68528 matches found
CVE-2026-31560
In the Linux kernel, the following vulnerability has been resolved: spi: spi-dw-dma: fix print error log when wait finish transaction If an error occurs, the device may not have a current message. In this case, the system will crash. In this case, it's better to use dev from the struct ctlr struc...
CVE-2026-31566
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix fence put before wait in amdgpuamdkfdsubmitib amdgpuamdkfdsubmitib submits a GPU job and gets a fence from amdgpuibschedule. This fence is used to wait for job completion. Currently, the code drops the fence...
CVE-2026-31595
In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-vntb: Stop cmdhandler work in epfntbepccleanup Disable the delayed work before clearing BAR mappings and doorbells to avoid running the handler after resources have been torn down. Unable to handle kernel...
CVE-2026-31584
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix use-after-free in encoder release path The fopsvcodecrelease function frees the context structure ctx without first cancelling any pending or running work in ctx-encodework. This creates a race window...
CVE-2026-31574
In the Linux kernel, the following vulnerability has been resolved: clockevents: Add missing resets of the nexteventforced flag The prevention mechanism against timer interrupt starvation missed to reset the nexteventforced flag in a couple of places: - When the clock event state changes. That ca...
CVE-2026-31554
In the Linux kernel, the following vulnerability has been resolved: futex: Require sysfutexrequeue to have identical flags Nicholas reported that his LLM found it was possible to create a UaF when sysfutexrequeue is used with different flags. The initial motivation for allowing different flags wa...
CVE-2026-31630
In the Linux kernel, the following vulnerability has been resolved: rxrpc: proc: size address buffers for %pISpc output The AFRXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port...
CVE-2026-31578
In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102usbprobe In as102usb driver, the following race condition occurs: CPU0 CPU1 as102usbprobe kzalloc; // alloc as102devt .... usbregisterdev; fd =...
CVE-2026-31612
In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate EaNameLength in smb2getea smb2getea reads eareq-EaNameLength from the client request and passes it directly to strncmp as the comparison length without verifying that the length of the name really is the size of t...
CVE-2026-31551
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix staticbranchdec underflow for aqldisable. syzbot reported staticbranchdec underflow in aqlenablewrite. 0 The problem is that aqlenablewrite does not serialise concurrent writes to the debugfs. aqlenablewrite...
CVE-2026-31647
In the Linux kernel, the following vulnerability has been resolved: idpf: fix PREEMPTRT raw/bh spinlock nesting for async VC handling Switch from using the completion's raw spinlock to a local lock in the idpfvcxn struct. The conversion is safe because complete/all are called outside the lock and...
CVE-2026-31658
In the Linux kernel, the following vulnerability has been resolved: net: altera-tse: fix skb leak on DMA mapping error in tsestartxmit When dmamapsingle fails in tsestartxmit, the function returns NETDEVTXOK without freeing the skb. Since NETDEVTXOK tells the stack the packet was consumed, the sk...
CVE-2026-31637
In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad response tickets rxkaddecryptticket decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether cryptoskcipherdecrypt succeeded. A malformed RESPONSE can...
CVE-2026-31638
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Only put the call ref if one was acquired rxrpcinputpacketonconn can process a to-client packet after the current client call on the channel has already been torn down. In that case chan-call is NULL, rxrpctrygetcall retur...
CVE-2026-31537
In the Linux kernel, the following vulnerability has been resolved: smb: server: make use of smbdirectsocket.sendio.bcredits It turns out that our code will corrupt the stream of reassabled data transfer messages when we trigger an immendiate empty send. In order to fix this we'll have a single...
CVE-2026-31540
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Check setdefaultsubmission before deferencing When the i915 driver firmware binaries are not present, the setdefaultsubmission pointer is not set. This pointer is dereferenced during suspend anyways. Add a check to...
CVE-2026-31550
In the Linux kernel, the following vulnerability has been resolved: pmdomain: bcm: bcm2835-power: Increase ASB control timeout The bcm2835asbcontrol function uses a tight polling loop to wait for the ASB bridge to acknowledge a request. During intensive workloads, this handshake intermittently...
CVE-2026-31620
In the Linux kernel, the following vulnerability has been resolved: ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0 A malicious USB device with the TASCAM US-144MKII device id can have a configuration containing bInterfaceNumber=1 but no interface 0. USB configuration descriptors ar...
CVE-2026-31633
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix integer overflow in rxgkverifyresponse In rxgkverifyresponse, there's a potential integer overflow due to rounding up tokenlen before checking it, thereby allowing the length check to be bypassed. Fix this by checking...
CVE-2026-31663
In the Linux kernel, the following vulnerability has been resolved: xfrm: hold dev ref until after transportfinish NFHOOK After async crypto completes, xfrminputresume calls devput immediately on re-entry before the skb reaches transportfinish. The skb-dev pointer is then used inside NFHOOK and i...
CVE-2026-31585
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix nfeeds state corruption on startstreaming failure syzbot reported a memory leak in vidtvpsiservicedescinit 1. When vidtvstartstreaming fails inside vidtvstartfeed, the nfeeds counter is left incremented even...
CVE-2026-31577
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL iassocinode dereference in nilfsmdtsavetoshadowmap The DAT inode's btree node cache iassocinode is initialized lazily during btree operations. However, nilfsmdtsavetoshadowmap assumes iassocinode is already...
CVE-2026-31561
In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Remove X86CR4FRED from the CR4 pinned bits mask Commit in Fixes added the FRED CR4 bit to the CR4 pinned bits mask so that whenever something else modifies CR4, that bit remains set. Which in itself is a perfectly fine...
