364063 matches found
CVE-2026-53052 ASoC: qcom: qdsp6: topology: check widget type before accessing data
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: topology: check widget type before accessing data Check widget type before accessing the private data, as this could a virtual widget which is no associated with a dsp graph, container and module. Accessing...
CVE-2026-53051 PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
In the Linux kernel, the following vulnerability has been resolved: PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on When PERST is deasserted twice assert - deassert - assert - deassert, a CBB Control Backbone timeout occurs at DBI register offset 0x8bc PCIEMISCCONTROL1OFF...
CVE-2026-53050 quota: Fix race of dquot_scan_active() with quota deactivation
In the Linux kernel, the following vulnerability has been resolved: quota: Fix race of dquotscanactive with quota deactivation dquotscanactive can race with quota deactivation in quotareleaseworkfn like: CPU0 quotareleaseworkfn CPU1 dquotscanactive ==============================...
CVE-2026-53049 gfs2: add some missing log locking
In the Linux kernel, the following vulnerability has been resolved: gfs2: add some missing log locking Function gfs2logd calls the log flushing functions gfs2ail1start, gfs2ail1wait, and gfs2ail1empty without holding sdp-sdlogflushlock, but these functions require exclusion against concurrent...
CVE-2026-53048 gfs2: prevent NULL pointer dereference during unmount
In the Linux kernel, the following vulnerability has been resolved: gfs2: prevent NULL pointer dereference during unmount When flushing out outstanding glock work during an unmount, gfs2logflush can be called when sdp-sdjdesc has already been deallocated and sdp-sdjdesc is NULL. Commit 35264909e9...
CVE-2026-53047 efi/capsule-loader: fix incorrect sizeof in phys array reallocation
In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc call for capinfo-phys in eficapsulesetupinfo uses sizeofphysaddrt instead of sizeofphysaddrt, which might be causing an undersized allocation. The...
CVE-2026-53046 ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine ksmbdcryptmessage sets a NULL completion callback on AEAD requests and does not handle the -EINPROGRESS return code from async hardware crypto engines like the...
CVE-2026-53044 soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
In the Linux kernel, the following vulnerability has been resolved: soc/tegra: cbb: Fix incorrect ARRAYSIZE in fabric lookup tables Fix incorrect ARRAYSIZE usage in fabric lookup tables which could cause out-of-bounds access during target timeout lookup...
CVE-2026-53045 memory: tegra124-emc: Fix dll_change check
In the Linux kernel, the following vulnerability has been resolved: memory: tegra124-emc: Fix dllchange check The code checking whether the specified memory timing enables DLL in the EMRS register was reversed. DLL is enabled if bit A0 is low. Fix the check...
CVE-2026-53043 ocfs2/dlm: validate qr_numregions in dlm_match_regions()
In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: validate qrnumregions in dlmmatchregions Patch series "ocfs2/dlm: fix two bugs in dlmmatchregions". In dlmmatchregions, the qrnumregions field from a DLMQUERYREGION network message is used to drive loops over the...
CVE-2026-53042 fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
In the Linux kernel, the following vulnerability has been resolved: fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal CXL is linked before fwctl in drivers/Makefile. Both use moduleinit, so cxlpcidriverinit runs first. When cxlpciprobe calls fwctlregister and then...
CVE-2026-53041 ocfs2: fix listxattr handling when the buffer is full
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix listxattr handling when the buffer is full BUG If an OCFS2 inode has both inline and block-based xattrs, listxattr can return a size larger than the caller's buffer when the inline names consume that buffer exactly...
CVE-2026-53040 ocfs2: validate bg_bits during freefrag scan
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate bgbits during freefrag scan BUG A crafted filesystem can trigger an out-of-bounds bitmap walk when OCFS2IOCINFO is issued with OCFS2INFOFLNONCOHERENT. BUG: KASAN: use-after-free in instrumentatomicread...
CVE-2026-53039 ocfs2: validate group add input before caching
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate group add input before caching BUG OCFS2IOCGROUPADD can trigger a BUGON in ocfs2setnewbufferuptodate: kernel BUG at fs/ocfs2/uptodate.c:509! Oops: invalid opcode: 0000 1 SMP KASAN NOPTI RIP:...
CVE-2026-53038 ima_fs: Correctly create securityfs files for unsupported hash algos
In the Linux kernel, the following vulnerability has been resolved: imafs: Correctly create securityfs files for unsupported hash algos imatpmchip-allocatedbanksi.cryptoid is initialized to HASHALGOLAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be...
CVE-2026-53037 HID: usbhid: fix deadlock in hid_post_reset()
In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix deadlock in hidpostreset You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hidprereset and hidpostreset are in the...
CVE-2026-53036 bpf, arm64: Fix off-by-one in check_imm signed range check
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix off-by-one in checkimm signed range check checkimmbits, imm is used in the arm64 BPF JIT to verify that a branch displacement in arm64 instruction units fits into the signed N-bit immediate field of a B, B.cond or...
CVE-2026-53035 bpf, sockmap: Fix af_unix iter deadlock
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix afunix iter deadlock bpfiterunixseqshow may deadlock when locksockfast takes the fast path and the iter prog attempts to update a sockmap. Which ends up spinning at sockmapupdateelem's bhlocksock: WARNING:...
