13804 matches found
CVE-2026-23001
CVE-2026-23001 – Linux kernel macvlan UAF fix. Multiple connected advisories reference this CVE as a fix in the macvlan subsystem. The vulnerability is described as a use-after-free (UAF) in macvlan_forward_source(), with the fix adding RCU (read-copy-update) protection on (struct macvlan_source_en...
CVE-2025-39811
In CVE-2025-39811, the Linux kernel fixes a local denial-of-service risk in the DRM subsystem (xe) by clearing the scratch_pt error pointer in xe_vm_free_scratch() to prevent dereferencing an error pointer during cleanup. Root cause: potential dereference of an error pointer on error cleanup. Aff...
CVE-2025-39834
CVE-2025-39834: In the Linux kernel, a memory leak occurs in the mlx5 HWS path under the error flow of hws_action_get_shared_stc_nic when an invalid stc_type is provided. The function allocates memory for shared_stc but jumps to unlock_and_out without freeing it, causing a leak. The patch fixes ...
CVE-2025-39840
CVE-2025-39840 is a fixed out-of-bounds read in the Linux kernel's audit_compare_dname_path() when a watch on / coincides with a single-character create under / (e.g., /a). The root cause is that parent_len() returns 1 for "/"; audit_compare_dname_path() can set pathlen to 0 and dereference ...
CVE-2025-39853
CVE-2025-39853 affects the Linux kernel i40e driver. The issue arises when the MAC list is empty, as list_first_entry() can return a pointer to an invalid object, risking invalid memory access upon use. The advisory notes the fix is to replace list_first_entry() with list_first_entry_or_null(), p...
CVE-2025-39863
CVE-2025-39863 affects the Linux kernel’s wifi/brcmfmac path, specifically a use-after-free in brcmf_btcoex_info handling. The vulnerability arises from a race between brcmf_btcoex_detach() and brcmf_btcoex_timerfunc(): the timer handler can set timer_on to false while a detach is in progress, ca...
CVE-2025-39880
CVE-2025-39880 is a Linux kernel vulnerability affecting the libceph code path. Affected component: ceph_connection_v1_info access in the generic messenger code can read/write a union member (v1 vs v2) without validating which member is active. On 64-bit systems, con->v1.auth_retry can overlap...
CVE-2025-39884
The provided documents describe CVE-2025-39884 as a Linux kernel (btrfs) race where eviction and inode caching can lose a live btrfs_inode in root->inodes, breaking subvolume deletion. The root cause is a window in evict() between unhashed inode removal and xarray deletion, allowing a ...
CVE-2025-39889
CVE-2025-39889 affects the Linux kernel Bluetooth L2CAP stack by not properly validating the encryption key size on incoming connections. This failure can cause a mismatch between expected and actual key sizes, impacting security posture. Connected OSV data indicates Root has patched CVE-2025-398...
CVE-2025-40039
CVE-2025-40039 relates to the Linux kernel ksmbd subsystem. It describes a race condition in the RPC handle list (sess->rpc_handle_list) managed per ksmbd session. The underlying issue: in ksmbd_session_rpc_open(), xa_store() and xa_erase() modify the XArray but were guarded only by a read loc...
CVE-2025-40082
CVE-2025-40082 targets the Linux kernel’s hfsplus code and causes a slab-out-of-bounds read in hfsplus_uni2asc() when listing extended attributes. The issue arises because the expected unicode buffer structure size varies (hfsplus_attr_unistr vs hfsplus_unistr), so a previous fix was insufficient...
CVE-2025-68365
CVE-2025-68365 affects the Linux kernel ntfs3 code. The issue is an uninitialized memory use in fs/ntfs3 where memory allocated by __getname() (kmem_cache_alloc()) is used before being cleared. The documented fix is to allocate and clear memory with kmem_cache_zalloc(). The CVSS_base from the pro...
CVE-2025-71089
CVE-2025-71089 affects the Linux kernel via IOMMU Shared Virtual Addressing (SVA). In SVA, the IOMMU can cache kernel page-table entries, so freeing a kernel page-table page and reusing it could leave stale IOMMU entries, enabling use-after-free or write-after-free scenarios that could allow loca...
CVE-2025-71097
Technical details for CVE-2025-71097 are not provided in the connected documents. The sources confirm the CVE exists and is tracked in various advisories, but no further product/version/impact/fix specifics are included here. Monitor vendor advisories for updates.
CVE-2025-71161
CVE-2025-71161 affects the Linux kernel dm-verity feature, where recursive forward error correction could cause denial of service and potential data handling issues. The root cause is an overly deep recursive path in fec_read_bufs (up to four nested levels) that may loop excessively, and a shared...
CVE-2026-22986
CVE-2026-22986 concerns a race in Linux kernel gpiolib where two drivers calling gpiochip_add_data_with_key() can concurrently traverse gpio_name_to_desc() while another adds gdev to the list, creating a window where gdev->srcu is dereferenced before it is initialized. The result is a crash (k...
CVE-2026-23006
The CVE-2026-23006 issue in the Linux kernel ASoC: tlv320adcx140 driver was fixed by correcting a null pointer dereference in adcx140_priv when snd_soc_component is only used for dev access. The fix removes the null pointer path by properly initializing/handling snd_soc_component. Public updates ...
