58894 matches found
CVE-2026-31565
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications e.g., rping are active. The netdev reset causes ice driver to remove irdma...
CVE-2026-31564
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix base address calculation in kvmeiointcregsaccess In function kvmeiointcregsaccess, the register base address is caculated from array base address plus offset, the offset is absolute value from the base address...
CVE-2026-31563
In the Linux kernel, the following vulnerability has been resolved: net: macb: Use devconsumeskbany to free TX SKBs The napiconsumeskb function is not intended to be called in an IRQ disabled context. However, after commit 6bc8a5098bf4 "net: macb: Fix txptrlock locking", the freeing of TX SKBs is...
CVE-2026-31562
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dsi: Store driver data before invoking mipidsihostregister The call to mipidsihostregister triggers a callback to mtkdsibind, which uses devgetdrvdata to retrieve the mtkdsi struct, so this structure needs to be...
CVE-2026-31561
In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86CR4FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine...
CVE-2026-31560
In the Linux kernel, the following vulnerability has been resolved: spi: spi-dw-dma: fix print error log when wait finish transaction If an error occurs, the device may not have a current message. In this case, the system will crash. In this case, it's better to use dev from the struct ctlr struc...
CVE-2026-31559
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup 1. Replace "offindnodebypath"/"" with "ofroot" to avoid multiple calls to "ofnodeput". 2. Fix a potential kernel oops during early boot when memory allocation fails while parsing CPU...
CVE-2026-31558
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Make kvmgetvcpubycpuid more robust kvmgetvcpubycpuid takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvmgetvcpubycpuid return NULL for this case so as to make it more robust. This fix an...
CVE-2026-31557
In the Linux kernel, the following vulnerability has been resolved: nvmet: move async event work off nvmet-wq For target nvmetctrlfree flushes ctrl-asynceventwork. If nvmetctrlfree runs on nvmet-wq, the flush re-enters workqueue completion for the same worker:- A. Async event work queued on...
CVE-2026-31555
In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futexlockpi retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at waitforownerexiting+0x7a/0x80, CPU11: futexlockpis/524 When futexlockpiatomic sees the owner i...
CVE-2026-31556
In the Linux kernel, the following vulnerability has been resolved: xfs: scrub: unlock dquot before early return in quota scrub xchkquotaitem can return early after calling xchkfblockprocesserror. When that helper returns false, the function returned immediately without dropping dq-qqlock, which...
CVE-2026-31554
In the Linux kernel, the following vulnerability has been resolved: futex: Require sysfutexrequeue to have identical flags Nicholas reported that his LLM found it was possible to create a UaF when sysfutexrequeue is used with different flags. The initial motivation for allowing different flags wa...
CVE-2026-31553
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix the descriptor address in kvmatswapdesc Using "u64 user hva + offset" to get the virtual addresses of S1/S2 descriptors looks really wrong, if offset is not zero. What we want to get for swapping is hva + offset,...
CVE-2026-31552
In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom Since upstream commit e75665dd0968 "wifi: wlcore: ensure skb headroom before skbpush", wl1271txallocate and with it wl1271preparetxframe returns...
CVE-2026-31551
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix staticbranchdec underflow for aqldisable. syzbot reported staticbranchdec underflow in aqlenablewrite. 0 The problem is that aqlenablewrite does not serialise concurrent writes to the debugfs. aqlenablewrite...
CVE-2026-31550
In the Linux kernel, the following vulnerability has been resolved: pmdomain: bcm: bcm2835-power: Increase ASB control timeout The bcm2835asbcontrol function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently...
CVE-2026-31548
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel pmsrfreewk in cfg80211pmsrwdevdown When the nl80211 socket that originated a PMSR request is closed, cfg80211releasepmsr sets the request's nlportid to zero and schedules pmsrfreewk to process the abort...
CVE-2026-31549
In the Linux kernel, the following vulnerability has been resolved: i2c: cp2615: fix serial string NULL-deref at probe The cp2615 driver uses the USB device serial string as the i2c adapter name but does not make sure that the string exists. Verify that the device has a serial number before...
CVE-2026-31547
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix missing runtime PM reference in ccsmodestore ccsmodestore calls xegtreset which internally invokes xepmruntimegetnoresume. That function requires the caller to already hold an outer runtime PM reference and warns if...
CVE-2026-31546
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix NULL deref in bonddebugrlbhashshow rlbclearslave intentionally keeps RLB hash-table entries on the rxhashtblusedhead list with slave set to NULL when no replacement slave is available. However,...
