CVE-2026-23466
The CVE-2026-23466 vulnerability affects the Linux kernel’s drm/xe component, where GGTT MMIO access was only protected by hotplug mechanics (drm_dev_enter). If a driver fails to load or during teardown when BOs may be freed asynchronously, drm_dev_unplug() may not be invoked and the MMIO region ...
CVE-2025-39833
CVE-2025-39833 (Linux kernel) Root cause: when unloading the hfcpci module with CONFIG_DEBUG_OBJECTS_TIMERS enabled, an uninitialized timer could trigger a kernel warning path during deletion, as shown in the stack trace and timer-related debug prints. Impact: locally leveraged by a privileged co...
CVE-2025-39886
CVE-2025-39886 in the Linux kernel relates to a locking issue triggered when bpf_map_kmalloc_node() is called from __bpf_async_init(), potentially affecting memcg accounting and causing MEMCG_MAX events. The documented fix changes the bpf_timer_init() path to use allow_spinning=false and, per ups...
CVE-2025-39902
CVE-2025-39902 is a Linux kernel vulnerability where mm/slub could crash if object metadata is accessed when the object pointer is NULL or invalid. The root cause is that object_err() attempts to report object details (freelist pointer, redzone, etc.) even when the pointer is not pointing to a va...
CVE-2025-39923
CVE-2025-39923 concerns the Linux kernel dmaengine/qcom BAM driver. The root cause was missing error handling in DT parsing for required properties (clock and num-channels), which could allow probing to proceed unsafely and read channels from registers, risking early boot crashes across Qualcomm ...
CVE-2025-39964
CVE-2025-39964 affects the Linux kernel crypto: af_alg where two concurrent writes to the same af_alg socket could interleave data and corrupt internal socket state. The fix adds a dedicated exclusive ownership indicator (ctx->write) to prevent concurrent writes and ensure serialized access. I...
CVE-2025-71154
CVE-2025-71154 concerns Linux kernel code for the rtl8150 USB driver. When usb_submit_urb() fails in async_set_registers(), the allocated async_req and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() frees these allocations only after a successful URB submissi...
CVE-2026-23074
CVE-2026-23074 is a Linux kernel vulnerability in net/sched teql where the teql queuing discipline may be used outside its intended root qdisc, allowing a crafted packet sequence to create a use-after-free scenario in the qfq/qos path due to queue length (qlen) handling. The root cause is that te...
CVE-2026-23132
CVE-2026-23132: Linux kernel vulnerability in the dw-dp bridge (drm/bridge: synopsys: dw-dp) resolved. The issue concerned error handling in dw_dp_bind(), with three problems: (1) Missing return after drm_bridge_attach() failure, causing continued execution; (2) Resource leak where drm_dp_aux_un...
CVE-2026-23194
CVE-2026-23194 relates to the Linux kernel rust_binder handling of FDA objects of length zero. The issue was an out-of-bounds write when an empty fd-array (FDA) with 0 fds was processed, caused by treating skip == 0 as a special “pointer fixup.” The fix replaces this zero-special-case pattern (ori...
CVE-2026-23204
CVE-2026-23204 affects the Linux kernel net/sched cls_u32. The root cause is that skb_header_pointer() does not fully validate negative @offset values, enabling a slab-out-of-bounds condition in u32_classify() (reported as BUG: KASAN). The fix replaces skb_header_pointer() with skb_header_pointer...
CVE-2026-23209
CVE-2026-23209 is a Linux kernel macvlan bug. The issue occurs in macvlan when creating a new link with MACVLAN_MODE_SOURCE and MACVLAN_MACADDR_ADD/SET and the lower device already has a macvlan port, causing a use-after-free after a failed register_netdevice() in the create path. Upstream kernel...
CVE-2026-23229
CVE-2026-23229 is a Linux kernel vulnerability in virtio-crypto where missing spinlock protection around virtqueue done notifications can cause hangs (e.g., openssl speed benchmark with multi-process workloads). Root cause: data virtqueue handling without spinlock protection in virtcrypto_done_ta...
