363766 matches found
CVE-2026-53059 dm log: fix out-of-bounds write due to region_count overflow
In the Linux kernel, the following vulnerability has been resolved: dm log: fix out-of-bounds write due to regioncount overflow The local variable regioncount in createlogcontext is declared as unsigned int 32-bit, but dmsectordivup returns sectort 64-bit. When a device-mapper target has a...
CVE-2026-53058 drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomic_enable()
In the Linux kernel, the following vulnerability has been resolved: drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier in atomicenable In case if we get errors in cdnsmhdplinkup or cdnsmhdpregread in atomicenable, we will go to cdnsmhdpmodesetretryfn and will hit NULL pointer...
CVE-2026-53057 iommu/riscv: Add IOTINVAL after updating DDT/PDT entries
In the Linux kernel, the following vulnerability has been resolved: iommu/riscv: Add IOTINVAL after updating DDT/PDT entries Add riscviommuiodiriotinval to perform required TLB and context cache invalidations after updating DDT or PDT entries, as mandated by the RISC-V IOMMU specification Section...
CVE-2026-53056 drm/msm/dpu: fix mismatch between power and frequency
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: fix mismatch between power and frequency During DPU runtime suspend, calling devpmoppsetratedev, 0 drops the MMCX rail to MINSVS while the core clock frequency remains at its original highest rate. When runtime resum...
CVE-2026-53055 crypto: hisilicon/sec2 - prevent req used-after-free for sec
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec2 - prevent req used-after-free for sec During packet transmission, if the system is under heavy load, the hardware might complete processing the packet and free the request memory req before the transmission...
CVE-2026-53053 iommu/amd: Fix clone_alias() to use the original device's devid
In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix clonealias to use the original device's devid Currently clonealias assumes first argument pdev is always the original device pointer. This function is called by pciforeachdmaalias which based on topology decides to...
CVE-2026-53054 drm/msm: Fix VM_BIND UNMAP locking
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix VMBIND UNMAP locking Wrong argument meant that the objs involved in UNMAP ops were not always getting locked. Since NOSHARE objs share a common resv with the VM which is always locked this would only show up with...
CVE-2026-53052 ASoC: qcom: qdsp6: topology: check widget type before accessing data
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: topology: check widget type before accessing data Check widget type before accessing the private data, as this could a virtual widget which is no associated with a dsp graph, container and module. Accessing...
CVE-2026-53050 quota: Fix race of dquot_scan_active() with quota deactivation
In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquotscanactive with quota deactivation dquotscanactive can race with quota deactivation in quotareleaseworkfn like: CPU0 quotareleaseworkfn CPU1 dquotscanactive ==============================...
CVE-2026-53051 PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
In the Linux kernel, the following vulnerability has been resolved: PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on When PERST is deasserted twice assert - deassert - assert - deassert, a CBB Control Backbone timeout occurs at DBI register offset 0x8bc PCIEMISCCONTROL1OFF...
CVE-2026-53049 gfs2: add some missing log locking
In the Linux kernel, the following vulnerability has been resolved: gfs2: add some missing log locking Function gfs2logd calls the log flushing functions gfs2ail1start, gfs2ail1wait, and gfs2ail1empty without holding sdp-sdlogflushlock, but these functions require exclusion against concurrent...
CVE-2026-53048 gfs2: prevent NULL pointer dereference during unmount
In the Linux kernel, the following vulnerability has been resolved: gfs2: prevent NULL pointer dereference during unmount When flushing out outstanding glock work during an unmount, gfs2logflush can be called when sdp-sdjdesc has already been deallocated and sdp-sdjdesc is NULL. Commit 35264909e9...
CVE-2026-53047 efi/capsule-loader: fix incorrect sizeof in phys array reallocation
In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc call for capinfo-phys in eficapsulesetupinfo uses sizeofphysaddrt instead of sizeofphysaddrt, which might be causing an undersized allocation. The...
CVE-2026-53046 ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine ksmbdcryptmessage sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the...
CVE-2026-53044 soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
In the Linux kernel, the following vulnerability has been resolved: soc/tegra: cbb: Fix incorrect ARRAYSIZE in fabric lookup tables Fix incorrect ARRAYSIZE usage in fabric lookup tables which could cause out-of-bounds access during target timeout lookup...
CVE-2026-53045 memory: tegra124-emc: Fix dll_change check
In the Linux kernel, the following vulnerability has been resolved: memory: tegra124-emc: Fix dllchange check The code checking whether the specified memory timing enables DLL in the EMRS register was reversed. DLL is enabled if bit A0 is low. Fix the check...