CVE-2026-31544
In the Linux kernel, the following vulnerability has been resolved: firmware: armscmi: Fix NULL dereference on notify error path Since commit b5daf93b809d1 "firmware: armscmi: Avoid notifier registration for unsupported events" the call chains leading to the helper scmieventhandlergetops expect a...
CVE-2026-31545
In the Linux kernel, the following vulnerability has been resolved: NFC: nxp-nci: allow GPIOs to sleep Allow the firmware and enable GPIOs to sleep. This fixes a WARNON' and allows the driver to operate GPIOs which are connected to I2C GPIO expanders. -- 8 -- kernel: WARNING: CPU: 3 PID: 2636 at...
CVE-2026-31543
In the Linux kernel, the following vulnerability has been resolved: crashdump: don't log dm-crypt key bytes in readkeyfromuserkeying When debug logging is enabled, readkeyfromuserkeying logs the first 8 bytes of the key payload and partially exposes the dm-crypt key. Stop logging any key bytes...
CVE-2026-31542
In the Linux kernel, the following vulnerability has been resolved: x86/platform/uv: Handle deconfigured sockets When a socket is deconfigured, it's mapped to SOCKEMPTY 0xffff. This causes a panic while allocating UV hub info structures. Fix this by using NUMANONODE, allowing UV hub info structur...
CVE-2026-31541
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix tracemarker copy link list updates When the "copytracemarker" option is enabled for an instance, anything written into /sys/kernel/tracing/tracemarker is also copied into that instances buffer. When the option is set...
CVE-2026-31540
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Check setdefaultsubmission before deferencing When the i915 driver firmware binaries are not present, the setdefaultsubmission pointer is not set. This pointer is dereferenced during suspend anyways. Add a check to...
CVE-2026-31539
In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...
CVE-2026-31538
In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...
CVE-2026-31536
In the Linux kernel, the following vulnerability has been resolved: smb: server: let senddone handle a completion without IBSENDSIGNALED With smbdirectsendbatch processing we likely have requests without IBSENDSIGNALED, which will be destroyed in the final request that has IBSENDSIGNALED set. If...
CVE-2026-31537
In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirectsocket.sendio.bcredits It turns out that our code will corrupt the stream of reassabled data transfer messages when we trigger an immendiate empty send. In order to fix this we'll have a single...
CVE-2026-31535
In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...
CVE-2026-5265
When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total length iptotlen for IPv4, ip6plen for IPv6 without validating it against the actual packet buffer size...
CVE-2026-5367
A flaw was found in OVN Open Virtual Network. A remote attacker, by sending crafted DHCPv6 Dynamic Host Configuration Protocol for IPv6 SOLICIT packets with an inflated Client ID length, could cause the ovn-controller to read beyond the bounds of a packet. This out-of-bounds read can lead to the...
CVE-2026-41044
Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to...
CVE-2026-41043
Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML instead of XML and by injecting...
CVE-2026-40466
Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport...
CVE-2026-41324
basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to...
CVE-2026-41316
ERB is a templating system for Ruby. Ruby 2.7.0 before ERB 2.2.0 was published on rubygems.org introduced an @init instance variable guard in ERBresult and ERBrun to prevent code execution when an ERB object is reconstructed via Marshal.load deserialization. However, three other public methods th...
CVE-2026-41305
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...
CVE-2026-40254
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions prior to 3.25.0 have an off-by-one in the path traversal filter in channels/drive/client/drivefile.c. The containsdotdot function catches ../ and ..\ mid-path but misses .. when it's the last component with no trailing...
CVE-2026-33317
OP-TEE is a Trusted Execution Environment TEE designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In versions 3.13.0 through 4.10.0, missing checks in entrygetattributevalue in ta/pkcs11/src/object.c can lead to out-of-bounds read from...
CVE-2026-32952
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue...
CVE-2026-42095
bookserver in KDE Arianna before 26.04.1 allows attackers to read files over a socket connection by guessing a URL...
CVE-2026-6732
A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition XSD validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that...
CVE-2026-2708
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soupmessageheadersappendcommon function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...
CVE-2026-28525
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoosemultipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...
CVE-2026-6941
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a...
CVE-2026-6940
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files...
CVE-2026-41205
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.gettemplate is vulnerable to path traversal when a URI starts with // e.g., //../../../secret.txt. The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be...
CVE-2026-6921
Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. Chromium security severity: Medium...