CVE-2026-31448
CVE-2026-31448 concerns the Linux kernel ext4 filesystem. The issue arises on mkdir/mknod when an extent insertion fails and ext4_ext_map_blocks() reclaims blocks without removing corresponding data from the extent tree, allowing the same physical block to be referenced by both directory and xatt...
CVE-2026-46054
CVE-2026-46054 affects the Linux kernel SELinux overlayfs access checks for mmap() and mprotect(). The issue arises from insufficient enforcement of backing-file access between the user file and backing file, potentially bypassing policies. A patch introduces security_mmap_backing_file() to enfor...
CVE-2026-46218
The vulnerability CVE-2026-46218 affects the Linux kernel DRM AMDGPU driver. The issue is in ib_get_value/ib_set_value where the uvd/vce/vcn code accessed the Instruction Buffer (IB) at predefined offsets without verifying the IB size, enabling out-of-bounds reads/writes. The root cause is missin...
CVE-2026-46238
CVE-2026-46238 affects the Linux kernel’s BAT IV implementation via the batman-adv subsystem. The issue stems from caching an auxiliary originator pointer derived from a temporary lookup in neigh_node state, where the pointer can be freed or become stale after purge handling. The documented fix i...
CVE-2022-50114
CVE-2022-50114 affects the Linux kernel 9p subsystem. The root cause is a refcount leak in p9_read_work() error handling when m->rreq->rc.sdata is NULL; p9_req_put must be called to avoid the leak. Affected component: net/9p (p9_read_work). The fix is documented in kernel commits (e.g., 34b...
CVE-2022-50246
CVE-2022-50246 involves a refcount leak in the Linux kernel’s usb: typec: tcpci subsystem. The vulnerability stems from tcpci_register_port()’s use of the fwnode-derived node in tcpci_parse_config(), where the node’s refcount is increased by device_get_named_child_node() but not balanced in all e...
CVE-2022-50332
CVE-2022-50332 concerns a Linux kernel issue in video/aperture where sysfb_disable() must be called from aperture_remove_conflicting_pci_devices() before removing PCI devices to prevent simpledrm from binding to simple-framebuffer devices after the driver takes over. The vulnerability is describe...
CVE-2022-50432
CVE-2022-50432: The Linux kernel kernfs use-after-free is caused by a race where the root node is freed during kernfs_drain(), allowing concurrent kernfs_remove_by_name_ns() calls to dereference freed memory. The fix adds an extra reference to the root of the tree before calling __kernfs_remove(...
CVE-2023-53195
CVE-2023-53195 affects the Linux kernel mlxsw minimal subsystem. The vulnerability stems from a memory leak in mlxsw_m_linecards_init(), where the line cards array was not freed in the error path. The patch fixes this by freeing the array in the error path, making it equivalent to mlxsw_m_linecar...
CVE-2023-53397
Technical details about CVE-2023-53397 (Linux kernel modpost off-by-one in is_executable_section) are not publicly available in the provided connected documents. Monitor for updates from vendors/security advisories.
CVE-2025-38308
CVE-2025-38308 affects the Linux kernel ASoC Intel AVS path during hardware initialization. The root cause is a potential null pointer dereference in avs_dai_find_path_template(); the fix drops the search since the template is already known when avs_hw_constraints_init() fires. Affected/impacted:...
CVE-2025-38370
CVE-2025-38370 concerns a Linux kernel issue in the BTRFS free-space-tree rebuild path. When rebuilding the free-space tree, allocating a new metadata block group could trigger multiple transactions; during the rebuild, btrfs_rebuild_free_space_tree() may encounter newly inserted block groups and...
