CVE-2026-23187

CVE-2026-23187 is tied to the Linux kernel: a bug in pmdomain/imx8m-blk-ctrl could trigger an out-of-range access to bc->domains in imx8m_blk_ctrl_remove(), potentially leading to memory corruption. The issue is acknowledged and listed in SUSE-SU-2026:1661-1 as CVE-2026-23187, with the fix des...

CVE-2026-23196

CVE-2026-23196 affects the Linux kernel through the Intel THC HID driver, where a NULL pointer dereference can occur when reading a DMA buffer. The root cause is missing a DMA buffer readiness check before access, potentially crashing the kernel. Red Hat’s advisory explicitly cites this NULL dere...

CVE-2026-23200

CVE-2026-23200: In the Linux kernel, a bug in ipv6 ECMP handling occurred when clearing RTF_ADDRCONF during static route addition, causing a mismatch between the fib6_next chain and fib6_siblings list and triggering a kernel BUG. The fix (as described in the report) is to clear RTF_ADDRCONF only ...

CVE-2026-23223

CVE-2026-23223 relates to the Linux kernel where the XFS filesystem code exhibits a use-after-free in xchk_btree_check_block_owner. The issue arises from dereferencing bs->cur after it (or related pointers) may have been freed, leading to incorrect aliasing checks for bs->sc->sa.{bno,rma...

CVE-2026-23224

CVE-2026-23224 relates to the Linux kernel EROFS UAF race on file-backed mounts with the directio option. The issue arises in a race between z_erofs_read_folio, erofs_fileio_submit_bio, and related IO workqueue paths, where a dio ki_complete path frees an iocb/rq while access to the underlying fi...

CVE-2026-23227

CVE-2026-23227 is addressed across several OSV records indicating patches in rootio-linux for Root:Debian/Ubuntu/OpenSUSE platforms, with multiple fixed versions available. The initial Linux kernel Vidi/Exynos memory-alloc race issue is fixed by ensuring proper locking around memory-alloc/free st...

CVE-2026-23237

CVE-2026-23237 affects the Linux kernel, specifically the platform/x86 classmate-laptop driver. The issue arises when sysfs attributes of the input device are accessed before the driver has stored the input device address, causing NULL pointer dereferences via dev_get_drvdata(&inputdev->dev) i...

CVE-2026-23262

CVE-2026-23262 affects the Linux kernel gve driver when queue counts are changed. The NIC and driver share a region in memory for stats reporting; the NIC calculates its offset into this region using the total stats size and the NIC’s own stats size. When the queue count increases, the driver res...

CVE-2026-23266

CVE-2026-23266 : In the Linux kernel fbdev rivafb driver, nv3_arb() can divide by state->mclk_khz (derived from PRAMDAC MCLK PLL) if an attacker exposes a zero value, causing a divide error and kernel crash. The fix adds a zero-check for state->mclk_khz before division. Affected: fbdev/riva...

CVE-2026-23404

CVE-2026-23404 affects the Linux kernel AppArmor profile management. The issue arises from recursive profile removal in the AppArmor code path; nested profiles could trigger deep recursion, risking kernel stack exhaustion and system crashes. The connected documents confirm the root cause is the r...

CVE-2026-23408

The CVE-2026-23408 issue affects the Linux kernel AppArmor module. The root cause was a double free of ns_name in aa_replace_profiles(): ns_name could be NULLed after it had been transferred from ent->ns_name, but ent->ns_name was freed later, and then freed again when kfree(ns_name). The p...

CVE-2026-23409

The CVE-2026-23409 issue is in the Linux kernel AppArmor differential encoding verification. It describes two bugs: (1) mixing states that have already been verified with those currently being checked, which can cause loops in the current chain to be treated as verified, and (2) an incorrect bail...

CVE-2026-23440

CVE-2026-23440 is a Linux kernel vulnerability in the net/mlx5e IPSec ESN update path. A race condition could cause the ESN wrap event to be processed twice: after validating the event, the driver updates the kernel xfrm state and the lock is temporarily released, risking incorrect ESN high-order...

CVE-2026-23444

CVE-2026-23444 has been addressed in the Linux kernel by fixing skb ownership handling in wifi/mac80211. The patch adds kfree_skb() in the ieee80211_tx_prepare_skb() failure path to ensure all error paths free the skb, and removes redundant frees in callers (ath9k, mt76, mac80211_hwsim). The func...

CVE-2026-23468

CVE-2026-23468 affects the Linux kernel’s DRM/amdgpu BO list handling. The issue was an attacker-controlled bo_number could trigger excessive memory allocation and slow list processing; the fix introduces a hard limit of 128k entries per BO list and returns -EINVAL when exceeded. Connected adviso...

CVE-2026-31394

CVE-2026-31394 concerns the Linux kernel mac80211 path where AP_VLAN (4addr) stations can trigger a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() due to sta->sdata pointing to VLAN sdata, which may not participate in chanctx reservations. The root cause is that link->reserved.oper...

CVE-2026-31397

CVE-2026-31397 relates to the Linux kernel memory management path mm/huge_memory move_pages_huge_pmd(), where the huge zero page branch used a NULL src_folio, causing a bogus PFN (or NULL dereference on some memory models) when constructing PMDs. The fix uses page_folio(src_page) to obtain a vali...

CVE-2026-31422

CVE-2026-31422 affects the Linux kernel’s net/sched subsystem. The vulnerability occurs in flow_change() where tcf_block_q() dereferences q->handle to derive a default baseclass for shared blocks, while block->q can be NULL for shared blocks. The fix adds a check of tcf_block_shared() befor...

CVE-2026-31436

Summary of CVE-2026-31436 : The Linux kernel’s dmaengine idxd driver contains a bug in the llist_abort_desc() function where the code completes the wrong descriptor (the variable “found” rather than the traversal cursor “d”) as the function unwinds a doubly linked list. This can lead to NULL poin...

CVE-2026-31508

The CVE-2026-31508 issue affects the Linux kernel in the Open vSwitch teardown path. The root cause is that after a patch, the teardown code for OVS ports no longer unconditionally takes the RTNL, allowing netdev_destroy() to finish and free the netdev before unregistration completes if the IFF_O...

CVE-2026-31516

The CVE-2026-31516 relates to the Linux kernel XFRM subsystem. A race occurs during net namespace teardown when a work item (policy_hthresh.work) queued by XFRM_MSG_NEWSPDINFO may run after the netns is freed, allowing xfrm_hash_rebuild() to dereference a freed struct net (potential use-after-fre...

CVE-2026-31562

Summary: CVE-2026-31562 affects the Linux kernel DRM/mediatek DSI driver. A local attacker could trigger a NULL pointer dereference due to an uninitialized drvdata being read during mipi_dsi_host_register, causing a crash in mediatek-drm probe and blocking subsequent DRM operations. The fixed beh...

CVE-2026-31622

Summary (CVE-2026-31622): In the Linux kernel NFC digital subsystem, the NFC‑A cascade depth handling in digital_in_recv_sdd_res() could allow a malicious peer to keep sending cascade responses, causing writes past the allocated nfc_target buffer (heap overflow) by exceeding the cascade depth. Th...

CVE-2026-31628

CVE-2026-31628 concerns the Linux kernel on Zen1 CPUs, where the x86/CPU FPDSS issue could allow a local attacker to leak partial results from prior operations via the hardware divider. Patches fix the vulnerability by applying a kernel change (the “chicken bit”) to prevent leakage. Connected adv...

CVE-2026-31636

Summary: CVE-2026-31636 affects the Linux kernel rxrpc subsystem. The root cause is in rxgk_verify_authenticator(), which copies auth_len into a temporary buffer and then uses p + auth_len as the parser limit. Because p is a __be32*, this inflates the parser end pointer by four, enabling a slab-o...

CVE-2026-31648

Summary of CVE-2026-31648 (Linux kernel) • Affects the kernel vulnerability in filemap handling: nr_pages overflow in filemap_map_pages() can cause set_pte_range() to map beyond the size of a large folio, potentially corrupting page metadata. • Root cause (as documented): race condition between f...

CVE-2026-31656

The CVE-2026-31656 issue affects the Linux kernel in the drm/i915/gt path, where a race between the heartbeat worker and intel_engine_park_heartbeat() can cause a refcount underflow and potential use-after-free of engine->heartbeat.systole. Root cause: a non-atomic read of the pointer followed...

CVE-2026-31659

The CVE-2026-31659 issue affects the batman-adv component in the Linux kernel. batadv_tt_prepare_tvlv_global_data() computes a 16‑bit allocation length for a global TT response; if a remote originator advertises a large TT, the TT payload length plus VLAN offset can exceed 65,535 and wrap before ...

CVE-2026-31703

The CVE-2026-31703 entry is supported by multiple connected sources describing a Linux kernel use-after-free in the writeback path. Specifically, inode_switch_wbs_work_fn() loops over switch_wbs_ctxs and can have wb->switch_work pending while the wb reference is dropped, enabling a use-after-f...

CVE-2026-31707

The CVE-2026-31707 issue affects the Linux kernel ksmbd component. The overflow vulnerability in ipc_validate_msg() arises from arithmetic on attacker-controlled fields when computing per-response message sizes, allowing wraparound in three cases (RPC_REQUEST, SHARE_CONFIG_REQUEST, LOGIN_REQUEST_...

CVE-2026-31762

CVE-2026-31762 affects the Linux kernel iio gyro mpu3050 driver. The root cause is an IRQ resource leak: during iio_trigger_register() failure, the interrupt handler is not properly released, leading to unreleased IRQ resources. The patch adds a cleanup goto to release the handler on error. Affec...

CVE-2026-43029

The CVE-2026-43029 issue affects the Linux kernel MPTCP implementation. When data is received with MSG_PEEK and MSG_WAITALL, skb’s are not removed from the sk_receive_queue, causing sk_wait_data() to incorrectly report data available and potentially trigger a soft lockup. The root cause is the mi...

CVE-2026-43047

The CVE-2026-43047 issue concerns the Linux kernel HID multitouch subsystem. A malicious or misconfigured HID device could answer a feature request with a different report ID than requested, causing the HID core to misinterpret data and potentially trigger out-of-bounds writes. The bug is fixed b...

CVE-2026-43053

CVE-2026-43053 affects the Linux kernel XFS filesystem. The flaw arises during inode inactivation with node-format extended attributes: xfs_attr3_node_inactive() invalidates child blocks but does not remove their references from the parent, creating a window where the parent can point to cancelle...

CVE-2026-43066

CVE-2026-43066: In Linux kernel ext4_fc_replay_inode(), iloc.bh leak could occur on error paths due to missing brelse at several failure points. The patch adds an out_brelse label before the existing out label to ensure iloc.bh is released, and also makes ext4_fc_replay_inode() propagate errors i...

CVE-2026-43073

CVE-2026-43073 stems from a misnamed x86-64 kernel routine __copy_user_nocache(), a non-temporal destination copy with exception handling that is not actually a pure user-kernel copy and has complex alignment behavior. The fix renames the function and normalizes the prototype so callers perform p...

CVE-2026-43105

The CVE-2026-43105 issue affects the Linux kernel’s DRM VC4 driver. The root cause is a memory leak where the hang state’s BO array is allocated with kzalloc() in vc4_save_hang_state() but is not freed in vc4_free_hang_state(), leaving memory allocated when the hang state is freed. A kfree() for ...

CVE-2026-43220

The CVE-2026-43220 entry concerns the Linux kernel iommu/amd component. The issue arises under concurrent TLB invalidations when CMD_COMPL_WAIT sequencing can be broken because cmd_sem_val was incremented outside the IOMMU spinlock, causing out-of-sequence command queuing and a disrupted completi...

CVE-2026-43229

The CVE-2026-43229 issue affects the Linux kernel via the chips-media wave5 driver. The root cause is an incorrect device cleanup order: video device unregistration was performed after power/runtime disable and hardware power-down, allowing a kthread worker to read hardware registers after autosu...

CVE-2026-43254

CVE-2026-43254: Linux kernel openvpn TCP stream handling corrected. Ovpn_tcp_recv now allocates a separate skb per packet and uses skb_copy_bits to copy only the packet payload, skipping the 2-byte length prefix; length checks guard allocation to prevent invalid skbs. This resolves header offset ...

CVE-2026-43256

CVE-2026-43256 is a Linux kernel vulnerability in the media subsystem (Qualcomm CAMSS VM) where the vfe_isr_reg_update() function may perform an out-of-bounds access. The code loops with MSM_VFE_IMAGE_MASTERS_NUM(7) but accesses vfe->line[] defined as struct vfe_line lineVFE_LINE_NUM_MAX . Whe...

CVE-2026-43308

CVE-2026-43308 affects the Linux kernel’s Btrfs code path, where an unexpected delayed ref type could previously trigger a BUG() in run_one_delayed_ref(). The issue could enable a local attacker to induce a system crash/DoS by triggering the faulty delay path. The advisory notes that the code can...

CVE-2026-43318

The CVE-2026-43318 entry affects the Linux kernel’s drm/amdgpu component, specifically the amdgpu_dma_buf_move_notify path. A synchronization bug arises when a dmabuf is moved and the issuing process signals the move while another process has not yet updated its page table; the ticket-based handl...

CVE-2026-43366

Summary: CVE-2026-43366 affects the Linux kernel’s io_uring/kbuf recycling path. A gap existed between when a buffer was grabbed and when it could be recycled; if the target list is empty, it could be upgraded to a ring-provided type without proper validation. The issue arises from missing checks...

CVE-2026-43373

The CVE-2026-43373 entry describes a Linux kernel vulnerability in the net: ncsi subsystem. Early return paths in NCSI RX and AEN handlers fail to release received skbuffers (skb) when processing invalid AEN packets or failing to resolve NCSI devices/handlers, leading to a memory leak. The impact...

CVE-2026-43409

CVE-2026-43409 affects the Linux kernel kprobes subsystem: when ftrace is disabled due to errors, removing a module that uses kprobes can crash the system because kprobes_ftrace_disabled is not correctly handled. Root cause: kprobe_ftrace_disabled flag mishandling in __disarm_kprobe_ftrace(). Mit...

CVE-2026-43430

The issue CVE-2026-43430 affects the Linux kernel USB driver for yurex. A race condition occurs in the probe path where the bbu field is not initialized before the URB completion handler uses it, creating a window during which descriptor data can be overwritten by concurrent probing. This can lea...

CVE-2026-45946

CVE-2026-45946 affects the Linux kernel ab8500 power supply driver. A race condition arises when IRQs are requested before the power_supply handle is fully registered, leading to a use-after-free if an interrupt fires after deallocation but before IRQ unregistration. The issue can crash the syste...

CVE-2026-45983

In CVE-2026-45983, the Linux kernel NFS server (nfsd) vulnerability stems from idmap lookup upcalls during v4 request decoding: if upcall responses are delayed beyond the time limit, cache_check() postpones the request and it gets dropped, causing NFSD4_SLOT_INUSE to block subsequent SEQUENCE ope...

CVE-2026-45984

The CVE-2026-45984 issue is a concrete Linux-kernel vulnerability in the GFS2 iomap inline data write path. A data buffer head (dibh) is released prematurely via release_metapath() in gfs2_iomap_begin(), while iomap->inline_data still references dibh->b_data, causing a use-after-free when i...