13804 matches found
CVE-2026-43121
CVE-2026-43121 involves the Linux kernel io_uring/zcrx race between scrub and refill paths. The non-atomic read-then-decrement of the user_refs can race with io_zcrx_scrub() using atomic_xchg, causing a double-free of a niov and an out-of-bounds write past the freelist array. The fix replaces the...
CVE-2026-43383
CVE-2026-43383 affects the Linux kernel’s TCP MD5 signature handling. The root cause is a non-constant-time MAC comparison, enabling potential timing attacks. The vulnerability is addressed by changing the MAC comparison to a constant-time implementation using the appropriate helper function. The...
CVE-2026-46149
Summary: CVE-2026-46149 affects the Linux kernel SCSI target subsystem, specifically the configfs path in tg_pt_gp_members_show(). The function formats LUN paths with snprintf() into a 256-byte stack buffer and then copies cur_len bytes via memcpy(), but snprintf() may return a length that exceed...
CVE-2022-50078
CVE-2022-50078 describes a resolved Linux kernel issue in the tracing subsystem (eprobes). The root cause is a NULL pointer dereference that occurs when event probes (eprobes) try to retrieve the instruction pointer (RIP) using registers, while eprobes do not use pt_regs. The fix, implemented in ...
CVE-2022-50089
CVE-2022-50089 affects the Linux kernel with the btrfs file system. The issue occurs when cow_file_range() fails mid-allocation (unlock=0) and may leave pages locked, potentially causing a hung task in zoned btrfs setups (as described in the provided reports). The included details show that the f...
CVE-2022-50119
The CVE-2022-50119 issue concerns the Linux kernel and a refcount leak in rpmsg_register_device_override. The root cause is that put_device was not invoked to free the vchan on a driver_set_override error path, risking a leak. The fix adds a put_device() in the error path to ensure proper resourc...
CVE-2022-50122
CVE-2022-50122 covers a Linux kernel vulnerability in the ASoC Mediatek MT8173-rt5650 driver. The root cause is a refcount leak where of_parse_phandle() returns a node pointer with an incremented refcount; the correct fix is to call of_node_put() when the reference is no longer needed. The provid...
CVE-2022-50193
CVE-2022-50193 concerns Linux kernel erofs: wake up all waiters after z_erofs_lzma_head is ready. The issue can cause the decompression thread to hang when mounting erofs a second time due to a sequence where Task A loads lzma config and fills z_erofs_lzma_head after Task B has already slept wait...
CVE-2022-50195
The CVE-2022-50195 entry concerns the Linux kernel (ARM) where the device tree for Qualcomm clocks declared a fixed-clock pxo_board, replacing the gcc PXO phandle. The gcc driver does not provide PXO_SRC because it’s a fixed clock, which could lead to a kernel panic if a driver tries to use it. T...
CVE-2022-50276
CVE-2022-50276 is a Linux kernel issue: when kmalloc() fails in kasprintf(), propname becomes NULL and a strcmp() dereferences it in of_get_property(), causing a NULL pointer dereference. The fix is to return ENOMEM when kasprintf() returns NULL. The vulnerability affects the kernel's power suppl...
CVE-2022-50295
CVE-2022-50295: In the Linux kernel io_uring/msg_ring path, a NULL pointer dereference occurs in io_msg_send_fd() when file_ptr is NULL, causing src_file to be NULL and get_file() to dereference a NULL pointer and trigger a crash. The issue was fixed by adding a NULL check in io_msg_send_fd(), pr...
CVE-2022-50405
CVE-2022-50405 affects the Linux kernel VXLAN path. A race in net/tunnel when deleting a vxlan device during packet reception could release the sock before sk_user_data readers finish, leading to a NULL pointer dereference in vxlan_ecn_decapsulate() / vxlan_get_sk_family(). The advisory notes thi...