CVE-2026-53034 bpf, sockmap: Fix af_unix null-ptr-deref in proto update
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix afunix null-ptr-deref in proto update unixstreamconnect sets skstate WRITEONCEsk-skstate, TCPESTABLISHED before it assigns a peer unixpeersk = newsk. skstate == TCPESTABLISHED makes sockmapskstateallowed believe...
CVE-2026-53033 bpf, sockmap: Take state lock for af_unix iter
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Take state lock for afunix iter When a BPF iterator program updates a sockmap, there is a race condition in unixstreambpfupdateproto where the peer pointer can become stale1 during a state transition TCPESTABLISHED ...
CVE-2026-53031 bpf: Validate node_id in arena_alloc_pages()
In the Linux kernel, the following vulnerability has been resolved: bpf: Validate nodeid in arenaallocpages arenaallocpages accepts a plain int nodeid and forwards it through the entire allocation chain without any bounds checking. Validate nodeid before passing it down the allocation chain in...
CVE-2026-53032 bpf: Fix NULL deref in map_kptr_match_type for scalar regs
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix NULL deref in mapkptrmatchtype for scalar regs Commit ab6c637ad027 "bpf: Fix a bpfkptrxchg issue with local kptr" refactored mapkptrmatchtype to branch on btfiskernel before checking basetype. A scalar register stored in...
CVE-2026-53030 i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
In the Linux kernel, the following vulnerability has been resolved: i3c: master: renesas: Fix memory leak in renesasi3ci3cxfers The xfer structure allocated by renesasi3callocxfer was never freed in the renesasi3ci3cxfers function. Use the freekfree cleanup attribute to automatically free the...
CVE-2026-53029 fs/ntfs3: prevent uninitialized lcn caused by zero len
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: prevent uninitialized lcn caused by zero len syzbot reported a uninit-value in ntfsiomapbegin 1. Since runs was not touched yet, runlookupentry immediately fails and returns false, which makes the value of "len" 0...
CVE-2026-53028 usb: typec: Fix error pointer dereference
In the Linux kernel, the following vulnerability has been resolved: usb: typec: Fix error pointer dereference The variable tps-partner is checked for an error pointer and then if it is, it sends an error message but does not return and then immediately dereferenced a few lines below: tps-partner ...
CVE-2026-53027 fs/ntfs3: fix missing run load for vcn0 in attr_data_get_block_locked()
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix missing run load for vcn0 in attrdatagetblocklocked When a compressed or sparse attribute has its clusters frame-aligned, vcn is rounded down to the frame start using cmask, which can result in vcn != vcn0. In this...
CVE-2026-53026 NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
In the Linux kernel, the following vulnerability has been resolved: NFSD: fix nfs4file access extra count in nfsd4addrdaccesstowrdeleg In nfsd4addrdaccesstowrdeleg, if fp-fifdsORDONLY is already set by another thread, nfs4filegetaccess should not be called to increment the nfs4file access count...
CVE-2026-53024 greybus: raw: fix use-after-free if write is called after disconnect
In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free if write is called after disconnect If a user writes to the chardev after disconnect has been called, the kernel panics with the following trace with CONFIGINITONFREEDEFAULTON=y: BUG: kernel NULL...
CVE-2026-53025 greybus: raw: fix use-after-free on cdev close
In the Linux kernel, the following vulnerability has been resolved: greybus: raw: fix use-after-free on cdev close This addresses a use-after-free bug when a raw bundle is disconnected but its chardev is still opened by an application. When the application releases the cdev, it causes the followi...
CVE-2026-53023 fs/ntfs3: terminate the cached volume label after UTF-8 conversion
In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: terminate the cached volume label after UTF-8 conversion ntfsfillsuper loads the on-disk volume label with utf16stoutf8s and stores the result in sbi-volume.label. The converted label is later exposed through...
CVE-2026-53022 platform/x86: dell-wmi-sysman: bound enumeration string aggregation
In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: bound enumeration string aggregation populateenumdata aggregates firmware-provided value-modifier and possible-value strings into fixed 512-byte struct members. The current code bounds each individu...
CVE-2026-53021 scsi: target: core: Fix integer overflow in UNMAP bounds check
In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix integer overflow in UNMAP bounds check sbcexecuteunmap checks LBA + range does not exceed the device capacity, but does not guard against LBA + range wrapping around on 64-bit overflow. Add an overflow che...
CVE-2026-53020 um: Fix potential race condition in TLB sync
In the Linux kernel, the following vulnerability has been resolved: um: Fix potential race condition in TLB sync During the TLB sync, we need to traverse and modify the page table, so we should hold the page table lock. Since full SMP support for threads within the same process is still missing,...
CVE-2026-53019 clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
In the Linux kernel, the following vulnerability has been resolved: clk: spacemit: ccumix: fix inverted condition in ccumixtriggerfc Fix inverted condition that skips frequency change trigger, causing kernel panics during cpufreq scaling...