CVE-2025-38431
The CVE-2025-38431 entry concerns the Linux kernel SMB client regression related to native SMB symlinks. The available connected document details indicate the vulnerability was addressed by restoring the ability of the client to perform lstat(2) and readlink(2) operations even when the symlink ta...
CVE-2025-38547
CVE-2025-38547 affects the Linux kernel IIO ADC driver for the AXP20x family (AXP717). The issue is a missing sentinel entry in the AXP717 ADC channel maps, which leads to a KASAN warning. The described remediation is to add the missing sentinel entry to the channel maps. The provided material do...
CVE-2025-38589
The connected documents confirm CVE-2025-38589 relates to a null-ptr-deref in neigh_flush_dev() within the Linux kernel, fixed by reverting to hash-table iteration in neigh_table_clear() after introducing per-netdev neighbour lists. The issue was triggered by neigh_table_clear() calling neigh_ifd...
CVE-2025-38625
The CVE-2025-38625 issue concerns the Linux kernel vfio/pds driver. When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci driver, probe fails with a WARN_ON trace because vfio_device_ops.detach_ioas isn’t set. The vulnerability is resolved by applying a fix that uses the generic vfio_io...
CVE-2025-38631
CVE-2025-38631 affects the Linux kernel clock framework (clk/imx95-blk-ctl). When enabling runtime PM for clock suppliers that share a power domain, a crash can occur (synchronous external abort) during clock provider registration. The root cause is improper runtime PM handling that can cut power...
CVE-2025-38675
CVE-2025-38675 affects the Linux kernel xfrm subsystem. The issue arises when preemption causes xfrm_state_look_at to search on a different pcpu (CPU2 vs CPU1); if a state for CPU2 is found in the state_cache during the lookup, the code may enter the acquire block with state_ptrs not initialized....
CVE-2025-38699
CVE-2025-38699 is a Linux kernel double-free fix in the SCSI bfad (bfa) path. When bfad_im_probe() fails during init, bfad->im is freed but not set to NULL. If the driver is later uninstalled and bfad_sm_stopping triggers bfad_im_probe_undo(), the memory at bfad->im can be freed again, enab...
CVE-2025-38707
CVE-2025-38707 is a Linux-kernel NTFS3 file-name sanity-check vulnerability. The issue arises from a too-long file name not being validated against the directory-entry size, potentially enabling local escalation when processing NTFS names. The CVE entry in the initial doc shows a HIGH impact with...
CVE-2025-38712
CVE-2025-38712 refers to a Linux kernel issue in the hfsplus code path. Root cause: when the volume header has values not reflecting the filesystem state, hfsplus_fill_super() may assume the attributes file isn’t created and call hfsplus_create_attributes_file(), hitting a BUG_ON(). The fix repla...
CVE-2025-38714
CVE-2025-38714 affects the Linux kernel’s HFS+ subsystem. The issue is a slab-out-of-bounds in hfsplus_bnode_read(), leading to potential memory corruption during operations that touch HFS+ bnodes. The connected advisories indicate a fix has been applied in upstream kernel code (hfsplus_bnode_rea...
CVE-2025-38737
CVE-2025-38737 affects the Linux kernel CIFS implementation. The issue is an oops caused by an uninitialised variable in smb3_init_transform_rq(), where the buffer used by netfs_alloc_folioq_buffer() could be read/modified unexpectedly. The fix initializes the buffer to NULL before calling netfs_...
CVE-2025-39675
CVE-2025-39675 affects the Linux kernel DRM/AMD display path. In mod_hdcp_hdcp1_create_session(), get_first_active_display() may return NULL when the display list is empty, causing a NULL pointer dereference. The fix adds a NULL pointer check and returns MOD_HDCP_STATUS_DISPLAY_NOT_FOUND. This mi...
CVE-2025-39713
The CVE-2025-39713 entry concerns the Linux kernel media: rainshadow-cec driver, where rain_interrupt() performed a buffer-full check on rain->buf_len before acquiring rain->buf_lock. This TOCTOU race could allow concurrent interrupts to overflow the buffer (DATA_SIZE) by writing beyond cap...