CVE-2022-50408
The CVE-2022-50408 entry concerns a use-after-free in brcmfmac within the Linux kernel when handling wifi transmission in brcmf_netdev_start_xmit(). The vulnerability can allow a schedule race between brcmf_proto_tx_queue_data and updating skb stats, leading to a use-after-free observed by KASAN....
CVE-2022-50418
CVE-2022-50418 concerns the Linux kernel wifi path, specifically the ath11k MHI workflow. The issue: when mhi_alloc_controller() allocates mhi_ctrl and ath11k_mhi_read_addr_from_dt() fails, the code path returns without freeing the allocated controller, causing a memory leak. The documented fix a...
CVE-2022-50543
In CVE-2022-50543, Linux kernel RDMA/rxe has a double free of mr->map when rxe_mr_init_user() fails and rxe_mr_cleanup() is called. The root cause involved freeing mr->map twice in the error path, traced through prior commits and a revert, and has been fixed by making rxe_mr_cleanup() free ...
CVE-2023-53151
CVE-2023-53151 affects the Linux kernel’s md/raid10 path. The vulnerability arose because there was no limit for plugged bio during flush writes in raid10 (unlike raid1 which used cond_resched), allowing writeback activity to cause a soft lockup under heavy I/O. The public advisories describe a f...
CVE-2023-53180
Technical specifics (affected versions, exploit details, patch) are not provided in the connected documents. Monitor for updates regarding CVE-2023-53180 and its kernel fix for ath12k NULL pointer handling in management transmit cleanup.
CVE-2023-53185
CVE-2023-53185 exists in the Linux kernel: wifi/ath9k allows overwriting ENDPOINT0 attributes, enabling a bad USB device to craft a service-connection response where the target is ENDPOINT0 (reserved for HTC_CTRL_RSVD_SVC). The vulnerability is fixed in the kernel by rejecting such responses; imp...
CVE-2023-53188
CVE-2023-53188: In the Linux kernel, net: openvswitch: fix race on port output. The vulnerability arises when an Open vSwitch vport is racing with netns/namespace deletion, potentially triggering an infinite loop in skb_tx_hash in dev_queue_xmit if dev->real_num_tx_queues becomes 0 during unre...
CVE-2023-53210
CVE-2023-53210 affects Linux kernel md/raid5-cache code: a null pointer dereference can occur in r5l_flush_stripe_to_raid() when io completion is processed after the log end clears the list. The root cause is r5l_log_flush_endio() clearing the list before handling bio cleanup, which can lead to a...
CVE-2023-53211
The CVE-2023-53211 issue affects the Linux kernel’s driver core, where a struct acpi_pld_info *pld was not freed before returning on allocation failure, risking a memory leak. The fix adds ACPI_FREE() calls to release the allocated memory before the function exits. Connected documents confirm thi...
CVE-2023-53235
CVE-2023-53235: In the Linux kernel, a use-after-free can occur in drm_dev_put() during device-managed cleanup when a driver is freed after kunit-managed resources. The root cause is dereferencing a driver that has become freed due to mismatched resource lifetimes (driver allocated as kunit-manag...
CVE-2023-53254
CVE-2023-53254 is a Linux kernel vulnerability related to the cacheinfo shared_cpu_map. The issue occurs when the kernel checks that caches with the same index are shared, which can trigger slab-out-of-bounds access if CPUs have different cache hierarchies. A second problem is a mismatched shared...
CVE-2023-53270
Technical details about CVE-2023-53270 are not publicly provided in the supplied documents. Monitor upstream advisories and vendor notices for updates.
CVE-2023-53360
CVE-2023-53360 affects the Linux kernel NFSv4.2 path for READ_PLUS and can cause a hole-decode oops and scratch buffer NULL/length mismatch due to reworked scratch handling that reused an nfs_pgio_header across multiple requests. The root cause is that multiple reads could be sent with a single n...