CVE-2026-53018 f2fs: avoid reading already updated pages during GC
In the Linux kernel, the following vulnerability has been resolved: f2fs: avoid reading already updated pages during GC We found the following issue during fuzz testing: page: refcount:3 mapcount:0 mapping:00000000b6e89c65 index:0x18b2dc pfn:0x161ba9 memcg:f8ffff800e269c00 aops:f2fsmetaaops ino:2...
CVE-2026-53017 f2fs: fix data loss caused by incorrect use of nat_entry flag
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix data loss caused by incorrect use of natentry flag Data loss can occur when fsync is performed on a newly created file before any checkpoint has been written concurrently with a checkpoint operation. The scenario is as...
CVE-2026-53016 crypto: ccp - copy IV using skcipher ivsize
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - copy IV using skcipher ivsize AFALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver. ccpaescomplete restores AESBLOCKSIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, s...
CVE-2026-53015 erofs: unify lcn as u64 for 32-bit platforms
In the Linux kernel, the following vulnerability has been resolved: erofs: unify lcn as u64 for 32-bit platforms As sashiko reported 1, lcn was typed as unsigned long or unsigned int sometimes, which is only 32 bits wide on 32-bit platforms, which causes lcn lclusterbits to be truncated at 4 GiB...
CVE-2026-53014 net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
In the Linux kernel, the following vulnerability has been resolved: net/sched: actmirred: fix wrong device for macheaderxmit check in tcfblockcastredir In tcfblockcastredir, when iterating block ports to redirect packets to multiple devices, the macheaderxmit flag is queried from the wrong device...
CVE-2026-53013 macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
In the Linux kernel, the following vulnerability has been resolved: macvlan: fix macvlangetsize not reserving space for IFLAMACVLANBCCUTOFF macvlangetsize does not account for IFLAMACVLANBCCUTOFF, but macvlanfillinfo conditionally includes it when port-bccutoff != 1. This causes nlaputs32 to fail...
CVE-2026-53011 net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix use-after-free in advancesched on schedule switch In advancesched, when shouldchangeschedules returns true, switchschedules is called to promote the admin schedule to oper. switchschedules queues the old op...
CVE-2026-53012 nexthop: fix IPv6 route referencing IPv4 nexthop
In the Linux kernel, the following vulnerability has been resolved: nexthop: fix IPv6 route referencing IPv4 nexthop syzbot reported a panic 1 2. When an IPv6 nexthop is replaced with an IPv4 nexthop, the hasv4 flag of all groups containing this nexthop is not updated. This is because...
CVE-2026-53010 ksmbd: fix use-after-free in smb2_open during durable reconnect
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2open during durable reconnect In smb2open, the call to ksmbdputdurablefdfp drops the reference to the durable file descriptor early during the durable reconnect process. If an error occurs...
CVE-2026-53009 ice: fix double-free of tx_buf skb
In the Linux kernel, the following vulnerability has been resolved: ice: fix double-free of txbuf skb If icetso or icetxcsum fail, the error path in icexmitframering frees the skb, but the 'first' txbuf still points to it and is marked as valid ICETXBUFSKB. 'nexttouse' remains unchanged, so the...
CVE-2026-53008 ice: fix race condition in TX timestamp ring cleanup
In the Linux kernel, the following vulnerability has been resolved: ice: fix race condition in TX timestamp ring cleanup Fix a race condition between icefreetxtstampring and icetxmap that can cause a NULL pointer dereference. icefreetxtstampring currently clears the ICETXFLAGSTXTIME flag after...
CVE-2026-53007 ice: fix potential NULL pointer deref in error path of ice_set_ringparam()
In the Linux kernel, the following vulnerability has been resolved: ice: fix potential NULL pointer deref in error path of icesetringparam icesetringparam nullifies tstampring of temporary txrings, without clearing ICETXRINGFLAGSTXTIME bit. When ICETXRINGFLAGSTXTIME is set and the subsequent...
CVE-2026-53006 ipv6: fix possible UAF in icmpv6_rcv()
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in icmpv6rcv Caching saddr and daddr before pskbpull is problematic since skb-head can change. Remove these temporary variables: - We only access &ipv6hdrskb-saddr and &ipv6hdrskb-daddr when netdbgratelimit...
CVE-2026-53004 sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
In the Linux kernel, the following vulnerability has been resolved: sctp: fix OOB write to userspace in sctpgetsockoptpeerauthchunks sctpgetsockoptpeerauthchunks checks that the caller's optval buffer is large enough for the peer AUTH chunk list with if len gauthchunks, which lives at offset...
CVE-2026-53005 af_unix: Drop all SCM attributes for SOCKMAP.
In the Linux kernel, the following vulnerability has been resolved: afunix: Drop all SCM attributes for SOCKMAP. SOCKMAP can hide inflight fd from AFUNIX GC. When a socket in SOCKMAP receives skb with inflight fd, skpsockverdictdataready looks up the mapped socket and enqueue skb to its...
CVE-2026-53003 pppoe: drop PFC frames
In the Linux kernel, the following vulnerability has been resolved: pppoe: drop PFC frames RFC 2516 Section 7 states that Protocol Field Compression PFC is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the current PPPoE driver assumes an...