Linux / Linux Kernel

13804 matches found

added 2026/02/14 4:27 p.m., 19 views

CVE-2026-23206

Summary: CVE-2026-23206 affects the Linux kernel dpaa2-switch driver where zero interfaces (num_ifs == 0) caused a NULL-like ZERO_SIZE_PTR allocation and a kernel panic during probe. The issue stems from allocating arrays with kcalloc() using ethsw->sw_attr.num_ifs and dereferencing ports[0] i...

CVSS 5.5, AI score 5.2, EPSS 0.00114

added 2026/02/18 2:21 p.m., 19 views

CVE-2026-23216

Technical details for CVE-2026-23216 are not publicly provided in the supplied documents. The available description mentions a fix in iscsit_dec_conn_usage_count() and a kernel patch, but no vendor/product specifics.

CVSS 7.8, AI score 5.2, EPSS 0.00117

added 2026/02/18 2:21 p.m., 19 views

CVE-2026-23217

CVE-2026-23217 relates to the Linux kernel on RISC-V where tracing the sbi_ecall functions can cause a deadlock in the snapshot path. The root cause is that sbi_ecall triggers a ringbuffer snapshot which may re-enter __sbi_ecall via an IPI, creating an endless loop when initial __sbi_ecall is pre...

CVSS 5.5, AI score 5.3, EPSS 0.0008

added 2026/02/18 2:53 p.m., 19 views

CVE-2026-23228

The CVE-2026-23228 issue is in the Linux kernel smb server (ksmbd) where, on ksmbd_tcp_new_connection() failure, free_transport() did not decrement active_num_conn, leaking the counter. This occurs in the kthread_run() path during transport cleanup. The documented fix replaces free_transport() wi...

CVSS 5.5, AI score 5.2, EPSS 0.00118

added 2026/03/20 8:8 a.m., 19 views

CVE-2026-23275

CVE-2026-23275 (Linux kernel, io_uring): The issue arises when DEFER_TASKRUN | SETUP_TASKRUN are used and task work is added while the ring is resized, allowing an overlap window where IORING_SQ_TASKRUN could be OR’ed on the old/new rings during swapping. The fix adds a second rings pointer, ->rings_...

CVSS 7.8, AI score 5.6, EPSS 0.00121

added 2026/04/13 1:21 p.m., 19 views

CVE-2026-31415

CVE-2026-31415 affects Linux kernels where ipv6: ip6_datagram_send_ctl() accepts repeated IPV6_DSTOPTS, accumulating into a 16-bit opt_flen without deduplicating. This can cause opt_flen to wrap while dst1opt points to the last 2048-byte destination-options header, leading to under-headroom pushe...

CVSS 5.5, AI score 5.7, EPSS 0.00108

added 2026/04/24 2:35 p.m., 19 views

CVE-2026-31570

CVE-2026-31570 relates to the Linux kernel CAN gateway module. The vulnerability is an OOB heap access in cgw_csum_crc8_rel(), caused by looping and writing using raw s8 indices (from_idx/to_idx/result_idx) instead of the precomputed bounds-safe values (from/to/res). calc_idx() yields bounds-safe...

CVSS 8.8, AI score 5.5, EPSS 0.00262

added 2026/04/24 2:42 p.m., 19 views

CVE-2026-31588

CVE-2026-31588 concerns the Linux kernel KVM MMIO handling bug where an MMIO write that spans multiple pages could reference on‑stack data, enabling a use‑after‑free path. The root cause is an internal temporary variable path during complete_emulated_mmio when emulated MMIO writes cross page boun...

CVSS 8.8, AI score 5.6, EPSS 0.00128

added 2026/04/24 2:45 p.m., 19 views

CVE-2026-31660

The CVE-2026-31660 entry concerns the Linux kernel NFC pn533 driver. The root cause is that pn532_receive_buf() may hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer; if alloc_skb() fails, the callback returns 0 while bytes have already been consumed, leaving re...

CVSS 5.5, AI score 5.4, EPSS 0.00114

added 2026/05/01 1:56 p.m., 19 views

CVE-2026-31708

CVE-2026-31708 affects the Linux kernel SMB client. The issue occurs in smb2_ioctl_query_info() where, in the QUERY_INFO path, qi.input_buffer_length is clamped to the server’s OutputBufferLength and copied from qi_rsp->Buffer to userspace without verifying that the payload fits within rsp_iov...

