CVE-2025-38522
CVE-2025-38522 fixes a Linux kernel issue in sched/ext where update_locked_rq() could be called with a NULL runqueue (rq). The patch ensures update_locked_rq() is invoked only when rq is non-NULL, preventing unsafe __this_cpu_write() usage in preemptible contexts. The vulnerability description no...
CVE-2025-38570
CVE-2025-38570 is described in the initial document as a Linux kernel issue in the fbnic AF_XDP path, where a UaF occurs in xsk_bind() due to NAPI handling: NAPI is freed and the NAPI pointer is not cleared from the queue after a device open failure. The report indicates a local attack vector wit...
CVE-2025-38598
CVE-2025-38598: The affected component is the Linux kernel amdgpu driver (AMDGPU) code; the issue is a use-after-free in amdgpu_userq_suspend (addressing a slab-use-after-free). The vulnerability is reported with a read of size 8 during pci_unplug/remove flow, as part of a KASAN report. The entry ind...
CVE-2025-38600
CVE-2025-38600: In the Linux kernel, a vulnerability in wifi/mt76/mt7925 was fixed: an off-by-one error in mt7925_mcu_hw_scan() where the ssid->ssids[] and sreq->ssids[] arrays (MT7925_RNR_SCAN_MAX_BSSIDS) could trigger an out-of-bounds access. The root cause is the comparison (>=) whic...
CVE-2025-38607
CVE-2025-38607 relates to the Linux kernel BPF_JSET conditional jump; verifier.c:can_jump() could miscompute live registers and SCC during CFG analysis, potentially affecting correctness of analysis. The issue was resolved by handling jset jumps in CFG computation. Affected component: BPF/JSET ha...
CVE-2025-38633
The CVE-2025-38633 entry concerns the Linux kernel clock framework: the spacemit clock PLL1_d8, which is a dependency for multiple clocks (including APB/AXI). Root cause: during a -EPROBE_DEFER handling for a reset controller, the CLK_DMA path was enabled, then temporarily disabled, causing the P...
CVE-2025-38719
The CVE-2025-38719 entry concerns the Linux kernel net hibmcge: when the network port is down, a released queue can yield ring->len = 0, triggering a division by zero in hbg_get_queue_used_num() called from debugfs. The provided patch adds a guard: if ring->len is 0, hbg_get_queue_used_num()...
CVE-2025-38726
CVE-2025-38726 affects the Linux kernel driver net ftgmac100. The issue arises in ftgmac100_phy_disconnect: after phy_disconnect(), netdev->phydev is reset to NULL, which could cause fixed_phy_unregister() to be invoked with a NULL pointer. The connected documents confirm this NULL-pointer use...
CVE-2025-39712
The CVE-2025-39712 issue affects the Linux kernel media/mt9m114 driver. The deadlock occurred when using V4L2 subdev pad ops get_frame_interval/set_frame_interval due to locking in the subdev state plus the driver. The fix removes the redundant lock operations from mt9m114_ifp_get_frame_interval(...
CVE-2025-39720
CVE-2025-39720 concerns the Linux kernel ksmbd subsystem. The issue is a refcount leak: when ksmbd_conn_releasing(opinfo->conn) returns true, the refcount is not decremented properly, preventing memory release and potentially causing resource leak. Multiple connected sources describe the same ...
CVE-2025-39725
CVE-2025-39725 affects the Linux kernel, specifically the hwpoison handling path in mm/vmscan shrink_folio_list. The issue occurs when a hwpoisoned large folio (THP) cannot be mapped/unmapped properly; without TTU_SPLIT_HUGE_PMD, a null-ptr dereference can occur in pvmw.pte, and even with the fla...
CVE-2025-39745
CVE-2025-39745 relates to the Linux kernel rcutorture code path in PREEMPT_RT builds. The issue manifests as a splat in rcutorture_one_extend_check() during RT testing due to an interaction with preempt_count/softirq handling; Debian/OSS and OSV/NVD records indicate the vulnerability has been res...
CVE-2025-39753
CVE-2025-39753 relates to the Linux kernel’s gfs2 code. The vulnerability is resolved by a patch that adds the .migrate_folio flag in gfs2_{rgrp,meta}_aops, addressing a warning: gfs2_meta_aops does not implement migrate_folio, triggering messages during xfstests. The described impact is the supp...
CVE-2025-39759
CVE-2025-39759 affects the Linux kernel’s btrfs quota subsystem. A race between disabling quotas and running btrfs_ioctl_quota_rescan() can lead to a use-after-free of qgroup records in fs_info->qgroup_tree due to Task B freeing qgroups without holding fs_info->qgroup_lock while Task A iter...
CVE-2025-39780
The CVE-2025-39780 entry concerns the Linux kernel sched_ext scheduler. The issue was an invalid task state transition during class switch, caused by skipping initialization for tasks that are already dead (usage counter zero) and not excluding them during the scheduling class transition. The res...
CVE-2025-39827
CVE-2025-39827 concerns the Linux kernel net/rose subsystem: the rose_neigh refcounting used two separate counters (count from rose_node and use from rose_sock). The patch merges these into a single refcount (use) and updates rose_rt_free(), rose_rt_device_down(), and rose_clear_route() to releas...