CVE-2026-23101
The CVE-2026-23101 issue affects the Linux kernel LED subsystem. The root cause is a race where an LED was added to leds_list before led_init_core() and before led_classdev.set_brightness_work is initialized. This could allow a default-trigger LED to call led_trigger_set() and queue an uninitiali...
CVE-2026-23104
CVE-2026-23104 describes a Linux kernel ice driver issue where devlink reload can trigger a call trace due to mismatched cleanup of the internal hwmon state. The root cause is that ice_hwmon_init() is invoked during feature init and ice_hwmon_exit() was tied to ice_remove(), which could leave a d...
CVE-2026-23106
CVE-2026-23106 concerns the Linux kernel timekeeping subsystem. The root cause is in __do_adjtimex(), which incorrectly references the core timekeeper’s tk_core when adjusting leap second state for an auxiliary timekeeper. This leads to a seqlock protocol violation where the timekeepers sequence ...
CVE-2026-23125
CVE-2026-23125 (Linux kernel SCTP): A null-pointer dereference in the SCTP transmit path could occur when SCTP-AUTH key initialization fails during INIT_ACK processing. The issue arises because SCTP_CMD_ASSOC_SHKEY is executed after PEER_INIT and can leave asoc->shkey NULL if key setup fails,...
CVE-2026-23193
CVE-2026-23193 affects the Linux kernel SCSI/iSCSI path (scsi: target: iscsi). The issue is a use-after-free in iscsit_dec_session_usage_count() where complete() is called while sess->session_usage_lock is held, risking use-after-free of iscsit_session during wakeup/deallocation. The fix relea...
CVE-2026-23195
The CVE-2026-23195 entry pertains to the Linux kernel, specifically the cgroup/dmem subsystem. The issue is a pool use-after-free (UAF) where a pool could still be held after its memory region is unregistered, leading to a local, kernel-space bug. The provided connected documents describe the roo...
CVE-2026-23203
CVE-2026-23203 relates to the Linux kernel cpsw driver. The fix changes the processing of the ndo_set_rx_mode callback to run in a work queue (net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue) rather than holding the RTNL lock during certain paths. Root cause involved a lock- and c...
CVE-2026-23212
CVE-2026-23212 affects the Linux kernel bonding driver where slave->last_rx (and target_last_arp_rx) data could be read and written locklessly, causing data races. The fix annotates these fields with READ_ONCE() and WRITE_ONCE(), addressing a KCSAN data race in bond_rcv_validate and related paths. C...
CVE-2026-23242
CVE-2026-23242 affects the Linux kernel RDMA/siw header processing: siw_tcp_rx_data may dereference a NULL qp->rx_fpdu if siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(). The fix adds a NULL check for rx_fpdu before accessing more_ddp_segs, preventing the NULL pointer dereference. P...
CVE-2026-23244
CVE-2026-23244 affects the Linux kernel and stems from nvme_pr_read_keys() allocating memory based on a user-supplied num_keys value. The code uses num_keys to determine the rse allocation size up to an upper limit PR_KEYS_MAX (64K). A malicious or buggy userspace input can cause a kzalloc-based ...
CVE-2026-23399
CVE-2026-23399 concerns the Linux kernel nf_tables code: when cloning the second stateful expression in a dynset element, the first expression could remain unfreed on error, causing a stateful memleak in error paths. The provided CVE description confirms a resolution in the kernel, with backtrace...
CVE-2026-31626
CVE-2026-31626 affects the Linux kernel’s rtl8723bs staging driver, specifically the rtw_BIP_verify() function. A u64 variable (le_tmp64) was not fully initialized, which Smatch warned could leave the last two bytes uninitialized (only 6 of 8 bytes copied). The issue is resolved by initializing l...
CVE-2026-31649
The CVE-2026-31649 issue affects the Linux kernel’s stmmac driver, where jumbo_frm() can underflow when processing fragmented packets. If nopaged_len is small but skb->len is large, len = nopaged_len - buf_len (with buf_len clamped to min(nopaged_len, bmax)) can still yield a large unsigned va...
CVE-2026-31717
In the Linux kernel ksmbd, a vulnerability allows an authenticated user to hijack an orphaned durable handle by reconnecting with a different security context. The issue stems from ksmbd not verifying that the requester’s SecurityContext matches the original opener when a durable handle is reconn...
CVE-2026-43120
In the Linux kernel RDMA/irdma driver, CVE-2026-43120 describes a double-free during rereg_user_mr when IB_MR_REREG_TRANS is set. If the trans reg path fails after allocating a new umem, the code releases it but fails to NULL the iwmr->region, causing ib_umem_release to be invoked again during...
CVE-2026-43190
The CVE-2026-43190 issue affects the Linux kernel netfilter xt_tcpmss TCP option parser. The root cause is reading op[i+1] without validating the remaining option length, which can cause an out-of-bounds read when i+1 == optlen. This could access memory past the option boundary (stack buffer _opt...