CVE-2026-31665
In the Linux kernel, the following vulnerability has been resolved: netfilter: nftct: fix use-after-free in timeout object destroy nftcttimeoutobjdestroy frees the timeout object with kfree immediately after nfctuntimeout, without waiting for an RCU grace period. Concurrent packet processing on...
CVE-2026-31593
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU Reject synchronizing vCPU state to its associated VMSA if the vCPU has already been launched, i.e. if the VMSA has already been encrypted. On a host wit...
CVE-2026-31652
In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: deallocate damoncall failure leaking damonctx damonstatstart always allocates the module's damonctx object damonstatcontext. Meanwhile, if damoncall in the function fails, the damonctx object is not deallocated...
CVE-2026-31572
In the Linux kernel, the following vulnerability has been resolved: i2c: designware: amdisp: Fix resume-probe race condition issue Identified resume-probe race condition in kernel v7.0 with the commit 38fa29b01a6a "i2c: designware: Combine the init functions",but this issue existed from the...
CVE-2026-31603
In the Linux kernel, the following vulnerability has been resolved: staging: sm750fb: fix division by zero in pstohz pstohz is called from hwsm750crtcsetmode without validating that pixclock is non-zero. A zero pixclock passed via FBIOPUTVSCREENINFO causes a division by zero. Fix by rejecting zer...
CVE-2026-31559
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix missing NULL checks for kstrdup 1. Replace "offindnodebypath"/"" with "ofroot" to avoid multiple calls to "ofnodeput". 2. Fix a potential kernel oops during early boot when memory allocation fails while parsing CPU...
CVE-2026-31651
In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free...
CVE-2026-31541
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix tracemarker copy link list updates When the "copytracemarker" option is enabled for an instance, anything written into /sys/kernel/tracing/tracemarker is also copied into that instances buffer. When the option is set...
CVE-2026-31622
In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check NFC-A cascade depth in SDD response handler The NFC-A anti-collision cascade in digitalinrecvsddres appends 3 or 4 bytes to target-nfcid1 on each round, but the number of cascade rounds is controlled...
CVE-2026-31598
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dioendiowrite ocfs2unlink takes orphan dir inodelock first and then ipallocsem, while in ocfs2dioendiowrite, it acquires these locks in reverse order. This creates an ABBA lock...
CVE-2026-31670
In the Linux kernel, the following vulnerability has been resolved: net: rfkill: prevent unlimited numbers of rfkill events from being created Userspace can create an unlimited number of rfkill events if the system is so configured, while not consuming them from the rfkill file descriptor, causin...
CVE-2026-31539
In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...
CVE-2026-31646
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix pagepool error handling in lan966xfdmarxallocpagepool pagepoolcreate can return an ERRPTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through...
CVE-2026-31657
In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadvblaaddclaim can replace claim-backbonegw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences...
CVE-2026-31615
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesasusb3: validate endpoint index in standard request handlers The GETSTATUS and SET/CLEARFEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by...
CVE-2026-31535
In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirectsocket.recvio.credits.available The logic off managing recv credits by counting posted recvio and granted credits is racy. That's because the peer might already consumed a credit, but between...
CVE-2026-31565
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications e.g., rping are active. The netdev reset causes ice driver to remove irdma...
CVE-2026-31564
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix base address calculation in kvmeiointcregsaccess In function kvmeiointcregsaccess, the register base address is caculated from array base address plus offset, the offset is absolute value from the base address...
CVE-2026-31558
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Make kvmgetvcpubycpuid more robust kvmgetvcpubycpuid takes a cpuid parameter whose type is int, so cpuid can be negative. Let kvmgetvcpubycpuid return NULL for this case so as to make it more robust. This fix an...
CVE-2026-31608
In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free in smbdirectfreesendmsg after smbdirectflushsendlist smbdirectflushsendlist already calls smbdirectfreesendmsg, so we should not call it again after postsendmsg moved it to the batch list...
CVE-2026-31664
In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in buildpolexpire buildexpire clears the trailing padding bytes of struct xfrmuserexpire after setting the hard field via memsetafter, but the analogous function buildpolexpire does not do this for...
CVE-2026-31607
In the Linux kernel, the following vulnerability has been resolved: usbip: validate numberofpackets in usbippackretsubmit When a USB/IP client receives a RETSUBMIT response, usbippackretsubmit unconditionally overwrites urb-numberofpackets from the network PDU. This value is subsequently used as...
CVE-2026-31634
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix reference count leak in rxrpcserverkeyring This patch fixes a reference count leak in rxrpcserverkeyring by checking if rx-securities is already set...
CVE-2026-31591
In the Linux kernel, the following vulnerability has been resolved: KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish Lock all vCPUs when synchronizing and encrypting VMSAs for SNP guests, as allowing userspace to manipulate and/or run a vCPU while its state is being...
CVE-2026-31580
In the Linux kernel, the following vulnerability has been resolved: bcache: fix cacheddev.sbbio use-after-free and crash In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention: 6888366.280350 Call Trace: 6888366.280452...
CVE-2026-31641
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bounds rxrpcpreparsexdryfsrxgk reads the raw key length and ticket length from the XDR token as u32 values and passes each through roundupx, 4 before using the rounded value for validation a...
CVE-2026-31669
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in inetlookupestablished The ehash table lookups are lockless and rely on SLABTYPESAFEBYRCU to guarantee socket memory stability during RCU read-side critical sections. Both tcpprot and tcpv6prot ha...