CVSS 8.1, AI score 5.9, EPSS 0.00293

added 2026/05/01 1:56 p.m., 19 views

CVE-2026-31715

In Linux kernel (f2fs), CVE-2026-31715 is a use-after-free triggered by decrementing sbi->nr_pages[] during F2FS_WB_CP_DATA handling. The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and NULLs the node_inode after the counter reaches zero, allowing f2fs_in_warm_node_list(...

CVSS 7.8, AI score 5.8, EPSS 0.00119

added 2026/05/05 3:29 p.m., 19 views

CVE-2026-43071

CVE-2026-43071 affects the Linux kernel dcache component, specifically an OOB read in dentry_hashtable when dhash_entries is set to 1. The root cause is incorrect d_hash_shift calculation, causing an access to unallocated memory and potential kernel panic/DoS. The issue is mitigated by patching t...

CVSS 9.1, AI score 5.8, EPSS 0.0039

added 2026/05/06 7:40 a.m., 19 views

CVE-2026-43091

The CVE-2026-43091 vulnerability affects the Linux kernel xfrm policy handling during netns exit. The root cause is that xfrm_policy_fini() frees the policy_bydst hash tables after flushing work items and deleting policies, but does not wait for concurrent RCU readers to exit read-side critical s...

CVSS 7.8, AI score 5.8, EPSS 0.00128

added 2026/05/06 7:40 a.m., 19 views

CVE-2026-43113

In the Linux kernel, CVE-2026-43113 affects the wl1251 Wi‑Fi driver. The function wl1251_tx_packet_cb() uses the firmware completion ID (a raw u8) to index a fixed 16-entry wl->tx_frames[] array without validating that the ID fits. The callback can dereference out-of-range IDs. The fix rejects...

CVSS 8.8, AI score 5.8, EPSS 0.00247

added 2026/05/06 11:27 a.m., 19 views

CVE-2026-43155

In the Linux kernel’s mux: mmio subsystem, during device probe a regmap resource may be leaked if probe fails (e.g., probe deferral) or on driver unbind. The issue is resolved by switching to the device-managed allocator so the mmio regmap is automatically released on probe failures and unbind. T...

CVSS 5.5, AI score 5.7, EPSS 0.00126

added 2026/05/06 11:27 a.m., 19 views

CVE-2026-43163

Impact: Linux kernel md/bitmap component vulnerable to a use-after-free race during array resize, causing a General Protection Fault in write_page. Root cause: concurrent access to bitmap->storage.filemap between bitmap_daemon_work() and __bitmap_resize(), with md_bitmap_file_unmap() freeing s...

CVSS 4.7, AI score 5.8, EPSS 0.00091

added 2026/05/06 11:28 a.m., 19 views

CVE-2026-43249

The CVE-2026-43249 entry describes a race in the Linux kernel 9p/xen frontend: xenwatch and backend change notifications can concurrently call xen_9pfs_front_free, causing a double-free and a general protection fault. The fixes guard the teardown path so only a single caller releases the front-en...

CVSS 8.8, AI score 5.8, EPSS 0.00241

added 2026/05/08 2:21 p.m., 19 views

CVE-2026-43376

CVE-2026-43376 affects ksmbd in the Linux kernel. The vulnerability arises from freeing oplock_info with kfree() while it can still be accessed under RCU read-side critical sections (e.g., opinfo_get), allowing a use-after-free. The fixes across connected reports switch to deferred freeing via ca...

CVSS 9.8, AI score 5.8, EPSS 0.00444

added 2026/05/08 2:22 p.m., 19 views

CVE-2026-43435

CVE-2026-43435 relates to the Linux kernel rust_binder component where the oneway spam-detection logic in TreeRange (and missing logic in ArrayRange) could allow large spamming transactions to go undetected. The fix moves the spam-check after the new range is inserted and adds an equivalent low_o...