CVE-2026-53043 ocfs2/dlm: validate qr_numregions in dlm_match_regions()
In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qrnumregions in dlmmatchregions Patch series "ocfs2/dlm: fix two bugs in dlmmatchregions". In dlmmatchregions, the qrnumregions field from a DLMQUERYREGION network message is used to drive loops over the...
CVE-2026-53042 fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
In the Linux kernel, the following vulnerability has been resolved: fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal CXL is linked before fwctl in drivers/Makefile. Both use moduleinit, so cxlpcidriverinit runs first. When cxlpciprobe calls fwctlregister and then...
CVE-2026-53041 ocfs2: fix listxattr handling when the buffer is full
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix listxattr handling when the buffer is full BUG If an OCFS2 inode has both inline and block-based xattrs, listxattr can return a size larger than the caller's buffer when the inline names consume that buffer exactly...
CVE-2026-53040 ocfs2: validate bg_bits during freefrag scan
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate bgbits during freefrag scan BUG A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2IOCINFO is issued with OCFS2INFOFLNONCOHERENT. BUG: KASAN: use-after-free in instrumentatomicread...
CVE-2026-53039 ocfs2: validate group add input before caching
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate group add input before caching BUG OCFS2IOCGROUPADD can trigger a BUGON in ocfs2setnewbufferuptodate: kernel BUG at fs/ocfs2/uptodate.c:509! Oops: invalid opcode: 0000 1 SMP KASAN NOPTI RIP:...
CVE-2026-53038 ima_fs: Correctly create securityfs files for unsupported hash algos
In the Linux kernel, the following vulnerability has been resolved: imafs: Correctly create securityfs files for unsupported hash algos imatpmchip-allocatedbanksi.cryptoid is initialized to HASHALGOLAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be...
CVE-2026-53037 HID: usbhid: fix deadlock in hid_post_reset()
In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix deadlock in hidpostreset You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hidprereset and hidpostreset are in the...
CVE-2026-53036 bpf, arm64: Fix off-by-one in check_imm signed range check
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix off-by-one in checkimm signed range check checkimmbits, imm is used in the arm64 BPF JIT to verify that a branch displacement in arm64 instruction units fits into the signed N-bit immediate field of a B, B.cond or...
CVE-2026-53035 bpf, sockmap: Fix af_unix iter deadlock
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix afunix iter deadlock bpfiterunixseqshow may deadlock when locksockfast takes the fast path and the iter prog attempts to update a sockmap. Which ends up spinning at sockmapupdateelem's bhlocksock: WARNING:...
CVE-2026-53034 bpf, sockmap: Fix af_unix null-ptr-deref in proto update
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix afunix null-ptr-deref in proto update unixstreamconnect sets skstate WRITEONCEsk-skstate, TCPESTABLISHED before it assigns a peer unixpeersk = newsk. skstate == TCPESTABLISHED makes sockmapskstateallowed believe...
CVE-2026-53033 bpf, sockmap: Take state lock for af_unix iter
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Take state lock for afunix iter When a BPF iterator program updates a sockmap, there is a race condition in unixstreambpfupdateproto where the peer pointer can become stale1 during a state transition TCPESTABLISHED ...
CVE-2026-53032 bpf: Fix NULL deref in map_kptr_match_type for scalar regs
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in mapkptrmatchtype for scalar regs Commit ab6c637ad027 "bpf: Fix a bpfkptrxchg issue with local kptr" refactored mapkptrmatchtype to branch on btfiskernel before checking basetype. A scalar register stored in...
CVE-2026-53031 bpf: Validate node_id in arena_alloc_pages()
In the Linux kernel, the following vulnerability has been resolved: bpf: Validate nodeid in arenaallocpages arenaallocpages accepts a plain int nodeid and forwards it through the entire allocation chain without any bounds checking. Validate nodeid before passing it down the allocation chain in...
CVE-2026-53030 i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
In the Linux kernel, the following vulnerability has been resolved: i3c: master: renesas: Fix memory leak in renesasi3ci3cxfers The xfer structure allocated by renesasi3callocxfer was never freed in the renesasi3ci3cxfers function. Use the freekfree cleanup attribute to automatically free the...
CVE-2026-53029 fs/ntfs3: prevent uninitialized lcn caused by zero len
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: prevent uninitialized lcn caused by zero len syzbot reported a uninit-value in ntfsiomapbegin 1. Since runs was not touched yet, runlookupentry immediately fails and returns false, which makes the value of "len" 0...
