14330 matches found
CVE-2026-23315
The CVE affects the Linux kernel mt76 wifi driver (mt76_connac2_mac_write_txwi_80211). The root cause is that the function could perform an out-of-bounds access by not validating the frame length before accessing management fields, including mgmt->u.action.u.addba_req.capab. This could enable ...
CVE-2026-23448
Vulnerability summary (CVE-2026-23448). In the Linux kernel, the net: usb: cdc_ncm path has a bounds-check defect related to NDP16/DPE16 processing. The function cdc_ncm_rx_verify_ndp16() correctly accounts for the NDP offset in the first check, but the second check ignores ndpoffset when validat...
CVE-2026-31420
CVE-2026-31420 affects Linux kernel bridge MRP interval handling. Vulerability arises when br_mrp_start_test/br_mrp_start_in_test accept a user-supplied interval from netlink with no validation; if interval is 0, the delay becomes zero and a tight loop can exhaust memory, causing an OOM kernel pa...
CVE-2026-31509
CVE-2026-31509 affects the Linux kernel NFC NCI subsystem. The vulnerability stems from nci_close_device() flushing rx_wq and tx_wq while holding req_lock, creating a circular locking dependency with nci_rx_work() and related paths. The fix moves the rx_wq flush to after req_lock is released, rel...
CVE-2026-31516
The CVE-2026-31516 relates to the Linux kernel XFRM subsystem. A race occurs during net namespace teardown when a work item (policy_hthresh.work) queued by XFRM_MSG_NEWSPDINFO may run after the netns is freed, allowing xfrm_hash_rebuild() to dereference a freed struct net (potential use-after-fre...
CVE-2026-31530
The CVE-2026-31530 entry is backed by concrete details in the connected documents: in the Linux kernel’s cxl subsystem, the vulnerability stems from a use-after-free of parent_port during cxl_detach_ep() when removing CXL memory devices. The root cause is the absence of a lifetime guarantee betwe...
CVE-2026-31570
CVE-2026-31570 relates to the Linux kernel CAN gateway module. The vulnerability is an OOB heap access in cgw_csum_crc8_rel(), caused by looping and writing using raw s8 indices (from_idx/to_idx/result_idx) instead of the precomputed bounds-safe values (from/to/res). calc_idx() yields bounds-safe...
CVE-2026-31588
CVE-2026-31588 concerns the Linux kernel KVM MMIO handling bug where an MMIO write that spans multiple pages could reference on‑stack data, enabling a use‑after‑free path. The root cause is an internal temporary variable path during complete_emulated_mmio when emulated MMIO writes cross page boun...
CVE-2026-31692
In The Linux kernel, CVE-2026-31692 affects the rtnetlink path: the peer namespace CAP_NET_ADMIN check is missing in rtnl_newlink() when creating paired devices (e.g., veth, vxcan, netkit). This enables an unprivileged user with a user namespace to create interfaces in arbitrary network namespace...
CVE-2026-31762
CVE-2026-31762 affects the Linux kernel iio gyro mpu3050 driver. The root cause is an IRQ resource leak: during iio_trigger_register() failure, the interrupt handler is not properly released, leading to unreleased IRQ resources. The patch adds a cleanup goto to release the handler on error. Affec...
CVE-2026-43023
CVE-2026-43023 affects the Linux kernel Bluetooth SCO path. A race condition in sco_sock_connect() allows two concurrent connect() attempts on the same socket to bypass locks, leading to use-after-free and potential socket/state corruption (BT_OPEN -> BT_CONNECT with zombie sk). The issue is d...
CVE-2026-43107
CVE-2026-43107 concerns the Linux kernel xfrm subsystem. The root cause is that xfrm_aevent_msgsize() did not reserve space for XFRMA_IF_ID, causing build_aevent() to fail with -EMSGSIZE and potentially trigger a kernel panic via a malformed netlink interaction when if_id is set. The fix uncondit...
CVE-2026-43323
CVE-2026-43323 refers to a Linux kernel scheduler flaw in the fair scheduling component where zero_vruntime tracking could become inconsistent under certain conditions (e.g., frequent yield and multi‑cgroup scenarios). The linked sources describe a specific scenario with two runnable tasks exchan...
CVE-2026-43471
Summary (mode C): The CVE-2026-43471 issue affects the Linux kernel’s SCSI UFS core, specifically a NULL pointer dereference in ufshcd_add_command_trace() when hwq is NULL, which can occur if ufshcd_mcq_req_to_hwq() returns NULL. A patch adds a NULL check for hwq before accessing hwq->id to pr...
CVE-2026-43476
CVE-2026-43476 affects the Linux kernel’s IIO sensor driver for SPS30 (iio: chemical: sps30_i2c). The root cause is a faulty buffer size calculation in sps30_i2c_read_meas() where sizeof(num) yields sizeof(size_t) (8 bytes on 64-bit) instead of the intended 4-byte __be32 element size; the fix use...
CVE-2026-45848
The CVE-2026-45848 issue affects the Linux kernel AppArmor component, where NULL sock or sock-sk can occur during socket setup/teardown, potentially causing a NULL pointer dereference and a kernel oops (DoS) for af_unix sockets. Root cause is dereferencing NULL during socket operations; impact is...
CVE-2026-45867
The CVE-2026-45867 issue affects the Linux kernel power_supply subsystem (act8945a) and is caused by a race condition: requesting the IRQ with the devm_ path before the devm_ path that registers the power_supply handle can lead to use-after-free when the IRQ fires after the power_supply object is...
CVE-2026-45916
CVE-2026-45916 affects the Linux kernel power_supply (sbs-battery) driver. The issue is a race between IRQ handling and power_supply handle lifecycle: requesting IRQ with devm_ before allocating/registering the power_supply handle can cause an interrupt after the handle is freed but before IRQ un...
CVE-2026-45918
CVE-2026-45918 concerns a race condition in the Linux kernel related to OpenVPN TCP handling. When a peer is kept alive and later removed, the kernel temporarily places the peer in a release list and detaches from the socket by restoring its proto and socket callbacks. If userspace closes the soc...
CVE-2026-45928
CVE-2026-45928 relates to the Linux kernel media driver (chips-media wave5). In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is kzalloc()-ed; if the subsequent allocation for inst->codec_info fails, the error path returns -ENOMEM without freeing the previously allocated vpu, c...
CVE-2026-45944
CVE-2026-45944 affects the Linux kernel IOMMU VT-d. During context-entry teardown, the implementation zeros a 128‑bit entry in two 64‑bit writes, risking a torn entry where the Present bit remains set while other fields are zeroed, potentially causing unpredictable behavior or spurious faults. Th...
CVE-2026-45982
CVE-2026-45982 concerns the Linux kernel ACPICA component, specifically a NULL pointer dereference in the function acpi_ev_address_space_dispatch(). The issue arises from a missed execution path due to an incomplete check, which could be exploited locally (as indicated by the CVSS vector and Red ...
CVE-2026-45995
A CVE-2026-45995 has been resolved in the Linux kernel for a local, low-privilege UAF issue in io_uring zcrx handling (io_free_rbuf_ring with a user_struct, freed by io_zcrx_ifq_free before ring destruction). The advisory for openSUSE Tumbleweed indicates the fix is delivered via kernel-devel-7.0...
CVE-2026-46019
CVE-2026-46019 concerns the Linux kernel crypto/atmel-aes path. The issue: atmel_aes_buff_init() allocates 4 pages (ATMEL_AES_BUFFER_ORDER) but atmel_aes_buff_cleanup() frees only the first page via free_page(), leaking 3 pages. Resolution: use free_pages() with ATMEL_AES_BUFFER_ORDER to properly...
CVE-2026-46028
CVE-2026-46028 — Linux kernel crypto/AF_ALG: per‑request IV storage for async AEAD . The vulnerability occurs in AF_ALG AEAD async requests that previously reused a socket‑wide IV buffer during processing, allowing later socket activity to modify the shared IV before the original request finished...
CVE-2026-46037
The CVE-2026-46037 issue affects the Linux kernel IPv4 ICMP component. Extended echo replies could use ICMP_EXT_ECHOREPLY outside the icmp_pointers[] range; the fix avoids icmp_pointers[] lookups for out-of-range types and uses array_index_nospec() for in-range lookups. Multiple OS feeds report p...
CVE-2026-46051
CVE-2026-46051 affects the Linux kernel's MD RAID5 path. The vulnerability arises when retry_aligned_read() encounters an overlapped stripe and releases it via raid5_release_stripe(), placing it on the released_stripes list. In a subsequent raid5d loop, release_stripe_list() drains the stripe ont...
CVE-2026-46055
CVE-2026-46055 affects the Linux kernel AppArmor LSM. The issue is a missing string terminator in aa_dfa_match, causing a slab-out-of-bounds read/write during path mounting on ARM64 Ubuntu 26.04 with Linux 7.0-rc4 (Snapdragon X1). Reported impact includes potential DoS or information disclosure. ...
CVE-2026-46077
CVE-2026-46077 involves a Linux kernel crypto module (atmel-tdes) where DMA sync direction was incorrect. The issue occurs when DMA output was consumed by the CPU and the address_out was not synced with the CPU correctly, risking stale data on non‑coherent platforms. The published fixes switch to...
CVE-2026-46080
CVE-2026-46080 : In the Linux kernel, the ocfs2 code path is fixed to prevent credit-exhaustion during direct I/O (dio) by splitting transactions in dio completion and batching extent handling. The patch relocates removing inodes from the orphan list until the extent tree update completes, reduci...
CVE-2026-46081
CVE-2026-46081 is a Linux kernel vulnerability in the crypto/acomp subsystem. The issue arises when an asynchronous hardware implementation (e.g., QAT) completes a request using the DMA virtual address interface, causing acomp_save_req() to store a pointer to the wrong object in req->base.data...
CVE-2026-46103
CVE-2026-46103 affects the Linux kernel, specifically the USB stack where can: ucan fixes the devres lifetime. The root cause is that resources bound to USB interfaces were not guaranteed to outlive the parent USB device, leading to memory leaks when drivers unbind (e.g., during probe deferrals o...
CVE-2026-46108
In the Linux kernel, CVE-2026-46108 affects the ipmi:si path where a failure to allocate a message could leave the driver in a bad state. The root cause is insufficiently returning to normal operation after allocation fails, which can impact availability (local access, low privileges). The vulner...
CVE-2026-46118
CVE-2026-46118 concerns the Linux kernel component pseries/papr-hvpipe, where a null pointer dereference could occur in papr_hvpipe_dev_create_handle() after changing to FD_PREPARE. The root cause described across sources is that src_info is reused post-retain_and_null_ptr when adding to a global...
CVE-2026-46120
Concrete details found: CVE-2026-46120 affects the Linux kernel ip6_gre machinery. The issue is in ip6erspan_changelink(), which wrongly uses dev_net(dev) instead of the correct per-netns hash resolved by link_net, after a patch series that fixed per-netns resolution in ip6erspan_newlink(). This ...
CVE-2026-46126
CVE-2026-46126 affects the Linux kernel RDMA/mana component. The issue stems from the error unwind flow in mana_ib_create_qp_rss() cleanup of the Work Queue (WQ) table, leading to improper resource cleanup. Reports identify two bugs: (1) a double i-- in the first failure path of the unwinding loo...
CVE-2026-46143
The CVE-2026-46143 issue affects the Linux kernel’s ASoC component, specifically qcom: q6apm-lpass-dai. Root cause: prepare may be invoked multiple times, causing multiple graph opens in the playback path and resulting memory leaks. Mitigation in the public documents is a patch that adds a check ...
CVE-2026-46148
CVE-2026-46148 concerns the Linux kernel’s microchip-core-qspi driver where the built-in chip select could be driven active when multiple devices share the QSPI controller, potentially conflicting with GPIO-based CS. The provided records confirm a concrete fix: the driver now controls chip select...
CVE-2026-46156
CVE-2026-46156 affects the Linux kernel LoongArch implementation, specifically loongson_gpu_fixup_dma_hang(), where the code may read device registers using an incorrect base (base+PCI_DEVICE_ID) when a discrete GPU is present. This causes ADE and can trigger a kernel panic, leading to local DoS....
CVE-2026-46163
CVE-2026-46163 concerns the Linux kernel wifi subsystem (b43legacy) where a firmware-controlled key index in b43legacy_rx() could exceed dev->max_nr_keys, allowing an out-of-bounds read of dev->key[]. The fix makes the bounds check enforcing by dropping frames with invalid indices. Patches ...
CVE-2026-46208
In the Linux kernel, batman-adv has a vulnerability where tp_meter sessions are not stopped during mesh teardown in batadv_mesh_free(). This allows a running sender thread or late tp_meter packets to keep operating against a mesh instance that is shutting down, potentially causing system instabil...
CVE-2026-46239
CVE-2026-46239 affects the Linux kernel media: i2c: ov5647 driver. Concrete issue: three control paths (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) return early without pm_runtime_put(), leaking runtime PM references. The patch changes these cases from return to a ret = ... break pattern to ensure pm...
CVE-2026-46287
CVE-2026-46287 concerns the Linux kernel net: txgbe driver. The issue occurs on copper NICs with external PHY where phylink_connect_phy() is called during probe and phylink_disconnect_phy() during removal, triggering an RTNL assertion warning on module removal. The root cause is lack of proper RT...
CVE-2026-46288
CVE-2026-46288 (Linux kernel). The issue is a use-after-free in unittest changeset handling of device-tree nodes: a pointer (parent) shares the same struct device_node as nchangeset, and of_node_put(nchangeset) can drop the refcount to zero while code still uses parent to inspect properties, lead...
CVE-2026-46290
The CVE-2026-46290 issue in Linux kernels’ x86 EFI runtime handling was fixed by replacing in_interrupt() with !in_task() to preserve interrupt/NMI fault handling without being affected by the FPU softirq path. Root cause: kernel_fpu_begin() uses fpregs_lock() with local_bh_disable(), setting SOF...
CVE-2026-46295
CVE-2026-46295 involves the Linux kernel KVM/x86 interrupt handling fix. The patch ensures IRR is scanned via __kvm_apic_update_irr even when PIR is empty, falling back to apic_find_highest_vector() when PID.ON is set but PIR is empty, so the highest pending interrupt is reported from the existin...
CVE-2026-46305
CVE-2026-46305 affects the Linux kernel, specifically the staging/rtl8723bs path. The issue arises when kzalloc_flex()’s return value is used without checking for allocation failure, leading to a potential NULL pointer dereference when accessing the allocated structure. The fix guards access to t...
CVE-2026-46311
CVE-2026-46311 (Linux kernel) involves the drm/amdgpu/userq path where access to a stale wptr mapping could occur during queue creation. The root cause is improper locking when accessing the mapping data, risking unmapping of wptr_obj while a queue is in progress and another BO is at the same add...
CVE-2026-46314
CVE-2026-46314 affects the Linux kernel drm/v3d path. A local attacker can craft a self-referential multisync extension with in_sync_count=0 and out_sync_count=0, causing an infinite loop in v3d_get_extensions() because the existing guard (if (se->in_sync_count || se->out_sync_count)) never...
CVE-2026-46332
The CVE-2026-46332 issue affects the Linux kernel Greybus subsystem (gb-beagleplay) where cc1352_bootloader_rx() appends serdev data into a fixed rx_buffer without validating the chunk size against remaining space. This can allow an overflow when multiple packets arrive in one callback, leading t...