CVSS 5.5, AI score 5.7, EPSS 0.00121

added 2026/05/27 12:18 p.m., 19 views

CVE-2026-45970

CVE-2026-45970 affects the Linux kernel bonding driver (Active-Backup Load Balancing, ALB). The root cause is a Use-After-Free in rlb_arp_recv where RX path may access rx_hashtbl concurrently with bond teardown, allowing a race with rlb_deinitialize() to dereference freed memory and trigger a ker...

CVSS 7.8, AI score 5.7, EPSS 0.00135

added 2026/05/27 12:55 p.m., 19 views

CVE-2026-45999

The CVE-2026-45999 issue affects the Linux kernel EROFS LZ4 inplace decompression path (z_erofs_lz4_handle_overlap). Crafted extents can trigger an unsigned underflow (outpages

CVSS 7.1, AI score 5.7, EPSS 0.00133

added 2026/05/27 12:56 p.m., 19 views

CVE-2026-46027

The CVE-2026-46027 fix targets the Linux kernel net/smc path, addressing a race where a CLC decline during an early handshake could trigger updates to link-group level sync state before the link group is fully initialized. The mitigation guards the link-group state update in smc_clc_wait_msg() so...

CVSS 7.5, AI score 5.7, EPSS 0.00508

added 2026/05/27 12:57 p.m., 19 views

CVE-2026-46047

CVE-2026-46047: In the Linux kernel, net: qrtr: ns use-after-free in driver remove is fixed. The vulnerability arises if a packet arrives after destroy_workqueue() but before sock_release(), causing qrtr_ns_data_ready() to queue a work item that dereferences freed memory. Root and distro advisori...

CVSS 7.8, AI score 5.7, EPSS 0.00125

added 2026/05/27 12:57 p.m., 19 views

CVE-2026-46059

CVE-2026-46059: In the Linux kernel, KVM/nSVM handling of NRIPS and NextRIP after the first L2 VMRUN could miscompute NextRIP if NRIPS is disabled and a soft interrupt is injected, leading to a correctness issue after save/restore. The vulnerability arises because L1 may provide an incorrect Nex...

CVSS 5.5, AI score 5.7, EPSS 0.00121

added 2026/05/27 12:57 p.m., 19 views

CVE-2026-46063

The CVE-2026-46063 issue affects the Linux kernel with x86 shadow stack (shstk) handling of sigreturn. Root cause: during a shadow-stack sigframe read, the kernel previously held the mmap lock while verifying VMA flags to distinguish shadow stack memory. A page fault during this read could trigge...

CVSS 5.5, AI score 5.8, EPSS 0.00094

added 2026/05/28 9:36 a.m., 19 views

CVE-2026-46145

The CVE-2026-46145 vulnerability affects the Linux kernel, specifically the RDMA/mana component. A user-supplied rx_hash_key_len value supplied via a uAPI structure is blindly passed to memcpy, enabling localized kernel memory corruption if bounds checks are not enforced. Reports from multiple so...

CVSS 7.8, AI score 5.9, EPSS 0.00138

added 2026/05/28 9:36 a.m., 19 views

CVE-2026-46151

CVE-2026-46151 affects the Linux kernel USB printer driver usblp, causing a heap leak in IEEE 1284 device ID handling due to short GET_DEVICE_ID responses. The issue stems from usblp_ctrl_msg() discarding actual bytes and usblp_cache_device_id_string() trusting a 2‑byte length prefix, exposing st...

CVSS 5.5, AI score 5.8, EPSS 0.00122

added 2026/05/28 9:36 a.m., 19 views

CVE-2026-46152

CVE-2026-46152 affects the Linux kernel’s wifi/mac80211 subsystem. The root cause is that ieee80211_invoke_fast_rx() uses a static per-invocation rx_result, causing concurrent callers to share a single instance and potentially overwrite results between ieee80211_rx_mesh_data() and the switch on r...

CVSS 8.8, AI score 5.8, EPSS 0.00276

added 2026/05/28 9:36 a.m., 19 views

CVE-2026-46190

Summary (CVE-2026-46190): A Linux kernel vulnerability in the MTD SPI-NOR debugfs code caused an out-of-bounds read in spi_nor_params_show() due to passing an array of pointers to spi_nor_print_flags() with sizeof(snor_f_names). Since sizeof on a pointer array yields bytes, not element count, th...

