14330 matches found
CVE-2025-39861
CVE-2025-39861 (Linux kernel) : A Bluetooth vulnerability in vhci can cause use-after-free when accessing debugfs files. The fix moves debugfs file creation into a dedicated function and ensures all debugfs files (e.g., force_suspend, force_wakeup) are removed during vhci_release() before freeing...
CVE-2025-39862
The CVE-2025-39862 entry pertains to the Linux kernel WiFi driver mt76/mt7915, where list corruption could occur after hardware restart. The identified fix clears all WCID-related lists and resets each wcid entry (wcid->sta = 0) before ieee80211_restart_hw, ensuring stations aren’t re-added pr...
CVE-2025-39884
Mode C: The provided documents describe CVE-2025-39884 as a Linux kernel (btrfs) race where eviction and inode caching can lose a live btrfs_inode in root->inodes, breaking subvolume deletion. The root cause is a window in evict() between unhashed inode removal and xarray deletion, allowing a ...
CVE-2025-39889
CVE-2025-39889 affects the Linux kernel Bluetooth L2CAP stack by not properly validating the encryption key size on incoming connections. This failure can cause a mismatch between expected and actual key sizes, impacting security posture. Connected OSV data indicates Root has patched CVE-2025-398...
CVE-2025-39899
CVE-2025-39899 concerns the Linux kernel mm/userfaultfd path where, on 32-bit ARM with CONFIG_HIGHPTE, move_pages_pte() maps PTE pages using kmap_local_page() and must unmap them in LIFO order. The current code unmapped dst_pte then src_pte in the same sequence, violating LIFO and triggering a ku...
CVE-2025-39929
CVE-2025-39929 affects the Linux kernel SMB client code, specifically a leak in smbdirect_recv_io within smbd_negotiate() error path. The vulnerability is mapped to a LOCAL attack, with MEDIUM overall CVSS (base 5.5) and HIGH impact on availability. The description in the initial document notes t...
CVE-2025-39945
The CVE-2025-39945 entry concerns a race in the Linux kernel cnic subsystem where a use-after-free can occur if a delayed work item (delete_task) remains active during cnic_dev deallocation. The root cause is that cancel_delayed_work() does not guarantee the delayed work item has finished if it i...
CVE-2025-68365
CVE-2025-68365 affects the Linux kernel ntfs3 code. The issue is an uninitialized memory use in fs/ntfs3 where memory allocated by __getname() (kmem_cache_alloc()) is used before being cleared. The documented fix is to allocate and clear memory with kmem_cache_zalloc(). The CVSS_base from the pro...
CVE-2025-71077
In the Linux kernel vulnerability CVE-2025-71077, tpm2_get_pcr_allocation() did not cap the number of PCR banks, allowing out-of-bounds values to cause more than minimal harm. The fix caps the limit to eight banks, limiting potential damage from external I/O. The issue affects the TPM/PCR allocat...
CVE-2025-71084
CVE-2025-71084 (Linux kernel) fixes a leak in the multicast GID table reference within RDMA/cm. If the CM ID is destroyed while the multicast creation event is queued, cancel_work_sync() can prevent the work from running and destroy ah_attr, causing a refcount leak and a WARN in kernel logs. Affe...
CVE-2025-71104
The CVE-2025-71104 entry concerns the Linux kernel KVM on x86 with the HV timer. Root cause: when advancing the guest APIC timer expiration in periodic mode, adding a period to a past target expiration can create an unbounded sequence of hrtimer IRQs; if the guest is paused, this can trigger host...
CVE-2025-71107
CVE-2025-71107: In Linux kernel F2FS, a race allows f2fs_put_super() to run before all node-page reads complete, causing an apparent filesystem reference-count leak during unmount (kernel.c fs/f2fs/super.c:1939). Mitigation: upstream patch adds f2fs_wait_on_all_pages() for F2FS_RD_NODE to ensure ...
CVE-2025-71112
The CVE-2025-71112 entry concerns the Linux kernel net/hns3 VLAN handling. A VLAN ID may be used without validation when receiving a VLAN configuration mailbox from a VF, because vlan_del_fail_bmap length (BITS_TO_LONGS(VLAN_N_VID)) can permit out-of-bounds access if the VLAN ID is >= VLAN_N_V...
CVE-2025-71161
CVE-2025-71161 affects the Linux kernel dm-verity feature, where recursive forward error correction could cause denial of service and potential data handling issues. The root cause is an overly deep recursive path in fec_read_bufs (up to four nested levels) that may loop excessively, and a shared...
CVE-2025-71221
CVE-2025-71221: The Linux kernel mmp_pdma driver contained a race in mmp_pdma_residue() that could cause use-after-free when descriptors are freed while tx_status() iterates the descriptor list. The race occurs as CPU0 unwinds the descriptor list without proper locking while CPU1's tasklet can fr...
CVE-2025-71223
CVE-2025-71223 affects the Linux kernel's ksmbd SMB server path (smb2_open and ksmbd_vfs_getattr). The issue is a refcount leak when ksmbd_vfs_getattr() fails, potentially causing resource leakage and local impact. A kernel update fixing the refcount leak is provided by the referenced advisories ...
CVE-2025-71229
CVE-2025-71229 is a Linux kernel vulnerability affecting the rtw88 Wi‑Fi driver (rtw_core_enable_beacon). The issue arises when the function reads 4 bytes from a non-4-byte-aligned address, which can trigger an alignment fault and crash the kernel on some systems. The fixed patch changes the acce...
CVE-2025-71313
Summary (CVE-2025-71313) : In the Linux kernel PCI endpoint driver, there is a missing NULL check after alloc_workqueue(), which can return NULL on memory allocation failure. If a NULL workqueue pointer is later passed to queue_work() in epf_ntb_epc_init(), this can cause a NULL pointer dereferen...
CVE-2026-22986
CVE-2026-22986 concerns a race in Linux kernel gpiolib where two drivers calling gpiochip_add_data_with_key() can concurrently traverse gpio_name_to_desc() while another adds gdev to the list, creating a window where gdev->srcu is dereferenced before it is initialized. The result is a crash (k...
CVE-2026-22996
CVE-2026-22996 affects the Linux kernel mlx5e subsystems. The issue arises from storing the unstable mlx5e_priv in mlx5e_dev devlink priv, which could lead to a kernel NULL dereference during profile changes and an oops in mlx5e_remove. The fix stores netdev directly into mlx5e_dev and derives md...
CVE-2026-23072
CVE-2026-23072: Linux kernel l2tp memleak in l2tp_udp_encap_recv() fixed by adding proper error handling after protocol version validation; the patch ensures l2tp_session_put() is called to avoid leaking objects (l2tp_session, l2tp_tunnel, sock). References indicate the commit addresses a memory‑...
CVE-2026-23089
CVE-2026-23089 is a Linux-kernel issue in ALSA USB-audio: use-after-free in snd_usb_mixer_free() when mixer creation fails, causing freed mixer control memory to be referenced by callbacks during card registration. The connected advisories confirm the root cause and state the fix is to remove all...
CVE-2026-23122
The CVE-2026-23122 entry concerns the Linux kernel igc TSN TX packet buffer sizing. Affected component: i226 TSN support in the Linux kernel driver (igc). Root cause: reducing the TX buffer per queue from 7 KB to 5 KB to resolve TX unit hangs under heavy timestamping load. Impact: the change addr...
CVE-2026-23127
CVE-2026-23127 affects the Linux kernel perf subsystem. The issue is caused by a refcount warning in perf_mmap_rb() when updating event->mmap_count during group-member mmap creation with PERF_FLAG_FD_OUTPUT. Specifically, refcount_inc(&event->mmap_count) can run when mmap_count is 0, trigge...
CVE-2026-23219
CVE-2026-23219 concerns the Linux kernel (mm/slab) where alloc_tagging_slab_free_hook was not invoked in memcg_alloc_abort_single, causing a spurious warning: “alloc_tag was not cleared …” when CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled. The issue arises because the existing __memcg_slab_post_al...
CVE-2026-23237
CVE-2026-23237 affects the Linux kernel, specifically the platform/x86 classmate-laptop driver. The issue arises when sysfs attributes of the input device are accessed before the driver has stored the input device address, causing NULL pointer dereferences via dev_get_drvdata(&inputdev->dev) i...
CVE-2026-23244
CVE-2026-23244 affects the Linux kernel and stems from nvme_pr_read_keys() allocating memory based on a user-supplied num_keys value. The code uses num_keys to determine the rse allocation size up to an upper limit PR_KEYS_MAX (64K). A malicious or buggy userspace input can cause a kzalloc-based ...
CVE-2026-23289
CVE-2026-23289 affects the Linux kernel (IB/mthca path) in which a missed mthca_unmap_user_db() for mthca_create_srq can trigger a leak on a failed system call. The vulnerability, with local attack vector and low privileges required, may lead to privilege escalation, DoS, or information leaks as ...
CVE-2026-23443
CVE-2026-23443 refers to a Linux kernel ACPI processor errata handling flaw (piix4). A use-after-free could occur from dereferencing device pointers after their objects were freed, stemming from a NULL-pointer dereference in acpi_processor_errata_piix4(). The fix moves diagnostic message printing...
CVE-2026-23457
CVE-2026-23457 affects the Linux kernel netfilter nf_conntrack_sip parser (sip_help_tcp). The issue arises from parsing the SIP Content-Length header: the code uses simple_strtoul() return value (unsigned long) but stores it in an unsigned int clen, allowing truncation on 64-bit systems when Cont...
CVE-2026-23472
Summary: A Linux kernel vulnerability in the serial core (CVE-2026-23472) arises when handling PORT_UNKNOWN with a NULL transmit buffer, where uart_write_room() can report available space inconsistently with uart_write() , causing an infinite loop in drivers that rely on tty_write_room() to decid...
CVE-2026-31394
CVE-2026-31394 concerns the Linux kernel mac80211 path where AP_VLAN (4addr) stations can trigger a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() due to sta->sdata pointing to VLAN sdata, which may not participate in chanctx reservations. The root cause is that link->reserved.oper...
CVE-2026-31396
Summary: CVE-2026-31396 affects the Linux kernel’s net/macb and PTP clock subsystem. The root cause is a use-after-free in ptp_clock_index() when the PTP clock is accessed via get_ts_info while the interface’s PTP clock object has been deregistered. This allows a local attacker to trigger a crash...
CVE-2026-31426
Summary: CVE-2026-31426 concerns the Linux kernel ACPI EC handling. When ec_install_handlers() defers probing on reduced‑hardware platforms, the error path could leave a dangling EC space handler context if acpi_ec_setup() propagates the error, leading to use‑after‑free when AML accesses an OpReg...
CVE-2026-31462
CVE-2026-31462 concerns the Linux kernel DRM/AMDGPU PASID reuse issue where a process reusing a PASID could leave pending page faults in the IH ring buffer after exit. The fix uses an idr cyclic allocator to prevent immediate PASID reuse. Connected OSV entries show Root has patched this CVE in ro...
CVE-2026-31474
The CVE-2026-31474 issue affects the Linux kernel’s CAN ISO-TP (isotp) path. The bug is a use-after-free involving isotp_sendmsg() and the so->tx.buf buffer: if a signal interrupts wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the release path may free so->tx.bu...
CVE-2026-31660
The CVE-2026-31660 entry concerns the Linux kernel NFC pn533 driver. The root cause is that pn532_receive_buf() may hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer; if alloc_skb() fails, the callback returns 0 while bytes have already been consumed, leaving re...
CVE-2026-31673
The connected sources describe a Linux kernel vulnerability CVE-2026-31673 in the af_unix/UNIX_DIAG_VFS path. A race condition can occur when reading inode and device numbers for UNIX_DIAG_VFS without holding unix_state_lock consistently while u->path may be cleared by unix_release_sock(). The...
CVE-2026-31686
CVE-2026-31686 concerns the Linux kernel kasan double-free in kasan_remove_zero_shadow related to kasan_free_pxd() handling of pxd_page() vs start of the pxd table on architectures like PowerPC with 64K pages. The issue arises when the PUD table is not page-aligned, risking double-free during mem...
CVE-2026-43025
CVE-2026-43025 affects the Linux kernel netfilter component. A local attacker can trigger a slab-out-of-bounds read when creating new expectations by supplying a non-master conntrack helper, potentially enabling information disclosure from kernel memory. The issue is described across multiple sou...
CVE-2026-43062
CVE-2026-43062 concerns the Linux kernel Bluetooth L2CAP path, where l2cap_ecred_reconf_rsp() incorrectly casts incoming data to struct l2cap_ecred_conn_rsp instead of struct l2cap_ecred_reconf_rsp. This type confusion causes: (1) the length check to require 8 bytes instead of 2, rejecting valid ...
CVE-2026-43066
CVE-2026-43066: In Linux kernel ext4_fc_replay_inode(), iloc.bh leak could occur on error paths due to missing brelse at several failure points. The patch adds an out_brelse label before the existing out label to ensure iloc.bh is released, and also makes ext4_fc_replay_inode() propagate errors i...
CVE-2026-43072
CVE-2026-43072 affects the Linux kernel drm/vc4 code path: platform_get_irq_byname() may return a negative error value, which was previously passed directly to devm_request_threaded_irq() without proper checking. The issue has been resolved in updated kernel code, and multiple OS-specific advisor...
CVE-2026-43109
The CVE-2026-43109 issue concerns Linux kernel x86 shadow stacks where shstk_pop_sigframe() did not check errors from mmap_read_lock_killable(), and related __must_check annotations were missing. The connected OSV entries confirm patches in rootio-linux for Ubuntu/Debian releases (e.g., Ubuntu 22...
CVE-2026-43211
CVE-2026-43211 – Linux kernel PCI slot lock handling fix The issue arises in PCI lock management: pci_slot_trylock() incorrectly handled unlocking when nested locks fail, due to an extra pci_dev_unlock(dev) on the failure path after delegating to pci_bus_trylock(). This could trigger a warning ab...
CVE-2026-43254
CVE-2026-43254: Linux kernel openvpn TCP stream handling corrected. Ovpn_tcp_recv now allocates a separate skb per packet and uses skb_copy_bits to copy only the packet payload, skipping the 2-byte length prefix; length checks guard allocation to prevent invalid skbs. This resolves header offset ...
CVE-2026-43276
Summary: CVE-2026-43276 is a Linux kernel issue in the mana network driver causing a use-after-free during PCI service rescan. The crash occurs when mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() frees gc->service_wq, and a subsequent resume path leads to a second removal via man...
CVE-2026-43315
CVE-2026-43315 involves the Linux kernel KVM nSVM warning path. Technical details across connected docs show that a user-triggerable WARN is raised in svm_set_nested_state() when nested_svm_load_cr3() succeeds, and the patch removes this WARN. The rationale is that userspace can easily trigger th...
CVE-2026-43333
CVE-2026-43333 (Linux kernel BPF): The vulnerability arises from direct dereference of nullable PTR_TO_BUF pointers in check_mem_access(), where PTR_TO_BUF is matched via base_type() after PTR_MAYBE_NULL stripping, allowing NULL dereferences in map iterators ctx->key/value (NULL on stop callba...
CVE-2026-43340
Summary (CVE-2026-43340): The Linux kernel COMEDI subsystem contains a spinlock (dev->spinlock) in struct comedi_device that can be reinitialized when a COMEDI device is reattached to different low-level drivers via COMEDI_DEVCONFIG. This race can occur if multiple drivers with different lockd...