CVE-2023-53362
CVE-2023-53362: Linux kernel fix for bus: fsl-mc – do not assume all child devices are fsl-mc devices. The fix adds a device-type check when enumerating fsl-mc child devices to prevent a VFIO binding crash caused by a mis-created pseudo-device. Affected: Linux kernel (fsl-mc VFIO path); Root cau...
CVE-2023-53396
The CVE-2023-53396 issue affects the Linux kernel ubifs: memory leak in do_rename when renaming a file in an encrypted directory. The leak stems from fscrypt_setup_filename allocating memory for the file name, which is never used and is not freed before returning. kmemleak shows the unreferenced ...
CVE-2023-53416
CVE-2023-53416 affects the Linux kernel USB isp1362 driver. The issue is a memory leak caused by calling debugfs_lookup() without releasing the result with dput(), allowing leaked memory over time. The fix simplifies the handling by using debugfs_lookup_and_remove(), which performs the lookup and...
CVE-2023-53417
CVE-2023-53417 affects the Linux kernel USB sl811 path. The issue is a memory leak that occurs when debugfs_lookup() is used without releasing the result with dput(). The published fix replaces this flow with debugfs_lookup_and_remove(), which handles the required cleanup in one step. The connect...
CVE-2023-53425
CVE-2023-53425 affects the Linux kernel’s Mediatek VPU driver (media: platform: mediatek: vpu). The issue is a NULL pointer dereference when pdev is NULL, which could occur during vpu firmware loading in mtk_vpu.c (vpu_load_firmware). The vulnerability is mitigated by a fix that prevents derefere...
CVE-2023-53431
The CVE-2023-53431 entry concerns Linux kernel SCSI SES: the fix ensures graceful handling when an enclosure has a primary component but no secondary components. Previously, devices with one primary enclosure and zero secondary enclosures could cause ses_intf_add() to bail, potentially triggering...
CVE-2023-53440
In CVE-2023-53440, the Linux kernel nilfs2 sysfs interface had lifetime timing issues that could lead to inode NULL pointer dereferences or use-after-free, and lockdep warnings. Specifically, nilfs_sysfs_create_device_group creates sysfs attributes for per-filesystem metadata (cpfile, sufile, dat...
CVE-2023-53443
CVE-2023-53443 affects the Linux kernel mfd Arizona driver. The root cause is a refcount leak in arizona_clk32k_enable() caused by using pm_runtime_get_sync(), which can increase the refcount even on error. The fix is to use pm_runtime_resume_and_get() to avoid leaking references. Impact per advi...
CVE-2023-53635
CVE-2023-53635 concerns a Linux kernel conntrack timeout bug in nfnetlink_queue: the nf_conn->timeout value could be doubled/subtracted due to incorrect handling when unconfirmed vs. confirmed conntracks. The connected OpenVAS/Nessus entries document the fix as separating how ct->timeout is...
CVE-2023-53673
The CVE-2023-53673 issue is a Linux kernel Bluetooth vulnerability in the hci_event path. In hci_cs_disconnect, hci_conn_del is called even when disconnection failed, and ISO/L2CAP/SCO can reference hci_conn without hci_conn_get, so disconn_cfm must be called to clean up the conn; otherwise a use...
CVE-2025-38209
CVE-2025-38209 is rooted in the Linux kernel nvme-tcp admin queue setup path. The patch sequence called nvme_tcp_configure_admin_queue() twice during nvme_tcp_setup_ctrl(): the first call (new=true) succeeds to prepare for DH-CHAP negotiation; the second call (new=false) is needed for secure conc...
CVE-2025-38252
The CVE-2025-38252 entry concerns the Linux kernel (cxl/ras) where CPER handler device confusion could lead to crashes. The fix, as described across connected sources, is to validate that a PCIe endpoint is actually a cxl_memdev before relying on driver data formats and to relocate the lock to th...
CVE-2025-38398
The CVE-2025-38398 issue concerns the Linux kernel driver for spi-qpic-snand. The root cause is out-of-bounds memory access in BAM transactions due to allocating BAM memory for only a single codeword during probe; as a result, operations can exceed allocated space, causing memory corruption, NULL...
