cache entries and the cache itself, but it does not cancel the pending cshrinkwork work item first. If...
CVE-2026-53127 block: fix zones_cond memory leak on zone revalidation error paths
In the Linux kernel, the following vulnerability has been resolved: block: fix zonescond memory leak on zone revalidation error paths When blkrevalidatediskzones fails after diskrevalidatezoneresources has allocated args.zonescond, the memory is leaked because no error path frees it...
CVE-2026-53128 drbd: Balance RCU calls in drbd_adm_dump_devices()
In the Linux kernel, the following vulnerability has been resolved: drbd: Balance RCU calls in drbdadmdumpdevices Make drbdadmdumpdevices call rcureadlock before rcureadunlock is called. This has been detected by the Clang thread-safety analyzer...
CVE-2026-53126 blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix disk reference leak in blkcgmaybethrottlecurrent Add the missing putdisk on the error path in blkcgmaybethrottlecurrent. When blkcg lookup, blkg lookup, or blkgtryget fails, the function jumps to the out label whi...
CVE-2026-53124 ublk: reset per-IO canceled flag on each fetch
In the Linux kernel, the following vulnerability has been resolved: ublk: reset per-IO canceled flag on each fetch If a ublk server starts recovering devices but dies before issuing fetch commands for all IOs, cancellation of the fetch commands that were successfully issued may never complete. Th...
CVE-2026-53125 md: fix array_state=clear sysfs deadlock
In the Linux kernel, the following vulnerability has been resolved: md: fix arraystate=clear sysfs deadlock When "clear" is written to arraystate, mdattrstore breaks sysfs active protection so the array can delete itself from its own sysfs store method. However, mdattrstore currently drops the...
CVE-2026-53123 md: wake raid456 reshape waiters before suspend
In the Linux kernel, the following vulnerability has been resolved: md: wake raid456 reshape waiters before suspend During raid456 reshape, direct IO across the reshape position can sleep in raid5makerequest waiting for reshape progress while still holding an activeio reference. If userspace then...
CVE-2026-53122 btrfs: fix deadlock between reflink and transaction commit when using flushoncommit
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between reflink and transaction commit when using flushoncommit When using the flushoncommit mount option, we can have a deadlock between a transaction commit and a reflink operation that copied an inline exte...
CVE-2026-53121 amd-pstate: Fix memory leak in amd_pstate_epp_cpu_init()
In the Linux kernel, the following vulnerability has been resolved: amd-pstate: Fix memory leak in amdpstateeppcpuinit On failure to set the epp, the function amdpstateeppcpuinit returns with an error code without freeing the cpudata object that was allocated at the beginning of the function...
CVE-2026-53120 PCI: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: PCI: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock, which can cause ...
CVE-2026-53118 vdpa: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: vdpa: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock, which can cause...
CVE-2026-53119 platform/wmi: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: platform/wmi: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock, which c...
CVE-2026-53117 s390/cio: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: s390/cio: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock, which can...
CVE-2026-53115 bus: fsl-mc: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: use generic driveroverride infrastructure When a driver is probed through driverattach, the bus' match callback is called without the device lock held, thus accessing the driveroverride field without a lock, which ca...
CVE-2026-53116 s390/ap: use generic driver_override infrastructure
In the Linux kernel, the following vulnerability has been resolved: s390/ap: use generic driveroverride infrastructure When the AP masks are updated via apmaskstore or aqmaskstore, apbusrevisebindings is called after apattrmutex has been released. This calls aprevisereserved, which accesses the...
CVE-2026-53113 wifi: ath11k: fix memory leaks in beacon template setup
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix memory leaks in beacon template setup The functions ath11kmacsetupbcntmplema and ath11kmacsetupbcntmplmbssid allocate memory for beacon templates but fail to free it when parameter setup returns an error. Since...
CVE-2026-53114 perf/amd/ibs: Avoid calling perf_allow_kernel() from the IBS NMI handler
In the Linux kernel, the following vulnerability has been resolved: perf/amd/ibs: Avoid calling perfallowkernel from the IBS NMI handler Calling perfallowkernel from the NMI context is unsafe and could be fatal. Capture the permission at event-initialization time by storing it in event-hw.flags,...
CVE-2026-53112 wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irqpreparebcntasklet The irqpreparebcntasklet is initialized in rtlpciinit and scheduled when RTLIMRBCNINT interrupt is triggered by hardware. But it is never...
CVE-2026-53111 bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap
In the Linux kernel, the following vulnerability has been resolved: bpf: testrun: Fix the null pointer dereference issue in bpflwtxmitpushencap The bpflwtxmitpushencap helper needs to access skbdstskb-dev to calculate the needed headroom: err = skbcowheadskb, len + LLRESERVEDSPACEskbdstskb-dev; B...
CVE-2026-53110 s390/bpf: Zero-extend bpf prog return values and kfunc arguments
In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Zero-extend bpf prog return values and kfunc arguments s390x ABI requires callers to zero-extend unsigned arguments and sign-extend signed arguments, and callees to zero-extend unsigned return values and sign-extend...
CVE-2026-53109 powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy
In the Linux kernel, the following vulnerability has been resolved: powerpc/pgtable-frag: Fix bad page state in ptefragdestroy powerpc uses ptfragrefcount as a reference counter for tracking it's pte and pmd page table fragments. For PTE table, in case of Hash with 64K pagesize, we have 16...
CVE-2026-53108 powerpc/64s: Fix unmap race with PMD migration entries
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix unmap race with PMD migration entries The following race is possible with migration swap entries or device-private THP entries. e.g. when movepages is called on a PMD THP page, then there maybe an intermediate...
CVE-2026-53107 wifi: libertas: don't kill URBs in interrupt context
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: don't kill URBs in interrupt context Serialization for the TX path was enforced by calling usbkillurb/usbkillanchoredurbs, to prevent transmission before a previous URB was completed. usbtxblock can be called from...
CVE-2026-53106 bpf: Do not allow deleting local storage in NMI
In the Linux kernel, the following vulnerability has been resolved: bpf: Do not allow deleting local storage in NMI Currently, local storage may deadlock when deferring freeing selem or local storage through kfreercu, callrcu or callrcutaskstrace in NMI or reentrant. Since deleting selem in NMI i...
CVE-2026-53105 wifi: mt76: mt7925: prevent NULL vif dereference in mt7925_mac_write_txwi
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL vif dereference in mt7925macwritetxwi Check for a NULL vif before accessing ieee80211vifismldvif to avoid a potential kernel panic in scenarios where vif might not be initialized...
CVE-2026-53104 wifi: mt76: Fix memory leak destroying device
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak destroying device All MT76 rx queues have an associated pagepool even if the queue is not associated to a NAPI e.g. WED RRO queues with WED enabled. Destroy the pagepool running mt76dmacleanup routine...
CVE-2026-53103 wifi: mt76: mt7925: fix potential deadlock in mt7925_roc_abort_sync
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix potential deadlock in mt7925rocabortsync rocabortsync can deadlock with rocwork. rocwork holds dev-mt76.mutex, while cancelworksync waits for rocwork to finish. If the caller already owns the same mutex,...
CVE-2026-53102 wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix memory leak after mt76connacmcuallocstareq mt76connacmcuallocstareq allocates an skb which is expected to be freed eventually by mt76mcuskbsendmsg. However, currently if an intermediate function fails before...
CVE-2026-53100 wifi: mt76: fix deadlock in remain-on-channel
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: fix deadlock in remain-on-channel mt76remainonchannel and mt76roccomplete call mt76setchannel while already holding dev-mutex. Since mt76setchannel also acquires dev-mutex, this results in a deadlock. Use mt76setchann...
CVE-2026-53101 wifi: mt76: mt7921: fix potential deadlock in mt7921_roc_abort_sync
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix potential deadlock in mt7921rocabortsync rocabortsync can deadlock with rocwork. rocwork holds dev-mt76.mutex, while cancelworksync waits for rocwork to finish. If the caller already owns the same mutex,...
CVE-2026-53099 bpf: Switch CONFIG_CFI_CLANG to CONFIG_CFI
In the Linux kernel, the following vulnerability has been resolved: bpf: Switch CONFIGCFICLANG to CONFIGCFI This was renamed in commit 23ef9d439769 "kcfi: Rename CONFIGCFICLANG to CONFIGCFI" as it is now a compiler-agnostic option. Using the wrong name results in the code getting compiled out...
CVE-2026-53098 wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: fix use-after-free bugs in mt7915macdumpwork When the mt7915 pci chip is detaching, the mt7915crashdata is released in mt7915coredumpunregister. However, the work item dumpwork may still be running or pending,...
CVE-2026-53097 wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix use-after-free bugs in mt7996macdumpwork When the mt7996 pci chip is detaching, the mt7996crashdata is released in mt7996coredumpunregister. However, the work item dumpwork may still be running or pending,...
CVE-2026-53096 bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
In the Linux kernel, the following vulnerability has been resolved: bpf: Use RCU-safe iteration in devmapredirectmulti SKB path The DEVMAPHASH branch in devmapredirectmulti uses hlistforeachentrysafe to iterate hash buckets, but this function runs under RCU protection called from...
CVE-2026-53095 bpf: Fix abuse of kprobe_write_ctx via freplace
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix abuse of kprobewritectx via freplace uprobe programs are allowed to modify struct ptregs. Since the actual program type of uprobe is KPROBE, it can be abused to modify struct ptregs via kprobe+freplace when the kprobe...
CVE-2026-53093 wifi: brcmfmac: Fix error pointer dereference
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix error pointer dereference The function brcmfchipaddcore can return an error pointer and is not checked. Add checks for error pointer. Detected by Smatch:...
CVE-2026-53094 bpf: Fix stale offload->prog pointer after constant blinding
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stale offload-prog pointer after constant blinding When a dev-bound-only BPF program BPFFXDPDEVBOUNDONLY undergoes JIT compilation with constant blinding enabled bpfjitharden = 2, bpfjitblindconstants clones the program...
CVE-2026-53092 bpf: Fix linked reg delta tracking when src_reg == dst_reg
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix linked reg delta tracking when srcreg == dstreg Consider the case of rX += rX where srcreg and dstreg are pointers to the same bpfregstate in adjustregminmaxvals. The latter first modifies the dstreg in-place, and later ...
CVE-2026-53091 net: pull headers in qdisc_pkt_len_segs_init()
In the Linux kernel, the following vulnerability has been resolved: net: pull headers in qdiscpktlensegsinit Most ndostartxmit methods expects headers of gso packets to be already in skb-head. net/core/tso.c users are particularly at risk, because tsobuildhdr does a memcpyhdr, skb-data, hdrlen;...
CVE-2026-53090 bpf: Fix ld_{abs,ind} failure path analysis in subprogs
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ldabs,ind failure path analysis in subprogs Usage of ldabs,ind instructions got extended into subprogs some time ago via commit 09b28d76eac4 "bpf: Add abnormal return checks.". These are only allowed in subprograms when...