CVE-2025-39940

CVE-2025-39940 concerns the Linux kernel’s dm-stripe component. A potential integer overflow can occur in stripe_io_hints when the chunk size is too large. The fix tests for an overflow and, if detected, avoids setting limits->io_min and limits->io_opt. This mitigates a local-privilege vect...

CVE-2025-39951

CVE-2025-39951 is a Linux kernel use-after-free issue in virtio_uml during probe, fixed by virtio_uml_probe() logic (vu_dev->registered set only after successful registration). Connected advisories show Debian LTS updates addressing this CVE in linux packages (5.10.247-1 for Debian 11 and linu...

CVE-2025-71081

The CVE-2025-71081 affects the Linux kernel ASoC: stm32 component (SAI) where the OF sync provider node reference was only dropped on a failed set_sync() during DAI probe. The fix ensures the reference is dropped on platform probe failures (e.g., probe deferral) and on driver unbind, preventing a...

CVE-2025-71086

Technical details for CVE-2025-71086 are not publicly available in the provided documents. Monitor for updates from official advisories; the initial description mentions a Linux kernel fix in net rose_kill_by_device but no product/version specifics are provided here.

CVE-2025-71098

The CVE CVE-2025-71098 affects the Linux kernel’s IP6_GRE path. Syzbot crashes were caused by ip6gre_header() relying on dynamic dev->needed_headroom/dev->hard_header_len, enabling skb underflow when an skb with insufficient headroom was used (e.g., during mld_sendpack/mld_finish_output pat...

CVE-2025-71099

Technical details for CVE-2025-71099 are not publicly available in the provided documents; monitor for updates.

CVE-2025-71139

CVE-2025-71139 – Linux kernel kexec CMA/IMA handling : The issue arises when the kexec target address is allocated in CMA space. The kernel’s kimage_map_segment() path assumes IND_SOURCE pages exist and maps them via vmap(), but CMA-based allocation bypasses IND_SOURCE, leading to a warning and i...

CVE-2025-71186

Technical details (affected component, root cause, impact, and patch information) for CVE-2025-71186 are not publicly provided in the supplied documents. Monitor for updates from official advisories and vendor/security bulletins.

CVE-2025-71200

The CVE-2025-71200 entry describes a Linux kernel vulnerability in mmc: sdhci-of-dwcmshc where in HS200/HS400 timing modes lowering the clock below 52MHz could break the link due to the Rockchip DWC MSHC controller requiring a 52MHz minimum. The fix adds a check to prevent illegal clock reduction...

CVE-2025-71201

CVE-2025-71201 concerns the Linux kernel netfs subsystem, specifically a race/logic issue in buffered reads where read results could be collected beyond the intended EOF due to an end-check that used the file end rather than the folio end. The vulnerability manifests during asynchronous subreques...

CVE-2025-71230

CVE-2025-71230 in Linux kernel concerns a leak of filesystem-specific data (sb->s_fs_info) when using the new mount API for hfs. The root cause is that if setup_bdev_super() fails after a new superblock is allocated by sget_fc() but before hfs_fill_super() takes ownership, sb->s_fs_info cou...

CVE-2025-71266

The CVE-2025-71266 entry concerns the Linux kernel ntfs3 filesystem. A malformed directory entry in NTFS3 could trigger an infinite loop in indx_find during lookups, repeatedly reading the same block and allocating 4 KB per iteration, causing memory exhaustion and potential DoS. The vulnerability...

CVE-2025-71267

CVE-2025-71267 : In the Linux kernel ntfs3 file system, a flaw in ATTR_LIST handling can cause an infinite loop and DoS during mount. Specifically, when ntfs_load_attr_list() processes a resident ATTR_LIST with data_size set to zero, memory is still allocated due to al_aligned(0), leaving ni->...

CVE-2026-23023

CVE-2026-23023 concerns the Linux kernel, where a memory leak was fixed in the idpf driver. The vulnerability arises from not freeing vport->rx_ptype_lkup in idpf_vport_rel(), leading to leaked memory during a reset. The fix frees the memory as part of idpf_vport_rel(), preventing the unrefere...

CVE-2026-23026

The CVE-2026-23026 entry concerns the Linux kernel DMA engine Qualcomm gpi driver. It fixes a memory leak in gpi_peripheral_config(): if krealloc() fails and returns NULL, the code directly assigns NULL to gchan->config, discarding the original memory. The patch uses a temporary variable to ho...

CVE-2026-23071

CVE-2026-23071 (Linux kernel) resolves a race in regmap hwspinlock irqsave. The bug occurred when the shared member map->spinlock_flags was passed directly to hwspin_lock_timeout_irqsave, allowing concurrent contexts contending for the lock to overwrite the shared flags and corrupt the lock ow...

CVE-2026-23075

CVE-2026-23075 affects the Linux kernel CAN networking support. The issue arises from the esd_usb_read_bulk_callback() path where URBs for USB-in transfers are unanchored by the USB core after completion, leading to a memory leak if esd_usb_close() frees URBs that are no longer anchored. The fix ...