CVE-2025-39854
CVE-2025-39854 affects the ice driver in the Linux kernel. The ice_ll_ts_intr() path could dereference a NULL tracker or use-after-free if the ice_ptp_tx tracker isn’t initialized. The fix gates access on the tracker’s initialized state and ensures reset clears the init flag under lock to prevent...
CVE-2025-39890
CVE-2025-39890 fixes a memory leak in the Linux kernel’s ath12k driver. In ath12k_service_ready_ext_event(), the code path that handles a failure does not free svc_rdy_ext.mac_phy_caps, leading to a leaked 1024-byte object reported by kmemleak. The patch ensures that mac_phy_caps is freed in erro...
CVE-2025-39961
Summary. CVE-2025-39961 covers a race in the AMD IOMMU pgtable path where unmap may read pgtable->[root/mode] without a lock while the driver increases address space. This can lead to reading a mismatched page-table level, causing iommu_unmap to fail and upper layers to log WARN_ON. The fix, i...
CVE-2025-39967
CVE-2025-39967 affects the Linux kernel, specifically a vulnerability in fbcon_do_set_font where integer overflow in font size calculations could occur when processing user-controlled parameters. The issue stems from unsafe size calculations in CALC_FONTSZ(h, pitch, charcount) and related allocat...
CVE-2025-40251
Technical details for CVE-2025-40251 are not publicly available in the provided documents. No affected products or fixes are specified here. Monitor for updates in forthcoming advisories.
CVE-2025-68211
CVE-2025-68211 (Linux kernel, KSM) is addressed by a patch that changes scan_get_next_rmap_item from per-address walking to a range walk using walk_page_range, allowing KSMD to skip unmapped holes in large VMAs. The fix targets inefficiency where KSMD would otherwise scan vast address spaces with...
CVE-2025-71148
CVE-2025-71148 affects the Linux kernel networking code (net/handshake). The issue: handshake_req_submit() overwrites sk->sk_destruct on submission, but does not restore it if an error occurs before hashing, causing handshake_sk_destruct() to return early and leak the socket. The fix is to res...
CVE-2025-71189
Technical details for CVE-2025-71189 are not provided in the connected documents; the available sources only reference the vulnerability and fix at a high level. Monitor for updates.
CVE-2025-71285
Summary of the CVE-2025-71285 cluster: The Linux kernel’s net/qrtr MHI auto_queue feature for IPCR DL channels is being removed. The race occurs when the MHI stack can call the DL path callback before the QRTR client driver is fully initialized, risking NULL pointer dereferences. The fix disables...
CVE-2026-22980
The CVE-2026-22980 issue is confirmed to affect the Linux kernel and is addressed by a patch that fixes a race between v4_end_grace writes and server shutdown. The fix introduces two new fields in the nfsd network context: client_tracking_active (protected by nn->client_lock) and grace_end_for...
CVE-2026-22993
CVE-2026-22993 affects the Linux kernel idpf RSS LUT handling after a soft reset. The vulnerability causes a NULL pointer dereference when an ethtool operation accesses the RSS LUT immediately after reset, due to the LUT being freed and not restored unless the interface is up. The fix updates the...
CVE-2026-22994
CVE-2026-22994 in the Linux kernel is due to a reference-count leak in the bpf_prog_test_run_xdp path (bpf: Fix reference count leak in bpf_prog_test_run_xdp()). The issue arises from refcount handling between xdp_convert_md_to_buff() and xdp_convert_buff_to_md() and may affect the bpf_prog_test_...
CVE-2026-23000
CVE-2026-23000 concerns the Linux kernel mlx5e driver. The issue occurs when mlx5e_netdev_change_profile fails to attach a new profile and then cannot rollback to the old one, leaving a dangling netdev with a reset priv. A second change-profile attempt (e.g., via switchdev) can crash when derefer...
CVE-2026-23017
CVE-2026-23017 affects the Linux kernel idpf driver. Root cause: if init_task fails during driver load, vports/netdevs are not created and a reset can crash while service/mailbox tasks run. Fix: in the init_task error path, disable service/mailbox tasks and stop PTP callbacks; ensures proper clea...
CVE-2026-23085
CVE-2026-23085 affects the Linux kernel irqchip/gic-v3-its on 32-bit ARM with CONFIG_ARM_LPAE, where lowmem allocations could be backed by physical memory above 4 GB. The ITS driver stored a 32-bit address in an unsigned long, triggering truncation. The fix changes the itt_addr and related physic...
CVE-2026-23121
Technical details for CVE-2026-23121 are not provided in the supplied documents. No affected products, root cause, or remediation are stated here. Monitor for updates from the vendor/security advisories.
CVE-2026-23138
In CVE-2026-23138, the Linux kernel fixes an infinite recursion bug triggered when tracing the RCU events with the stack-trace trigger enabled. The patch expands ftrace recursion protection by adding a set of bits to protect events from recursion across contexts (normal, softirq, interrupt, and N...