CVE-2026-53028 usb: typec: Fix error pointer dereference
In the Linux kernel, the following vulnerability has been resolved: usb: typec: Fix error pointer dereference The variable tps-partner is checked for an error pointer and then if it is, it sends an error message but does not return and then immediately dereferenced a few lines below: tps-partner ...
CVE-2026-53027 fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attrdatagetblocklocked When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this...
CVE-2026-53026 NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix nfs4file access extra count in nfsd4addrdaccesstowrdeleg In nfsd4addrdaccesstowrdeleg, if fp-fifdsORDONLY is already set by another thread, nfs4filegetaccess should not be called to increment the nfs4file access count...
CVE-2026-53024 greybus: raw: fix use-after-free if write is called after disconnect
In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free if write is called after disconnect If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace with CONFIGINITONFREEDEFAULTON=y: BUG: kernel NULL...
CVE-2026-53025 greybus: raw: fix use-after-free on cdev close
In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free on cdev close This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the followi...
CVE-2026-53023 fs/ntfs3: terminate the cached volume label after UTF-8 conversion
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: terminate the cached volume label after UTF-8 conversion ntfsfillsuper loads the on-disk volume label with utf16stoutf8s and stores the result in sbi-volume.label. The converted label is later exposed through...
CVE-2026-53022 platform/x86: dell-wmi-sysman: bound enumeration string aggregation
In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: bound enumeration string aggregation populateenumdata aggregates firmware-provided value-modifier and possible-value strings into fixed 512-byte struct members. The current code bounds each individu...
CVE-2026-53021 scsi: target: core: Fix integer overflow in UNMAP bounds check
In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix integer overflow in UNMAP bounds check sbcexecuteunmap checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow. Add an overflow che...
CVE-2026-53020 um: Fix potential race condition in TLB sync
In the Linux kernel, the following vulnerability has been resolved: um: Fix potential race condition in TLB sync During the TLB sync, we need to traverse and modify the page table, so we should hold the page table lock. Since full SMP support for threads within the same process is still missing,...
CVE-2026-53019 clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
In the Linux kernel, the following vulnerability has been resolved: clk: spacemit: ccumix: fix inverted condition in ccumixtriggerfc Fix inverted condition that skips frequency change trigger, causing kernel panics during cpufreq scaling...
CVE-2026-53018 f2fs: avoid reading already updated pages during GC
In the Linux kernel, the following vulnerability has been resolved: f2fs: avoid reading already updated pages during GC We found the following issue during fuzz testing: page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9 memcg:f8ffff800e269c00 aops:f2fsmetaaops ino:2...
CVE-2026-53017 f2fs: fix data loss caused by incorrect use of nat_entry flag
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix data loss caused by incorrect use of natentry flag Data loss can occur when fsync is performed on a newly created file before any checkpoint has been written concurrently with a checkpoint operation. The scenario is as...
CVE-2026-53016 crypto: ccp - copy IV using skcipher ivsize
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsize AFALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. ccpaescomplete restores AESBLOCKSIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, s...
CVE-2026-53015 erofs: unify lcn as u64 for 32-bit platforms
In the Linux kernel, the following vulnerability has been resolved: erofs: unify lcn as u64 for 32-bit platforms As sashiko reported 1, lcn was typed as unsigned long or unsigned int sometimes, which is only 32 bits wide on 32-bit platforms, which causes lcn lclusterbits to be truncated at 4 GiB...
CVE-2026-53014 net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
In the Linux kernel, the following vulnerability has been resolved: net/sched: actmirred: fix wrong device for macheaderxmit check in tcfblockcastredir In tcfblockcastredir, when iterating block ports to redirect packets to multiple devices, the macheaderxmit flag is queried from the wrong device...
CVE-2026-53013 macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlangetsize not reserving space for IFLAMACVLANBCCUTOFF macvlangetsize does not account for IFLAMACVLANBCCUTOFF, but macvlanfillinfo conditionally includes it when port-bccutoff != 1. This causes nlaputs32 to fail...
CVE-2026-53012 nexthop: fix IPv6 route referencing IPv4 nexthop
In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic 1 2. When an IPv6 nexthop is replaced with an IPv4 nexthop, the hasv4 flag of all groups containing this nexthop is not updated. This is because...
CVE-2026-53011 net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advancesched on schedule switch In advancesched, when shouldchangeschedules returns true, switchschedules is called to promote the admin schedule to oper. switchschedules queues the old op...
CVE-2026-53010 ksmbd: fix use-after-free in smb2_open during durable reconnect
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2open during durable reconnect In smb2open, the call to ksmbdputdurablefdfp drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs...