CVE-2026-31508

The CVE-2026-31508 issue affects the Linux kernel in the Open vSwitch teardown path. The root cause is that after a patch, the teardown code for OVS ports no longer unconditionally takes the RTNL, allowing netdev_destroy() to finish and free the netdev before unregistration completes if the IFF_O...

CVE-2026-23306

The CVE-2026-23306 issue affects Linux kernel SCSI pm8001 code. A refactor of pm8001_queue_command() to return -ENODEV in phy-down/device-gone states could inadvertently free the SAS task twice: pm8001_queue_command() would free the underlying SAS task, then libsas sas_ata_qc_issue() would attemp...

CVE-2026-23310

Summary: CVE-2026-23310 affects the Linux kernel bonding/kern XDP path. If a bond is in 802.3ad or balance-xor mode and an XDP program is loaded, changing xmit_hash_policy to vlan+srcmac can escape the existing guard, leaving bond->xdp_prog set and causing an incompatible state during tear-dow...

CVE-2026-23313

CVE-2026-23313 : In the Linux kernel, a preempt-count leak was fixed in the i40e driver by replacing get_cpu() with smp_processor_id() in the napi poll tracepoint assignment. The leak occurred because put_cpu() was not invoked to undo the cpu reference, as illustrated by preempt_count traces. The...

CVE-2026-23315

The CVE affects the Linux kernel mt76 wifi driver (mt76_connac2_mac_write_txwi_80211). The root cause is that the function could perform an out-of-bounds access by not validating the frame length before accessing management fields, including mgmt->u.action.u.addba_req.capab. This could enable ...

CVE-2026-23346

CVE-2026-23346 affects the Linux kernel (arm64) in the ioremap_prot pathway. The root cause is that ioremap_prot() may extract non-address bits from a user mapping’s pgprot_t (including permissions) and generate a new user mapping, which can be accessed by the kernel when PAN is enabled. This can...

CVE-2026-23358

CVE-2026-23358 affects the Linux kernel drm/amdgpu driver. The issue arises during slot reset error handling where an uninitialized hive pointer could be used to decide flow at the error path, potentially leading to accessing an uninitialized list. The fix initializes the list and hive properly a...

CVE-2026-23383

CVE-2026-23383 affects the Linux kernel’s BPF JIT path on arm64. The root cause was 4-byte alignment in bpf_jit_binary_pack_alloc() causing the JIT buffer’s base to be only 4-byte aligned, which could misalign the 64-bit target field in struct bpf_plt. Consequences include UBSAN misaligned-access...

CVE-2026-23394

CVE-2026-23394 – af_unix GC race with MSG_PEEK (Linux kernel) : A race between MSG_PEEK and garbage collection can cause the GC to incorrectly GC dead sockets, since MSG_PEEK silently bumps a file refcount. The issue originates from a change in the current GC algorithm and the removal of the lock...

CVE-2026-23404

CVE-2026-23404 affects the Linux kernel AppArmor profile management. The issue arises from recursive profile removal in the AppArmor code path; nested profiles could trigger deep recursion, risking kernel stack exhaustion and system crashes. The connected documents confirm the root cause is the r...

CVE-2026-23419

CVE-2026-23419 affects the Linux kernel’ s RDS implementation. The issue is a circular locking dependency in net/rds: a memory allocation performed inside the socket lock during the call to sk_net_refcnt_upgrade() creates a deadlock with fs_reclaim. The root cause is that sk_net_refcnt_upgrade() ...

CVE-2026-23452

CVE-2026-23452 refers to a race condition in the Linux kernel PM: runtime code during device removal. The root cause described is the potential dereference of the parent device pointer (parent->power) after the parent is freed within pm_runtime_work(), which could lead to a use-after-free scen...

CVE-2026-23461

CVE-2026-23461: In the Linux kernel Bluetooth L2CAP, l2cap_register_user() and l2cap_unregister_user() did not consistently acquire conn->lock, creating a race with l2cap_conn_del() that can access conn->users and conn->hchan concurrently. This caused use-after-free and list corruption. ...

CVE-2026-31394

CVE-2026-31394 concerns the Linux kernel mac80211 path where AP_VLAN (4addr) stations can trigger a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() due to sta->sdata pointing to VLAN sdata, which may not participate in chanctx reservations. The root cause is that link->reserved.oper...

CVE-2026-31396

Summary: CVE-2026-31396 affects the Linux kernel’s net/macb and PTP clock subsystem. The root cause is a use-after-free in ptp_clock_index() when the PTP clock is accessed via get_ts_info while the interface’s PTP clock object has been deregistered. This allows a local attacker to trigger a crash...

CVE-2026-31428

CVE-2026-31428 — In the Linux kernel, nfnetlink_log’s __build_packet_message() previously built NFULA_PAYLOAD attributes manually via skb_put()/skb_copy_bits(), bypassing nla_reserve()/nla_put(). This caused trailing padding to remain uninitialized, leaking stale heap data to userspace over NFLOG...

CVE-2026-31449

The CVE-2026-31449 entry concerns the Linux kernel ext4 extent code. A vulnerability was fixed in ext4_ext_correct_indexes where path[k].p_idx could point outside the valid index range if the on-disk eh_entries were corrupted, causing a slab-out-of-bounds read. The fix validates path[k].p_idx aga...

CVE-2026-31491

In the Linux kernel’s RDMA/irdma component, CVE-2026-31491 stems from depth calculation functions that fail to properly guard against U32_MAX inputs for SQ/RQ/SRQ sizes. The issue can cause integer overflow and truncation, leading to the function returning success when it should fail. Public repo...

CVE-2026-31505

The CVE-2026-31505 issue affects the Linux kernel iavf driver: out-of-bounds writes occur because iavf_get_ethtool_stats() uses real_num_tx_queues for ETH_SS_STATS while other paths use num_tx_queues, enabling memory corruption when ethtool -L and ethtool -S run concurrently. The fix is to use im...

CVE-2026-31509

CVE-2026-31509 affects the Linux kernel NFC NCI subsystem. The vulnerability stems from nci_close_device() flushing rx_wq and tx_wq while holding req_lock, creating a circular locking dependency with nci_rx_work() and related paths. The fix moves the rx_wq flush to after req_lock is released, rel...

CVE-2026-31592

CVE-2026-31592 affects the Linux kernel KVM subsystem. The vulnerability arises when sev_mem_enc_register_region() is not protected by kvm->lock before sev_guest() is checked, risking state corruption if KVM_INIT{2} fails and an uninitialized sev->regions_list is touched, potentially causin...

CVE-2026-31662

CVE-2026-31662 concerns the Linux kernel’s TIPc grouping protocol. The bug in tipc_group_proto_rcv() decrements bc_ackers for every inbound GRP_ACK_MSG, even if the sender already acknowledged the current broadcast round. Since bc_ackers is a 16-bit unsigned, a duplicate ACK after the last legiti...

CVE-2026-31667

CVE-2026-31667 concerns the Linux kernel’s uinput and ff-core, where a circular locking dependency could cause a local deadlock when a force-feedback gamepad is used. The concrete sequence involves four lock paths that form a cycle: ff->mutex, udev->mutex, input_mutex, dev->mutex, and ba...

CVE-2026-31678

CVE-2026-31678 – Linux kernel Open vSwitch tunnel netdev handling fix. The issue arose when ovs_netdev_tunnel_destroy() could run after NETDEV_UNREGISTER detached the device, risking a race as it dropped the netdev reference while readers still observed vport->dev. The resolution is to not rel...

CVE-2026-31681

CVE-2026-31681 affects the Linux kernel netfilter xt_multiport component. The issue is in ports_match_v1() where a non-zero pflags entry is treated as a range start, causing the end of the range to be consumed incorrectly and potentially reading past the last ports[] element when a malformed rule...

CVE-2026-31694

Summary: CVE-2026-31694 fixes a Linux kernel FUSE directory-entry handling flaw. A malicious FUSE server could cause a 24-byte overflow by returning a dirent whose serialized size (based on namelen) exceeds a single PAGE_SIZE. The bug arises in fuse_add_dirent_to_cache(), which previously only ch...

CVE-2026-31716

The CVE-2026-31716 entry covers a Linux kernel NTFS3 flaw in journal replay. Description from multiple sources states that check_file_record() validates rec->total against the record size but not rec->used. The journal-replay handlers read rec->used from disk and use it to compute memmov...

CVE-2026-31725

CVE-2026-31725 affects the Linux kernel’s USB gadget f_ecm functionality. The vulnerability arises during function unbinds when the net_device is created and registered under the gadget device, but is not de-parented correctly, leaving dangling sysfs links under /sys/class/net and /sys/devices/pl...

CVE-2026-31726

Technical details for CVE-2026-31726 are not publicly available in the provided Connected documents. The Initial Description outlines a Linux kernel UVC unbind race fix, but no vendor/product/version specifics are given here. Monitor for updates from OSV/Mageia/Debian advisories.

CVE-2026-31788

The CVE-2026-31788 entry describes a vulnerability in the Linux kernel related to the Xen privcmd driver. The privcmd interface could allow a user-space process to issue hypercalls that affect other domains, which is normally restricted to root. In secure-boot scenarios, an unprivileged domU coul...

CVE-2026-43023

CVE-2026-43023 affects the Linux kernel Bluetooth SCO path. A race condition in sco_sock_connect() allows two concurrent connect() attempts on the same socket to bypass locks, leading to use-after-free and potential socket/state corruption (BT_OPEN -> BT_CONNECT with zombie sk). The issue is d...

CVE-2026-43024

CVE-2026-43024 affects Linux kernel nf_tables/netfilter: nf_queue. The issue is that immediate NF_QUEUE verdicts were emitted and could be misused; upstream patch rejects immediate NF_QUEUE verdicts to fix it. Downstream advisories indicate fixes implemented in kernel updates (e.g., upstream kern...

CVE-2026-43042

The CVE-2026-43042 issue affects the Linux kernel MPLS code. It describes a race condition where concurrent operations on platform label data can yield an inconsistent view during a resize of the platform_label tables, particularly in the RCU-protected paths mpls_forward and mpls_dump_routes unde...

CVE-2026-43072

CVE-2026-43072 affects the Linux kernel drm/vc4 code path: platform_get_irq_byname() may return a negative error value, which was previously passed directly to devm_request_threaded_irq() without proper checking. The issue has been resolved in updated kernel code, and multiple OS-specific advisor...

CVE-2026-43078

The CVE-2026-43078 entry affects the Linux kernel crypto/af_alg component. A root-cause was an overflow in page reassignment within af_alg_pull_tsgl where the update to support page reallocation wasn’t fully reflected in the loop, allowing one extra page to be reassigned. The vulnerability is des...

CVE-2026-43080

Summary of CVE-2026-43080 (Linux kernel) : The issue resides in the L2TP/PPP over L2TP code path where an oversized PPPoL2TP packet sent with UDP encapsulation can trigger an overflow of the 16‑bit UDP length field, causing the length to be trimmed and potentially sending malformed packets. The p...

CVE-2026-43125

CVE-2026-43125 affects the Linux kernel dlm module. The vulnerability stems from unvalidated length in dlm_dump_rsb_name() coming from network messages, allowing an out-of-bounds write in dlm_search_rsb_tree() when the length exceeds DLM_RESNAME_MAXLEN. This could enable denial of service and, in...

CVE-2026-43222

In the Linux kernel, the media: verisilicon: AV1 driver patch fixes a buffer-size miscalculation for tile information. The tile info structure (row_sb, col_sb, start_pos, end_pos) requires AV1_MAX_TILES × 16 bytes; using the incorrect define caused writes to non-allocated memory, risking memory c...

CVE-2026-43241

CVE-2026-43241 affects the Linux kernel component ntb_hw_switchtec. The root cause is an array-index-out-of-bounds access related to the number of MW LUTs (dependent on NTB configuration) which can access mw_sizes incorrectly. A patch was applied to guard against invalid index accesses and to pri...

CVE-2026-43270

The CVE-2026-43270 issue affects the Linux kernel media: mtk-mdp module. In mtk_mdp_probe(), vpu_get_plat_device() increases the platform device reference count and is not consistently released in mtk_mdp_remove(), creating a reference-leak vulnerability. Red Hat and Debian OS/tracking entries co...

CVE-2026-43276

Summary: CVE-2026-43276 is a Linux kernel issue in the mana network driver causing a use-after-free during PCI service rescan. The crash occurs when mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() frees gc->service_wq, and a subsequent resume path leads to a second removal via man...

CVE-2026-43281

CVE-2026-43281 affects the Linux kernel mailbox subsystem. The flaw is an out-of-bounds access in fw_mbox_index_xlate() that can occur when #mbox-cells is

CVE-2026-43288

Summary: CVE-2026-43288 relates to the Linux kernel ext4 filesystem. The root cause is a per-CPU counter accessed before it is initialized during block bitmap validation, which can cause a kernel panic and potential DoS when mounting a specially crafted ext4 filesystem with quota/project options....

CVE-2026-43289

CVE-2026-43289 relates to the Linux kernel kexec flow. The patch fixes kexec_load_purgatory() so image->start is derived from the purgatory_start symbol when present, rather than blindly locating e_entry within an SHF_EXECINSTR section. This prevents the entrypoint check from matching multiple...

CVE-2026-43292

The CVE-2026-43292 issue affects the Linux kernel mm/vmalloc path when CONFIG_PAGE_OWNER is enabled. During vmalloc cleanup, freeing KASAN shadow pages can trigger stack unwinding under an RCU read lock, and processing a large purge_list (kasan_release_vmalloc_node) may cause long RCU stalls (10+...

CVE-2026-43300

CVE-2026-43300 affects the Linux kernel DRM panel code, specifically a NULL-pointer dereference in jdi_panel_dsi_remove(). When jdi is NULL, the function can proceed to call jdi_panel_disable(), which dereferences jdi unconditionally, causing a crash. The advisory shows the fix: return early from...

CVE-2026-43308

CVE-2026-43308 affects the Linux kernel’s Btrfs code path, where an unexpected delayed ref type could previously trigger a BUG() in run_one_delayed_ref(). The issue could enable a local attacker to induce a system crash/DoS by triggering the faulty delay path. The advisory notes that the code can...

CVE-2026-43309

The CVE-2026-43309 issue affects the Linux kernel’s md raid and device-mapper (dm-raid) components. When stopping a RAID array managed by dm-raid, the system could hang because md_stop() attempted to flush the write-intent bitmap to metadata sub-devices that were already suspended. The fix preven...

CVE-2026-43317

CVE-2026-43317 affects the Linux kernel under the internal module path described as the “most: core” component. The issue is a resource leak that occurs during early registration failures, where resources associated with the interface are not properly released. A recent commit fixes a leak in the...

CVE-2026-43324

The CVE-2026-43324 entry covers a Linux kernel USB dummy-hcd synchronization bug. The issue stems from an emulated synchronize_irq() that ran before emulated interrupt-disable, allowing potential callback races when a gadget driver is unbound. The fix moved synchronization to the dummy_udc_async_...