CVE-2026-23079

CVE-2026-23079 affects the Linux kernel, specifically the gpio cdev path. The issue is that on error handling paths, in lineinfo_changed_notify(), allocated resources are not freed, causing resource leaks. The publicly described fix is to free those resources on error paths. Metrics indicate a CV...

CVE-2026-23100

The CVE-2026-23100 entry concerns the Linux kernel mm/hugetlb code and a fix for hugetlb_pmd_shared(). The vulnerability stemmed from how shared PMD tables were detected; the patch set switches to using an independent shared count and the ptdesc_pmd_is_shared() check, so that shared PMD tables ar...

CVE-2026-23108

The CVE-2026-23108 issue concerns the Linux kernel CAN driver can: usb_8dev. The vulnerability arises from URBs used for USB in transfers in usb_8dev_open()/usb_8dev_start() being anchored to priv->rx_submitted, then re-submitted in usb_8dev_read_bulk_callback(), but the USB framework unanchor...

CVE-2026-23139

CVE-2026-23139 affects the Linux kernel netfilter nf_conncount code. The root cause was that the last_gc timestamp was updated every time a connection was tracked, even when a garbage collection (GC) was not performed, enabling potential GC bypass under high packet rates and unbounded growth of t...

CVE-2026-23143

CVE-2026-23143 affects the Linux kernel virtio_net driver. The root cause is a misalignment between struct virtio_net_rss_config_trailer and rss_hash_key_data in struct virtnet_info, causing the RSS key to be shifted by one byte (last byte truncated and an possibly uninitialized byte prepended). ...

CVE-2026-23150

Technical details about CVE-2026-23150 are not publicly provided in the supplied documents. The description mentions a memory leak fix in NFC LLCP, but no vendor/product/version specifics or remediation steps are included here. Monitor for updates.

CVE-2026-23162

CVE-2026-23162 relates to the Intel Xe GPU driver in the Linux kernel (drm/xe/nvm). A double-free vulnerability occurs during initialization: after auxiliary_device_init() succeeds, if auxiliary_device_add() then fails, the memory may be freed twice (via the device release path and a premature fr...

CVE-2026-23165

CVE-2026-23165 affects the Linux kernel sfc (Solarflare) network driver. The issue is a deadlock when reading RSS config with ethtool -x because the driver locks the net_device rss_lock that is already held by the core; the fix is to remove the driver-side lock acquisition (deadlock avoidance). P...

CVE-2026-23238

CVE-2026-23238 (Linux kernel — romfs): The romfs implementation in the kernel failed to honor the return value of sb_set_blocksize(), continuing a mount when the requested ROMBSIZE (e.g., 4096) was incompatible with the device’s logical_block_size (e.g., 32768). This could occur by using LOOP_SET...

CVE-2026-23246

CVE-2026-23246 affects the Linux kernel wifi mac80211 bounds-check in the ML Reconfiguration path. The issue arises from linking link_id (0-15) to the link_removal_timeout array (size 15), allowing an out-of-bounds write when link_id equals 15. The advisories state to skip subelements with link_i...

CVE-2026-23254

CVE-2026-23254 (Linux kernel): The issue affects UDP GRO in the net/ gro path, where the complete stage incorrectly uses the inner network offset when the encapsulation flag is not reliably zeroed by hardware offloads. The root cause is an assumption that all RX-inserted packets have encapsulatio...

CVE-2026-23271

CVE-2026-23271 affects the Linux kernel perf subsystem. The vulnerability arises from a race between __perf_event_overflow() and perf_remove_from_context() where __perf_event_overflow() may run with only preemption disabled for some callchains, allowing a race against perf_event_exit_event() and ...

CVE-2026-23296

CVE-2026-23296 affects the Linux kernel SCSI core, specifically a refcount leak in tagset_refcnt that can cause a hang when tearing down a SCSI host (e.g., iscsid hang during SCSI scanning). The vulnerability is local in nature with a base score of 5.5 (MEDIUM); exploitation details are not provi...

CVE-2026-23310

Summary: CVE-2026-23310 affects the Linux kernel bonding/kern XDP path. If a bond is in 802.3ad or balance-xor mode and an XDP program is loaded, changing xmit_hash_policy to vlan+srcmac can escape the existing guard, leaving bond->xdp_prog set and causing an incompatible state during tear-dow...

CVE-2026-23321

CVE-2026-23321 relates to the Linux kernel MPTCP subsystem (mptcp: pm: in-kernel: always mark signal+subflow endp as used). The vulnerability was addressed in the upstream kernel by patching endp handling in the PM code, reducing warning/usage inconsistencies when signaling ADD_ADDRs and subflows...

CVE-2026-23347

CVE-2026-23347 : Linux kernel vulnerability where the read bulk callback in the USB can driver (f81604) failed to anchor the urb before submitting in the anchor pattern. This could lead to urb leakage if usb_kill_anchored_urbs() is invoked. The issue is addressed by anchoring the urb in the read ...

CVE-2026-23376

CVE-2026-23376 affects the Linux kernel nvmet-fcloop component. The vulnerability arises from not checking remoteport port_state before freeing resources in the fcloop_t2h_xmt_ls_rsp path, where lsrsp resources may be freed incorrectly if the remote port is not online. The fix updates fcloop_t2h_...

CVE-2026-23388

CVE-2026-23388 concerns the Linux kernel Squashfs subsystem. A corrupted index lookup can yield a negative metadata block offset, leading to an out-of-bounds access in squashfs_copy_data via squashfs_read_metadata. The issue is resolved by adding a metadata offset range check in squashfs_read_met...

CVE-2026-23393

CVE-2026-23393 – Linux kernel (bridge/cfm) race fix : A race during peer MEP deletion could occur because br_cfm_frame_rx() could re-schedule ccm_rx_dwork while peer_mep is freed under RCU, risking use-after-free. The fix replaces cancel_delayed_work_sync() with disable_delayed_work_sync() in bot...

CVE-2026-23395

CVE-2026-23395 affects the Linux kernel Bluetooth L2CAP handling of ECRED connection requests. The issue stems from accepting multiple L2CAP_ECRED_CONN_REQs regardless of the command identifier, which can cause multiple requests to be marked pending (FLAG_DEFER_SETUP) and may lead to allocating m...

CVE-2026-23411

CVE-2026-23411 corresponds to a Linux kernel AppArmor race condition: freeing i_private data can race with filesystem access because the inode may outlive references. The issue is resolved by moving the put of i_private referenced data to the correct place during inode eviction. Affects AppArmor ...

CVE-2026-23419

CVE-2026-23419 affects the Linux kernel’ s RDS implementation. The issue is a circular locking dependency in net/rds: a memory allocation performed inside the socket lock during the call to sk_net_refcnt_upgrade() creates a deadlock with fs_reclaim. The root cause is that sk_net_refcnt_upgrade() ...

CVE-2026-23420

CVE-2026-23420 affects the Linux kernel wlcore Wi‑Fi driver. The issue is a locking-order bug where wl->mutex could be unlocked without being held, as identified by a Clang thread-safety analyzer. This is associated with potential synchronization instability; patches exist in Rootio‑Linux pack...

CVE-2026-23427

Summary: CVE-2026-23427 affects ksmbd in the Linux kernel and has been fixed to address a use-after-free in durable v2 replay of active SMB file handles. The root cause is that parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling D...

CVE-2026-23464

CVE-2026-23464 concerns the Linux kernel vulnerability in the Microchip PolarFire SoC mpfs driver. The issue is a memory leak in mpfs_sys_controller_probe(): if of_get_mtd_device_by_node() fails, the function returns early without freeing allocated memory for sys_controller. The fix routes error ...

CVE-2026-23472

Summary: A Linux kernel vulnerability in the serial core (CVE-2026-23472) arises when handling PORT_UNKNOWN with a NULL transmit buffer, where uart_write_room() can report available space inconsistently with uart_write() , causing an infinite loop in drivers that rely on tty_write_room() to decid...

CVE-2026-31394

CVE-2026-31394 concerns the Linux kernel mac80211 path where AP_VLAN (4addr) stations can trigger a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() due to sta->sdata pointing to VLAN sdata, which may not participate in chanctx reservations. The root cause is that link->reserved.oper...

CVE-2026-31409

CVE-2026-31409 affects the Linux kernel ksmbd component. A multichannel SMB2_SESSION_SETUP with SMB2_SESSION_REQ_FLAG_BINDING could fail, but ksmbd did not clear conn->binding on the error path, leaving the connection in a binding state. This caused ksmbd_session_lookup_all() to fall back to t...

CVE-2026-31420

CVE-2026-31420 affects Linux kernel bridge MRP interval handling. Vulerability arises when br_mrp_start_test/br_mrp_start_in_test accept a user-supplied interval from netlink with no validation; if interval is 0, the delay becomes zero and a tight loop can exhaust memory, causing an OOM kernel pa...

CVE-2026-31426

Summary: CVE-2026-31426 concerns the Linux kernel ACPI EC handling. When ec_install_handlers() defers probing on reduced‑hardware platforms, the error path could leave a dangling EC space handler context if acpi_ec_setup() propagates the error, leading to use‑after‑free when AML accesses an OpReg...

CVE-2026-31450

CVE-2026-31450 describes a race in ext4 where ei->jinode was published to concurrent readers before jbd2_journal_init_jbd_inode() completed, allowing a non-NULL jinode to be observed with i_vfs_inode still NULL. The mitigated issue could lead to a crash when a reader passes jinode to jbd2_wait...

CVE-2026-31473

The CVE-2026-31473 affects the Linux kernel media subsystems (mc, v4l2). A race can occur when MEDIA_REQUEST_IOC_REINIT runs concurrently with VIDIOC_REQBUFS queue teardown, risking use-after-free of request objects. The root cause is lack of serialization across these paths; it is addressed by e...

CVE-2026-31480

CVE-2026-31480 concerns a Linux kernel deadlock in CPU hotplug when tracing with osnoise. The vulnerability arises from a lock-ordering issue: a mutex_lock on interface_lock is taken while osnoise_sleep() and subsequent actions hold cpu hotplug state, followed by cpus_read_lock(), which can cause...