CVE-2025-39724
CVE-2025-39724 affects the Linux kernel serial 8250 driver. When PSLVERR_RESP_EN=1, an error response can be generated reading an empty RBR with FIFO enabled due to a race in serial8250_do_startup/DW paths. The fix wraps serial_port_out(port, UART_LCR, UART_LCR_WLEN8) under port->lock to preve...
CVE-2025-39743
CVE-2025-39743 refers to a Linux kernel vulnerability in the JFS file system where inode pages were not truncated during eviction when the inode’s hard link count was 0. The reproducer observed AGGR_RESERVED_I on the inode copy and eviction with hard link 0, causing clear_inode() to trigger becau...
CVE-2025-39763
CVE-2025-39763 affects the Linux kernel and describes an ACPI: APEI path where a synchronous memory error that is not recovered can cause the kernel to queue memory_failure() and poison a page, unmap it, and send SIGBUS to the triggering process to avoid a system-wide panic. The issue arises when...
CVE-2025-39770
CVE-2025-39770 affects the Linux kernel’s GSO/TSO handling for IPv6. When performing GSO on IPv6 packets with extension headers, the kernel may request checksum offload even though the egress device only advertises NETIF_F_IPV6_CSUM, which explicitly does not support offloading for packets with e...
CVE-2025-39792
CVE-2025-39792 concerns the Linux kernel, where zoned DM targets (dm-crypt and dm-flakey) could previously encounter unsafe BIO splitting when handling zone append emulation. The advisory states that dm_accept_partial_bio() must not split writes passed to the map() function and that large BIOs mu...
CVE-2025-39807
CVE-2025-39807: Open kernel vulnerability in the Linux kernel's DRM/Mediatek path, where after a hotplug event the cursor update could dereference NULL old_state->crtc, causing a kernel panic. The connected security sources confirm the fix adds NULL pointer checks to ensure stability by preventin...
CVE-2025-39810
CVE-2025-39810 – bnxt_en memory corruption fix in the Linux kernel driver. The issue arises when FW resources change during interface down, where bnxt_set_dflt_rings() can size bp->tx_ring[] too small if bp->num_tc > 1, permitting memory corruption in bnxt_alloc_cp_rings(). The root caus...
CVE-2025-39813
CVE-2025-39813 concerns the Linux kernel ftrace subsystem. A race between ftrace_dump() and trace_pipe reads could trigger WARN_ON_ONCE in trace_printk_seq() when trace data is consumed by other readers, causing iter.seq to be mispopulated. The documented fix moves the trace_printk_seq() call ins...
CVE-2025-39831
The CVE-2025-39831 entry describes a Linux kernel issue in the fbnic driver where phylink resume was invoked under an RTNL locking condition during PM resume, causing a locking assertion in phylink.c and a kernel warning. The root cause is moving phylink resume out of the service_task and into op...
CVE-2025-39836
CVE-2025-39836 is a Linux kernel issue described as resolved: the EFI stmm path allocated a communication buffer with kmalloc(), while the consumer expects contiguous pages, risking corruptions/BUGs. The fix switches from kmalloc() to alloc_pages_exact() in setup_mm_hdr() so buffers passed to tee...
CVE-2025-39845
CVE-2025-39845: In the Linux kernel, the patch defines ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page-table synchronization when calling p*d_populate_kernel(). For 5-level paging, synchronization uses pgd_populate_kernel(); for 4-level paging, pgd_populate() is a no-op ...
CVE-2025-39860
CVE-2025-39860 – Linux kernel Bluetooth UAF in l2cap_sock_cleanup_listen(). The vulnerability arises from a race between bt_accept_dequeue() and l2cap_sock_cleanup_listen() where a socket could be freed while another path still holds a reference. The root cause is a race in the l2cap_sock_cleanu...