CVE-2026-43303
The CVE-2026-43303 issue affects the Linux kernel’s memory management in mm/page_alloc. Subsystems such as slub, shmem, and ttm expose page->private and fail to clear it before freeing pages. If freed pages are later allocated as high-order pages and split, tail pages may retain stale page->...
CVE-2026-43320
The CVE-2026-43320 entry concerns the Linux kernel’s drm/amd/display component. The root cause described across sources is a missing function hook check before use, which could affect dsc eDP handling. Public descriptions indicate a potential for instability or unexpected behavior in the display ...
CVE-2026-43327
CVE-2026-43327 affects the Linux kernel USB dummy-hcd code. The race involves usb_gadget_udc_reset() being invoked with a NULL second argument (driver) due to a race between USB reset and driver unbind, enabling a potential crash. The root cause was that stop_activity() could drop and re-acquire ...
CVE-2026-45972
The CVE-2026-45972 issue affects the Linux kernel SMB client, specifically smb2_open_file(), where improper handling could lead to memory corruption (UAF) or a double free during SMB2_open() retries. The fixed description states that zeroing err_iov and err_buftype before retrying SMB2_open() pre...
CVE-2026-45988
The CVE-2026-45988 issue affects the Linux kernel rxrpc subsystem: a RESPONSE packet that experiences a temporary failure could end up partially decrypted and be retried, risking communication disruption or resource exhaustion. The published fix discards the problematic packet and triggers a new ...
CVE-2026-46052
The CVE-2026-46052 issue concerns the Linux kernel Ceph filesystem where a negative dentry that is already hashed can be re-added to the dcache, corrupting the d_hash bucket and leading to an RCU stall or system hang. The root cause is that d_add() can rehash and reinstate a dentry that is alread...
CVE-2026-46159
The CVE-2026-46159 issue affects the Linux kernel’s Btrfs code, specifically btrfs_ioctl_space_info(). A TOCTOU race occurs between two passes over block group RAID type lists: the first pass counts entries for allocation, the second fills the buffer and releases the groups_sem lock. If entries s...
CVE-2026-46167
CVE-2026-46167 – Linux kernel usb/usblp heap leak: The vulnerability stems from an uninitialized status buffer (statusbuf) allocated at probe time for LPGETSTATUS. If a malicious printer returns zero bytes, a stale 8-byte heap region could be copied to userspace via LPGETSTATUS, causing a heap l...
CVE-2026-46173
CVE-2026-46173 concerns the Linux kernel. The issue arises when an already-exiting task oopses and make_task_dead() calls do_task_dead() with preemption enabled, while __schedule() must be called with preemption disabled. If a preempted oopsing task is still in the dead-state, finish_task_switch(...
CVE-2026-46177
The CVE-2026-46177 issue affects the Linux kernel IPMI driver. It describes a vulnerability where the driver could continuously fetch events and receive messages from the BMC (or become stuck) due to the BMC not signaling completion or the attn bit getting stuck. The documented fix limits event/m...
CVE-2026-46205
CVE-2026-46205 affects the Linux kernel atomisp driver (staging: media). The root cause is unsafe handling of private IOCTLs; the change disallows all private IOCTLs and returns early when cmd is non-zero to satisfy static checkers. This vulnerability is ...
CVE-2026-46220
CVE-2026-46220 affects the Linux kernel’s drm/amdgpu sdma4 fence emission. The vulnerability stems from two BUG_ON(addr & 0x3) assertions in sdma_v4_0_ring_emit_fence(), which could be triggered by unprivileged userspace submissions via DRM_IOCTL_AMDGPU_CS, causing a kernel panic in a scheduler w...
CVE-2026-46222
In CVE-2026-46222, the Linux kernel’s media: rockchip: rkcif driver was fixed by adding the missing MUST_CONNECT flag to pads, addressing a null-pointer dereference when a media stream is enabled. The issue arose from pads not reliably checking for connected devices, enabling a local attacker to ...
CVE-2026-46266
Summary (CVE-2026-46266): In the Linux kernel, RAW sockets using IPPROTO_RAW (255) could be triggered by a malicious incoming ICMP packet that sets the protocol field to 255 and matches a RAW socket, causing undesired FNHE cache changes. This issue has been resolved in updates cited across multip...
CVE-2026-46273
The CVE-2026-46273 entry describes a Linux kernel vulnerability in the ibmveth driver affecting Power systems: GSO offload fails when MSS < 224 bytes, potentially freezing the network adapter and causing DoS until a manual reset. The fix adds an ndo_features_check to disable GSO for MSS 1; si...
CVE-2022-49947
CVE-2022-49947: Linux kernel binder null-ptr dereference in alloc->vma_vm_mm. Connected reports confirm a fix: initialize alloc->vma_vm_mm during open() and cache from current->mm to guarantee safe mmap_lock usage when a binder_proc has not mmap’d to set up alloc space. Descriptions deta...
CVE-2022-49953
CVE-2022-49953 concerns the Linux kernel’s iio: light cm3605 driver. The issue is an error-handling path in cm3605_probe() that, after a fix, introduced a new error-path which should jump to the existing error-handling path to avoid resource leaks. The connected sources consistently describe this...