CVE-2025-38628
CVE-2025-38628 affects the Linux kernel mlx5 vdpa path. The issue was a resource cleanup bug where cleanup paths could operate on uninitialized resources, triggering a splat when adding a vdpa device without a MAC address. The fixes ensure mlx5_vdpa_free() is the single entrypoint for removing vd...
CVE-2025-38686
CVE-2025-38686 describes a Linux kernel local crash in userfaultfd’s UFFDIO_MOVE when encountering a migration PMD entry. The fix adds a missing check and delegates migration-entry handling to split_huge_pmd(), and removes an unnecessary folio check. Upstream commits (e.g., 7f1101a0a181243ad587ec...
CVE-2025-38688
CVE-2025-38688: In the Linux kernel’s iommufd code, ALIGN() overflow could occur while allocating IOVA ranges near ULONG_MAX, risking overlapping mappings or mapping against reserved ranges. The fix uses get_add_overflow() to guard ALIGN() and consolidates the checks under a single helper. Public...
CVE-2025-38722
CVE-2025-38722: Linux kernel HABANA Labs export_dmabuf() UAF due to race between descriptor table fd_install() and object destruction in ->release(). Root cause: a descriptor in dma_buf_fd() may be installed and used while the referenced file/object could be freed, leading to use-after-free. M...
CVE-2025-39680
The CVE-2025-39680 entry concerns the Linux kernel I2C RTL9300 driver. The vulnerable code path is rtl9300_i2c_smbus_xfer, where data->block[0] is sourced from user input and could be very large, enabling an out-of-bounds access. The issue is remedied by validating data->block[0] before use. Aff...
CVE-2025-39727
The CVE-2025-39727 entry concerns a Linux kernel vulnerability in memory management swap code. The issue is a potential buffer overflow in setup_clusters() triggered when setup_swap_map() validates badpages only up to (0, last_page], and maxpages may be less than last_page, causing setup_clusters...
CVE-2025-39742
CVE-2025-39742 - RDMA: hfi1 divide-by-zero in find_hw_thread_mask() (Linux kernel). Affects: Linux kernel RDMA hfi1 path; vulnerability arises from dividing the number of online CPUs by num_core_siblings, followed by a zero-division check. Root cause: division performed before validating the divis...
CVE-2025-39779
Summary: CVE-2025-39779 is a Linux kernel vulnerability in btrfs subpage handling. The issue occurs when btrfs_subpage_set_writeback() clears the PAGECACHE_TAG_TOWRITE tag on a folio that still has dirty blocks, breaking WB_SYNC_ALL/ordering guarantees and potentially causing a failure (e.g., an ...
CVE-2025-39790
CVE-2025-39790: In the Linux kernel, the bus: mhi: host implementation could mis-handle completion events when a device points a TRE pointer ahead of the host’s ring read pointer, enabling a window where a stale TRE is read and its buffer freed twice. The published description documents that thi...
CVE-2025-39811
In CVE-2025-39811, the Linux kernel fixes a local denial-of-service risk in the DRM subsystem (xe) by clearing the scratch_pt error pointer in xe_vm_free_scratch() to prevent dereferencing an error pointer during cleanup. Root cause: potential dereference of an error pointer on error cleanup. Aff...
CVE-2025-39834
CVE-2025-39834: In the Linux kernel, a memory leak occurs in the mlx5 HWS path under the error flow of hws_action_get_shared_stc_nic when an invalid stc_type is provided. The function allocates memory for shared_stc but jumps to unlock_and_out without freeing it, causing a leak. The patch fixes ...
CVE-2025-39840
CVE-2025-39840 in the Linux kernel is a fixed out-of-bounds read in audit_compare_dname_path() when a watch on / coincides with a single-character create under / (e.g., /a). The root cause is that parent_len() returns 1 for "/"; audit_compare_dname_path() can set pathlen to 0 and dereference ...