CVSS 7.1, AI score 5.8, EPSS 0.00131

added 2026/05/28 9:36 a.m., 19 views

CVE-2026-46191

CVE-2026-46191 concerns the Linux kernel fbcon component: when console rotation fails during fbcon_rotate_font(), the font buffer may overflow due to an OOB access. The fix clears the font buffer if the reallocation during console rotation fails and ensures the rotated buffer does not overflow. D...

CVSS 7.1, AI score 6, EPSS 0.00131

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46198

The CVE-2026-46198 issue affects the Linux kernel’s batman-adv component. A mismatch between integer types caused an integer overflow in batadv_iv_ogm_send_to_if, where buff_pos is s16 while the size check uses an int in batadv_iv_ogm_aggr_packet, potentially enabling an out-of-bounds read. The v...

CVSS 8.8, AI score 5.8, EPSS 0.00285

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46200

CVE-2026-46200 affects the Linux kernel SPI MPC52xx driver. The issue stems from improper controller deregistration: the driver may deregister the controller after or without ensuring proper release of resources (interrupts, GPIOs) during driver unbind, risking system instability or resource exha...

CVSS 5.5, AI score 5.8, EPSS 0.00127

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46204

CVE-2026-46204 affects the Linux kernel DRM_AMDGPU driver (drm/amdgpu/vcn4). The root cause is an out-of-bounds read when parsing an Instruction Buffer (IB). The patch rewrites the IB parsing to use amdgpu_ib_get_value(), ensuring bounds checks are performed and preventing OOB reads. Public descr...

CVSS 7.1, AI score 5.8, EPSS 0.00131

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46207

The CVE-2026-46207 issue affects the Linux kernel’s vsock/virtio path, where non-linear skbs could fail to copy payloads to the vsockmon tap device due to iov_iter not being properly initialized. The fix standardizes handling for both linear and non-linear skbs by removing the linear/non-linear s...

CVSS 5.5, AI score 5.8, EPSS 0.00127

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46219

CVE-2026-46219 concerns a use-after-free in the SPI mpc52xx path of the Linux kernel. The description indicates the state machine work is scheduled by the interrupt handler and must be cancelled after interrupts are disabled to avoid use-after-free. Connected OSV entries show patches in rootio-li...

CVSS 7.8, AI score 5.7, EPSS 0.00135

added 2026/05/28 9:40 a.m., 19 views

CVE-2026-46234

CVE-2026-46234 affects the Linux kernel vsock code, specifically the vsock_update_buffer_size path. The bug arises from clamping the buffer size: it first enforces the maximum, then the minimum, which allows vsk->buffer_size to exceed vsk->buffer_max_size when a larger minimum is configured...

CVSS 7.8, AI score 5.9, EPSS 0.00129

added 2026/05/28 9:41 a.m., 19 views

CVE-2026-46235

CVE-2026-46235 affects the Linux kernel saa7164 media driver. The issue arises from missing return value checks for ioremap calls in saa7164_dev_setup(), specifically for BAR0 and BAR2. When ioremap fails, the code now performs cleanup: releases allocated PCI memory regions, removes the device fr...

CVSS 5.5, AI score 5.8, EPSS 0.00119

added 2026/06/03 3:49 p.m., 19 views

CVE-2026-46250

The CVE-2026-46250 entries describe a Linux kernel issue on MIPS where LLVM erroneously restores the global gp register when it is used as a global register variable (__current_thread_info), causing the gp pointer to point to the unrelocated kernel after relocate_kernel. This leads to a crash dur...

CVSS 7.3, AI score 5.8, EPSS 0.0013

added 2026/06/03 3:49 p.m., 19 views

CVE-2026-46252

CVE-2026-46252 affects the Linux kernel regulator core. The vulnerability stems from improper locking in regulator_resolve_supply() error handling, where late-failing supply enable paths could trigger a lockdep warning due to holding the regulator_list_mutex while calling _regulator_put(). The fi...

