14330 matches found
CVE-2026-23010
CVE-2026-23010 is a Linux kernel use-after-free affecting inet6_addr_del() in IPv6 address deletion. The issue arises from the commit that moved ipv6_del_addr() for temporary addresses before reading the ifp->flags, causing a UAF in inet6_addr_del() when handling inet6_ifaddr during address de...
CVE-2026-23012
CVE-2026-23012 affects the Linux kernel (mm/damon/core): a use-after-free in damon_call_control handling when a DAMON context is inactive. If damon_call() runs against a non-running context, the call returns an error but the damon_call_control object remains linked to the context’s call_controls ...
CVE-2026-23017
CVE-2026-23017 affects the Linux kernel idpf driver. Root cause: if init_task fails during driver load, vports/netdevs are not created and a reset can crash while service/mailbox tasks run. Fix: in the init_task error path, disable service/mailbox tasks and stop PTP callbacks; ensures proper clea...
CVE-2026-23063
CVE-2026-23063 pertains to the Linux kernel, specifically the UACCE accelerator framework. The issue arises in the queue release path for uacce_queue when resources could be freed concurrently (e.g., during poweroff -f with accelerators still active). The root cause is unsafe sequencing of operat...
CVE-2026-23067
CVE-2026-23067 centers on an integer signedness bug in the Linux kernel’s ARM IOMMU path (io-pgtable-arm). __arm_lpae_unmap() returned a size_t (unsigned) but could yield -ENOENT on error, turning into a large positive value on 64-bit systems and propagating through the call chain to __iommu_unma...
CVE-2026-23068
CVE-2026-23068 (Linux kernel) : The spi-sprd-adi driver could double-free the spi_controller on probe failure due to using spi_alloc_host() with devm_spi_register_controller(), then falling through to spi_controller_put() when a restart handler registration failed. The fix switches to devm_spi_al...
CVE-2026-23085
CVE-2026-23085 affects the Linux kernel irqchip/gic-v3-its on 32-bit ARM with CONFIG_ARM_LPAE, where lowmem allocations could be backed by physical memory above 4 GB. The ITS driver stored a 32-bit address in an unsigned long, triggering truncation. The fix changes the itt_addr and related physic...
CVE-2026-23114
Summary (CVE-2026-23114) The Linux kernel arm64 FPSIMD/SVE state management vulnerability arises when SVE is supported but SME is not: a ptrace write to the NT_ARM_SVE regset can place the tracee in an invalid state, storing non-streaming SVE data in FP_STATE_SVE format while TIF_SVE is not set. ...
CVE-2026-23206
Summary: CVE-2026-23206 affects the Linux kernel dpaa2-switch driver where zero interfaces (num_ifs == 0) caused a NULL-like ZERO_SIZE_PTR allocation and a kernel panic during probe. The issue stems from allocating arrays with kcalloc() using ethsw->sw_attr.num_ifs and dereferencing ports[0] i...
CVE-2026-23232
The CVE-2026-23232 entry pertains to the Linux kernel and the f2fs file system. According to the connected data, a patch intended to enable a block cache/DIO write during f2fs_enable_checkpoint() was reverted because the original patch could cause a deadlock. The revert sequence involves lock ord...
CVE-2026-23238
CVE-2026-23238 (Linux kernel — romfs): The romfs implementation in the kernel failed to honor the return value of sb_set_blocksize(), continuing a mount when the requested ROMBSIZE (e.g., 4096) was incompatible with the device’s logical_block_size (e.g., 32768). This could occur by using LOOP_SET...
CVE-2026-23266
CVE-2026-23266 : In the Linux kernel fbdev rivafb driver, nv3_arb() can divide by state->mclk_khz (derived from PRAMDAC MCLK PLL) if an attacker exposes a zero value, causing a divide error and kernel crash. The fix adds a zero-check for state->mclk_khz before division. Affected: fbdev/riva...
CVE-2026-23312
CVE-2026-23312 concerns the Linux kernel: the net: usb: kaweth driver did not validate USB endpoint counts/types when probing a device. The root cause is lack of validation before binding, which could allow a malicious device to cause a crash by accessing endpoints that aren’t present or correctl...
CVE-2026-23318
CVE-2026-23318 affects the Linux kernel ALSA USB-audio UAC3 header validation. The validator table for UAC3 AC header descriptors used UAC_VERSION_2 instead of UAC_VERSION_3, so real UAC3 devices were not validated and could trigger out-of-bounds reads when the driver accesses unvalidated descrip...
CVE-2026-23386
CVE-2026-23386 concerns the Linux kernel gve driver in QPL mode, where gve_tx_clean_pending_packets() could misinterpret the dma_addr_t array as buffer IDs, causing out-of-bounds/unmap errors. The root cause was an improper buffer cleanup path in gve_tx_clean_pending_packets() that could referenc...
CVE-2026-23404
CVE-2026-23404 affects the Linux kernel AppArmor profile management. The issue arises from recursive profile removal in the AppArmor code path; nested profiles could trigger deep recursion, risking kernel stack exhaustion and system crashes. The connected documents confirm the root cause is the r...
CVE-2026-23409
The CVE-2026-23409 issue is in the Linux kernel AppArmor differential encoding verification. It describes two bugs: (1) mixing states that have already been verified with those currently being checked, which can cause loops in the current chain to be treated as verified, and (2) an incorrect bail...
CVE-2026-23427
Summary: CVE-2026-23427 affects ksmbd in the Linux kernel and has been fixed to address a use-after-free in durable v2 replay of active SMB file handles. The root cause is that parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling D...
CVE-2026-31403
CVE-2026-31403 is a Linux kernel vulnerability affecting NFSD where a proc entry (/proc/fs/nfs/exports) captured the caller’s network namespace without holding a reference. If the namespace is torn down after opening the exports fd (e.g., container destruction with setns), nfsd_net_exit() may fre...
CVE-2026-31411
CVE-2026-31411: Linux kernel ATM signaling path (net/atm) allowed forged user pointers via sendmsg(), leading to potential memory safety risks. A fix adds find_get_vcc() to validate the vcc pointer against the vcc_hash and uses sock_hold() to keep the object alive during processing of signaling o...
CVE-2026-31450
CVE-2026-31450 describes a race in ext4 where ei->jinode was published to concurrent readers before jbd2_journal_init_jbd_inode() completed, allowing a non-NULL jinode to be observed with i_vfs_inode still NULL. The mitigated issue could lead to a crash when a reader passes jinode to jbd2_wait...
CVE-2026-31489
This CVE (CVE-2026-31489) affects the Linux kernel meson-spicc SPI controller driver. The vulnerability arises from a double-put: meson_spicc_probe() registers the controller with devm_spi_register_controller(), and the removal path erroneously calls spi_controller_put() again in meson_spicc_remo...
CVE-2026-31491
In the Linux kernel’s RDMA/irdma component, CVE-2026-31491 stems from depth calculation functions that fail to properly guard against U32_MAX inputs for SQ/RQ/SRQ sizes. The issue can cause integer overflow and truncation, leading to the function returning success when it should fail. Public repo...
CVE-2026-31536
The vulnerability CVE-2026-31536 affects the Linux kernel SMB direct server implementation. In smb: server: let send_done handle a completion without IB_SEND_SIGNALED, during smbdirect_send_batch processing requests may be processed without IB_SEND_SIGNALED and could be destroyed in the final req...
CVE-2026-31593
CVE-2026-31593 is a Linux kernel KVM SEV SNP issue. The vulnerability arises when updating an already-launched and encrypted vCPU state: attempting to sync the vCPU's VMSA can trigger an SEV-SNP cryptographic memory protection (RMP) violation, causing a host panic/DoS. Technical details across mu...
CVE-2026-31595
CVE-2026-31595 affects the Linux kernel PCI endpoint driver for the vntb (pci-epf-vntb) where the cleanup path epf_ntb_epc_cleanup does not disable the delayed work before clearing BAR mappings and doorbells. The referenced details describe that if the delayed work isn’t disabled, the cmd_handler...
CVE-2026-31668
The CVE-2026-31668 issue affects the Linux kernel’s seg6 lwtunnel, where a single dst_cache was shared between input and output paths. This allowed the post-encap SID lookup to be performed in different routing contexts, with the second path potentially reusing the first path’s cached data and by...
CVE-2026-31699
Technical details about CVE-2026-31699 are not publicly available in the provided documents. Monitor for updates from OSV, Red Hat, SUSE, Debian and other trackers for affected products and fixes.
CVE-2026-31707
The CVE-2026-31707 issue affects the Linux kernel ksmbd component. The overflow vulnerability in ipc_validate_msg() arises from arithmetic on attacker-controlled fields when computing per-response message sizes, allowing wraparound in three cases (RPC_REQUEST, SHARE_CONFIG_REQUEST, LOGIN_REQUEST_...
CVE-2026-43027
The CVE-2026-43027 vulnerability in the Linux kernel arises from nf_conntrack_helper_unregister() freeing a helper while expectations still reference it due to NULL data in nf_ct_expect_iterate_destroy(), leading to use-after-free when later access occurs. The fix is to pass the actual helper poi...
CVE-2026-43036
Summary (CVE-2026-43036) : The issue resides in the Linux kernel networking path, where gso_features_check() read IPv4 header offsets (iph->frag_off) in a way that could dereference uninitialized data when packets are injected via PF_PACKET paths. The root cause is unsafe header dereferencing ...
CVE-2026-43049
CVE-2026-43049 affects the Linux kernel HID logitech-hidpp driver (Logitech G920 force feedback). If force feedback init fails, resources may be torn down inconsistently, enabling a use-after-free (UAF) if userspace still references dangling objects. The fixed approach chose to warn but return su...
CVE-2026-43080
Summary of CVE-2026-43080 (Linux kernel) : The issue resides in the L2TP/PPP over L2TP code path where an oversized PPPoL2TP packet sent with UDP encapsulation can trigger an overflow of the 16‑bit UDP length field, causing the length to be trimmed and potentially sending malformed packets. The p...
CVE-2026-43093
CVE-2026-43093 is a Linux kernel issue in the xsk (AF_XDP) subsystem where headroom validation for UMEM was tightened in xdp_umem_reg(), addressing potential memory corruption of skb_shared_info and insufficient space for minimum-sized Ethernet frames. The fix accounts for 128-byte alignment as a...
CVE-2026-43205
CVE-2026-43205 affects the Linux kernel's dpaa2-switch handling. The defect arises from the driver obtaining sw_attr.num_ifs from firmware without validating it against DPSW_MAX_IF (64). This allows an out-of-bounds write in dpaa2_switch_fdb_get_flood_cfg() when num_ifs can reach 64, as it writes...
CVE-2026-43206
Summary: CVE-2026-43206 affects the Linux kernel’s drm/amdkfd component. The function kfd_event_page_set() writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes using memset without validating the destination buffer size, allowing an unprivileged local user to trigger an out-of-bounds memory write and potentia...
CVE-2026-43258
CVE-2026-43258 concerns the Linux kernel: on Alpha systems, memory compaction can trigger user-space crashes and heap corruption due to insufficient TLB shootdown during page migration. Root cause involves ASN rollover and stale instruction translations surviving migration. The fix introduces a m...
CVE-2026-43309
The CVE-2026-43309 issue affects the Linux kernel’s md raid and device-mapper (dm-raid) components. When stopping a RAID array managed by dm-raid, the system could hang because md_stop() attempted to flush the write-intent bitmap to metadata sub-devices that were already suspended. The fix preven...
CVE-2026-43328
Root cause: in the Linux kernel cpufreq governor, the error path in cpufreq_dbs_governor_init() could trigger a double free when kobject_init_and_add() fails. The kobject release path previously attempted cleanup via gov->exit(dbs_data) and kfree(dbs_data) twice. The fix keeps a direct kfree(d...
CVE-2026-43345
Summary: The CVE concerns the Linux kernel IPA driver. For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The register definition intended to define this field in CH_C_CNTXT_1 but used the old identifier ERINDEX instead of CH_ERINDEX, causing an incorrect event rin...
CVE-2026-43349
The CVE-2026-43349 entry concerns the Linux kernel’s Flash-Friendly File System (f2fs). The issue arises when f2fs_finish_read_bio() may access uninitialized data in a folio if a read from the device fails, triggering an uninitialized-value access in f2fs_sanity_check_node_footer. The root cause,...
CVE-2026-43357
The CVE-2026-43357 entry concerns the Linux kernel iio: gyro: mpu3050-core driver. The root cause is incorrect PM runtime error handling: pm_runtime_get_sync() return value isn’t checked and the device usage count is incremented unconditionally, potentially allowing access to hardware that failed...
CVE-2026-43361
CVE-2026-43361 affects the Linux kernel Btrfs subsystem. The issue arises when snapshotting a previously received subvolume can overflow BTRFS_UUID_KEY_RECEIVED_SUBVOL, causing a transaction abort and putting the filesystem into read-only mode. The vulnerability can be triggered by repeatedly sna...
CVE-2026-43403
CVE-2026-43403 concerns the Linux kernel nsfs component. The issue arises from insufficient permission checks in ns iteration ioctls, potentially allowing a privileged service to view information from other privileged services and perform information disclosure. Multiple sources (Red Hat, Debian,...
CVE-2026-43430
The issue CVE-2026-43430 affects the Linux kernel USB driver for yurex. A race condition occurs in the probe path where the bbu field is not initialized before the URB completion handler uses it, creating a window during which descriptor data can be overwritten by concurrent probing. This can lea...
CVE-2026-43432
CVE-2026-43432 relates to the Linux kernel USB xHCI driver. The error path in usb/xhci_disable_slot() previously freed only the command structure (via kfree), leaking the associated completion structure. The patch changes the code to call xhci_free_command() , which frees both the command structu...
CVE-2026-43436
The CVE-2026-43436 vulnerability affects the Linux kernel ALSA USB-audio driver (Scarlett2 mixer quirk). A malformed USB descriptor can trigger a NULL dereference in scarlett2_find_fc_interface() due to assuming an endpoint exists. The patch adds a sanity check for bNumEndpoints and skips invalid...
CVE-2026-43472
The CVE describes a Linux kernel unshare(2) bug: when CLONE_NEWNS is requested and current->fs wasn’t previously shared, copy_mnt_ns() could receive a non-private fs_struct. If copy_mnt_ns() succeeds but a subsequent copy_cgroup_ns() fails, the destroyed namespace can leave current->fs->...
CVE-2026-43489
The CVE-2026-43489 issue concerns the Linux kernel liveupdate code path for LUO files, specifically luo_file.retrieve_status. The bug arises because on a failed retrieve, luo_retrieve_file() returns an error without recording that a retrieve was attempted or its error code. This can cause an erro...
CVE-2026-43497
The CVE-2026-43497 issue affects the Linux kernel fbdev path (udlfb/dlfb) where dlfb_ops_mmap maps vmalloc framebuffer pages without vm_ops, preventing mmap tracking. This allowed stale user PTEs to coexist with freed kernel pages after dlfb_realloc_framebuffer() via FBIOPUT_VSCREENINFO, causing ...