CVE-2026-23188
CVE-2026-23188 affects the Linux kernel’s net/usb rtl8152 driver. The issue arises on resume: rtl8152_resume triggers a device reset while holding tp->control mutex, and reset path re-enters rtl8152 and tries to acquire the same lock, creating a recursive mutex deadlock. The result is a DPM ti...
CVE-2026-23192
Summary (CVE-2026-23192): This is a use-after-free in the Linux kernel’s linkwatch subsystem. When a network device is deleted while linkwatch events are pending, the device reference may be freed prematurely (in linkwatch_do_dev), allowing __linkwatch_run_queue to access a freed device. The fix...
CVE-2026-23207
CVE-2026-23207 concerns the Linux kernel SPI Tegra210 quad driver. The issue arose because curr_xfer accesses were not consistently protected by the lock in the IRQ thread path, enabling a race against the timeout path where curr_xfer could be NULL after being cleared but still dereferenced in ha...
CVE-2026-23228
The CVE-2026-23228 issue is in the Linux kernel smb server (ksmbd) where, on ksmbd_tcp_new_connection() failure, free_transport() did not decrement active_num_conn, leaking the counter. This occurs in the kthread_run() path during transport cleanup. The documented fix replaces free_transport() wi...
CVE-2026-23233
CVE-2026-23233 covers a Linux kernel f2fs bug where swapfile mapping can go wrong when the first extent is unaligned and the swapfile is small (
CVE-2026-23398
CVE-2026-23398 — Linux kernel icmp_tag_validation NULL pointer dereference has concrete details in the provided documents. The vulnerability occurs when icmp_tag_validation() dereferences inet_protos[proto] without a NULL check for an unregistered protocol number in an ICMP Fragmentation Needed p...
CVE-2026-23450
CVE-2026-23450 (Linux kernel): The issue stems from a race in the SMC TCP path (net/smc) where, during close of an SMC listen socket, sk_user_data can be NULL or the smc_sock freed, causing a NULL dereference or use-after-free in smc_tcp_syn_recv_sock() when accessed under rcu/protected context. ...
CVE-2026-31591
The CVE-2026-31591 entry details a Linux kernel KVM SNP/VMSA issue where vCPU state synchronization and encryption during SNP launch could be interfered with by userspace, risking vCPU state corruption or host kernel crashes. The root cause is insufficient locking around vcpu->mutex during VMS...
CVE-2026-31608
CVE-2026-31608 affects the Linux kernel SMB server. The issue is a double-free in smb_direct_free_sendmsg when invoked after smb_direct_flush_send_list(); smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so a second call after post_sendmsg() is incorrect. The fix moves the ca...
CVE-2026-31613
The CVE-2026-31613 issue affects the Linux kernel SMB client. A crafted symlink error response from a remote SMB server can trigger an out-of-bounds read during symlink parsing, allowing UTF-16 data to be read via readlink(2). Root cause: smb2_check_message() accepts a CREATE status without valid...
CVE-2026-31682
CVE-2026-31682 affects the Linux kernel bridge implementation, where br_nd_send may parse non-linear ND options from ns->opt[]. The root cause is failure to linearize the skb before ND option parsing, risking reads past the buffer and potential memory exposure or crash. The fix is to linearize...
CVE-2026-31702
Summary of CVE-2026-31702 details from connected docs: The vulnerability is in the Linux kernel’s f2fs compression path. In f2fs_compress_write_end_io(), dec_page_count(sbi, type) could decrement the F2FS_WB_CP_DATA counter to zero while a concurrent unmount is unrolling, leading to a use-after-f...
CVE-2026-31709
In the Linux kernel SMB client (cifsacl), CVE-2026-31709 arises from insufficient validation of a server-provided DACL when rewriting security descriptors. The fix extends structural validation to ensure the DACL header, size, and per-ACE bounds are checked before any rewrite paths (replace_sids_...
CVE-2026-43011
The CVE-2026-43011 issue concerns the Linux kernel net/x25 path where a skb may be freed twice due to a double-free path: if alloc_skb fails in x25_queue_rx_frame, kfree_skb(skb) is called, and later x25_backlog_rcv may free the same skb again, causing a crash/DoS. Public advisories confirm this ...
CVE-2026-43020
CVE-2026-43020 concerns the Linux kernel Bluetooth MGMT path: load-time Long Term Keys can overflow a fixed-size stack buffer if enc_size exceeds the 16-byte key buffer. The root cause is validation of enc_size not rejecting oversized values during management LTK record validation, allowing inval...
CVE-2026-43048
The CVE concerns the Linux kernel HID core. The issue arises in hid_report_raw_event() where a memset() intended to clear bogus data can trigger out-of-bounds reads/writes when the incoming event buffer is not large enough for the report. The fix removes the problematic memset() and instead retur...
CVE-2026-43247
CVE-2026-43247 affects the Linux kernel media driver for wave5 (chips-media). The issue causes a kernel panic triggered by an asynchronous SError interrupt when the system enters suspend mode due to an autosuspend delay timeout, leading to an unresponsive system (DoS-like impact). The vulnerabili...