58970 matches found
CVE-2026-52944
ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE...
CVE-2026-52943
net: skbuff: fix missing zerocopy reference in pskb_carve helpers...
CVE-2026-52942
netfilter: nflog: validate MAC header was set before dumping it...
CVE-2026-52940
tun: zero the whole vnet header in tun_put_user...
CVE-2026-52941
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint...
CVE-2026-52939
net/rds: fix NULL deref in rds_ib_send_cqe_handler on masked atomic completion...
CVE-2026-52938
bpf: Fix NULL pointer dereference in bpf_sk_storage_clone and diag paths...
CVE-2026-52937
tap: fix stack info leak in tap_ioctl SIOCGIFHWADDR...
CVE-2026-52936
crypto: jitterentropy - replace long-held spinlock with mutex...
CVE-2026-52935
xfrm: espintcp: do not reuse an in-progress partial send...
CVE-2026-52934
batman-adv: tvlv: reject oversized TVLV packets...
CVE-2026-52932
xfrm: ipcomp: Free destination pages on acomp errors...
CVE-2026-52933
io_uring/poll: fix signed comparison in io_poll_get_ownership...
CVE-2026-52931
batman-adv: tp_meter: avoid use of uninit sender vars...
CVE-2026-52929
sctp: stream: fully roll back denied add-stream state...
CVE-2026-52930
ipc/shm: serialize orphan cleanup with shm_nattch updates...
CVE-2026-52928
af_unix: Reject SIOCATMARK on non-stream sockets...
CVE-2026-52926
batman-adv: clear current gateway during teardown...
CVE-2026-52927
netfilter: ebtables: fix OOB read in compat_mtw_from_user...
CVE-2026-52925
vrf: Fix a potential NPD when removing a port from a VRF...
CVE-2026-52924
sctp: purge outqueue on stale COOKIE-ECHO handling...
CVE-2026-52922
batman-adv: dat: handle forward allocation error...
CVE-2026-52923
ipc: limit next_id allocation to the valid ID range...
CVE-2026-52921
netfilter: ipset: stop hash: range iteration at end...
CVE-2026-52919
batman-adv: fix tp_meter counter underflow during shutdown...
CVE-2026-52920
netfilter: xt_policy: fix strict mode inbound policy matching...
CVE-2026-52918
Bluetooth: serialize accept_q access...
CVE-2026-52916
batman-adv: frag: disallow unicast fragment in fragment...
CVE-2026-52917
sctp: diag: reject stale associations in dump_one path...
CVE-2026-52915
netfilter: ip6t_hbh: reject oversized option lists...
CVE-2026-52913
batman-adv: v: stop OGMv2 on disabled interface...
CVE-2026-52914
batman-adv: fix fragment reassembly length accounting...
CVE-2026-52912
netfilter: nfqueue: hold bridge skb->dev while queued...
CVE-2026-9539
An out-of-bounds heap read and integer underflow in the TCP urgent dat...
CVE-2026-54518
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
CVE-2026-50193
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when an attacker sends deeply nested JSON, if and only if the service reads deeply nested (1000s of levels) JSON as JsonNode...
CVE-2026-54512
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...
CVE-2026-54513
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray(), without validating th...
CVE-2026-54514
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution fo...
CVE-2026-54515
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual, per-property @JsonIgnoreProperties exclusions are applied by handleByNameInclusion, producing a...
CVE-2026-54516
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, POJOPropertiesCollector.renameProperties allows a property with @JsonProperty("renamed") on the getter and @JsonIgnore on the setter to be renamed...
CVE-2026-54517
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...
CVE-2026-12892
A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary...
CVE-2026-12891
A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266...
CVE-2026-45135
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct fla...
CVE-2026-45692
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...
CVE-2026-52845
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers int...
CVE-2026-52844
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy...
CVE-2026-52846
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous...
CVE-2026-57062
CMS (Cryptographic Message Syntax) parsing in gpgsm in GnuPG through 2.5.20 mishandles the CMS format for AES-GCM because aes-ICVlen is supposed to be 12 bytes but 4 bytes is accepted. NOTE: this is related to CVE-2026-34182...