CVSS 5.5, AI score 5.8, EPSS 0.0008

added 2026/06/03 3:49 p.m., 19 views

CVE-2026-46253

In Linux kernel pstore/ram, CVE-2026-46253, the vulnerability is a heap buffer overflow during persistent_ram_save_old(). If the buffer size has grown since the first allocation, the code updates old_log_size to the new size and then copies with memcpy_fromio(), risking an out-of-bounds write (an...

CVSS 7.8, AI score 5.9, EPSS 0.00136

added 2025/06/18 11:0 a.m., 18 views

CVE-2022-49996

CVE-2022-49996 is a Linux kernel issue affecting the btrfs subsystem. The vulnerability arises when btrfs_get_dev_args_from_path() calls btrfs_get_bdev_and_sb() with an invalid path, causing the function to return without freeing previously allocated memory for args->uuid and args->fsid, wh...

CVSS 5.5, AI score 6.5, EPSS 0.00195

added 2025/09/15 2:1 p.m., 18 views

CVE-2022-50236

CVE-2022-50236 (Linux kernel, iommu/mediatek): A crash occurs when rebooting via isr(), where the IRQ handler can fire before the IOMMU domain initialization, leading to an invalid memory access. The fix is in the kernel code path for mtk_iommu_isr, preventing handling before proper domain setup...

CVSS 5.5, AI score 6, EPSS 0.00143

added 2025/09/15 2:1 p.m., 18 views

CVE-2022-50241

CVE-2022-50241 is a Linux kernel local-use-after-free in NFSD during inter-server copy. The race occurs when a CLOSE may be sent before FREE_STATEID, leaving a freed lock/state entry on the s2s_cp_stateids/sc_cp_list and triggering a BAD_STATEID on subsequent FREE_STATEID. The referenced patches ...

CVSS 7.8, AI score 6.1, EPSS 0.0015

added 2025/09/15 2:1 p.m., 18 views

CVE-2022-50243

CVE-2022-50243 – Linux kernel SCTP use-after-free (summary from connected advisories). The vulnerability arises in SCTP when an error is returned from sctp_auth_asoc_init_active_key(): the old sh_key could be freed while still in use as the active key, leading to a use-after-free during packet sen...

CVSS 7.8, AI score 6.1, EPSS 0.0015

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50245

CVE-2022-50245 concerns a Linux kernel issue in the rapidio driver where a UAF can occur if kfifo_alloc() fails during mport_cdev_open(). The fix removes priv from the chdev->file_list before freeing it to prevent traversal from accessing a freed object (the smatch warning reference). Affected...

CVSS 7.8, AI score 6.2, EPSS 0.00156

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50251

CVE-2022-50251 affects the Linux kernel mmc/vub300 driver. The vulnerability arises when mmc_add_host() returns an error but its return value is ignored, leading to a memory leak from mmc_alloc_host() and a potential kernel crash due to removing an unadded device in the remove path. The accompany...

CVSS 5.5, AI score 6.1, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50255

CVE-2022-50255 (Linux kernel tracing): The issue affects the tracing subsystem where the synthetic event field, specifically the character array file[], could be read as a string without validating the user-space address. This caused crashes when reading from user memory during open/openat strin...

CVSS 7.1, AI score 6.4, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50257

The CVE-2022-50257 issue is in the Linux kernel Xen grant handling (xen/gntdev) where partial grant mapping failures could leak grants. In paravirtualized domains (use_ptemod = true), alloced was not updated for all successful map_ops or kmap_ops, risking incorrect live_grants and leaks. The fix ...

CVSS 5.5, AI score 6.1, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50260

CVE-2022-50260 concerns the Linux kernel DRM MSM driver where .remove and .shutdown callbacks run via different code paths, creating a risk of calling drm_atomic_helper_shutdown() on an uninitialized DRM device. The initial description explains this mismatch can trigger kernel panics, especially ...

CVSS 5.5, AI score 6, EPSS 0.00143

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50265

CVE-2022-50265 pertains to the Linux kernel and concerns data races in the kernel crypto/messaging flow involving kcm->rx_wait and kcm->rx_psock. The description states that kcm->rx_psock can be read locklessly in kcm_rfree(), and the issue was mitigated by annotating the corresponding r...

CVSS 5.5, AI score 6, EPSS 0.00145

Total number of security vulnerabilities: 13804