CVE-2026-31446
CVE-2026-31446 is a Linux kernel/ext4 vulnerability describing a use-after-free in update_super_work during unmount races. The root cause: update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() after ext4_unregister_sysfs() frees the kobject, leading to a stale kernfs_node access....
CVE-2026-31456
CVE-2026-31456 affects the Linux kernel mm/pagewalk: a race between concurrent splitting of a PUD entry in walk_pud_range() and a refault can cause a PMD range to disappear, triggering a kernel BUG during certain NUMA reads with VFIO-PCI DMA setup. The fix validates the PUD entry with a stable sn...
CVE-2026-31466
CVE-2026-31466 affects the Linux kernel; root cause is a race in softleaf_to_folio() related to missing memory barrier (smp_rmb) when handling migration/compound pages, leading to potential incorrect folio modification. The issue was addressed by adding the missing memory barrier in softleaf_to_f...
CVE-2026-31468
CVE-2026-31468 affects the Linux kernel vfio/pci dma-buf feature. The issue is an error-path handling bug in vfio_pci_core_feature_dma_buf() that can cause an unbalanced refcount and a double free under certain conditions (e.g., file descriptor exhaustion). The documented fix moves the dma_buf_pu...
CVE-2026-31474
The CVE-2026-31474 issue affects the Linux kernel’s CAN ISO-TP (isotp) path. The bug is a use-after-free involving isotp_sendmsg() and the so->tx.buf buffer: if a signal interrupts wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the release path may free so->tx.bu...
CVE-2026-31475
In CVE-2026-31475, the Linux kernel ASoC sma1307 component had a double-free issue: mode_set entries allocated with devm_kzalloc() were (incorrectly) freed with kfree() in an error path. The remedy documented across multiple sources is to drop the manual kfree() loop and rely on device resource m...
CVE-2026-31480
CVE-2026-31480 concerns a Linux kernel deadlock in CPU hotplug when tracing with osnoise. The vulnerability arises from a lock-ordering issue: a mutex_lock on interface_lock is taken while osnoise_sleep() and subsequent actions hold cpu hotplug state, followed by cpus_read_lock(), which can cause...
CVE-2026-31482
The CVE-2026-31482 issue affects the Linux kernel on s390, where r12 was not scrubbed on kernel entry due to an incomplete update in the s390 entry path. The root cause is that, after removing TIF_ISOLATE_BP, the register-clearing sequence failed to include the xgr %r12,%r12 scrub, leaving the cu...
CVE-2026-31485
The CVE-2026-31485 issue affects the Linux kernel SPI driver for the FSL LPSPI controller. Root cause: teardown order when unregistering the SPI controller can race with in-flight DMA transfers, causing a NULL pointer dereference (UAF) and an I/O error in DMA RX during a transfer. The documented ...
CVE-2026-31503
CVE-2026-31503 concerns a Linux kernel UDP hash2-based wildcard-bind conflict check that can miss an in-use port when many sockets bind to the same port. The issue arises because UDP uses two hashes (hash and hash2) for collision detection and switches to hash2 only when hslot->count > 10, ...
CVE-2026-31504
The CVE-2026-31504 entry describes a race in the Linux kernel’s networking stack: during a NETDEV_UP event, a socket re-registration into a fanout group’s arr[] can leave a dangling pointer if packet_release() doesn’t clear po->num while bind_lock is held. This Use-After-Free risk stems from a...
CVE-2026-31509
CVE-2026-31509 affects the Linux kernel NFC NCI subsystem. The vulnerability stems from nci_close_device() flushing rx_wq and tx_wq while holding req_lock, creating a circular locking dependency with nci_rx_work() and related paths. The fix moves the rx_wq flush to after req_lock is released, rel...
CVE-2026-31521
The CVE-2026-31521 issue is in the Linux kernel module loader’s simplify_symbols(), where an out-of-bounds st_shndx (e.g., SHN_XINDEX) could cause a kernel panic. The patch adds validation of st_shndx against the valid range before using it, preventing the potential crash. Several OSV entries (Debian...
CVE-2026-31528
The CVE-2026-31528 issue affects the Linux kernel PMU subsystem in perf, specifically during handling of performance event groups. The root cause is an incorrect use of event pointers across group operations: when group_sched_in() fails, the code may rollback using the wrong PMU, risking an out-o...
CVE-2026-31559
This CVE (CVE-2026-31559) affects the LoongArch implementation in the Linux kernel. The issue is a missing NULL check in kstrdup() during device-tree processing, fixed by replacing of_find_node_by_path("/") with of_root to avoid multiple of_node_put() calls, and by preventing a kernel oops during...
CVE-2026-31566
CVE-2026-31566 concerns the Linux kernel amdgpu driver (amdgpu_amdkfd_submit_ib). The issue arises when a fence reference is dma_fence_put()’ed before dma_fence_wait() completes, which can free the fence prematurely and trigger a use-after-free during job completion. Publicly documented fixes sho...
CVE-2026-31577
CVE-2026-31577 affects the Linux kernel nilfs2 filesystem. The vulnerability is a NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map during GC if NILFS_IOCTL_CLEAN_SEGMENTS is invoked immediately after mount, before any btree operation on the DAT inode. The root cause is i_assoc_inode...
CVE-2026-31610
CVE-2026-31610 affects ksmbd in the Linux kernel. The issue is a memory leak in the SPNEGO decode path: during ksmbd_decode_negTokenInit, the code allocates conn->mechToken and may fail parsing later elements, leaving the previously allocated token. If the continuation path marks use_spnego fa...
CVE-2026-31633
In the Linux kernel rxrpc subsystem, CVE-2026-31633 is addressed by fixing an integer overflow in rxgk_verify_response(). The bug arises when token_len is rounded up before the length check, allowing the check to be bypassed. The patch ensures the unrounded token_len is also compared against len,...
CVE-2026-31646
CVE-2026-31646 affects the Linux kernel LAN966X driver. The root cause is improper handling of the return value from page_pool_create(): on failure it can yield an ERR_PTR that is unconditionally passed through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), where it is dereferenced, c...
CVE-2026-31650
The CVE concerns the Linux kernel mmc vub300 driver. The root cause is a use-after-free risk from device-managed controller allocation and a lifetime tie to the parent USB device rather than the interface, which can cause memory leaks if the driver is unbound without a disconnect. A last referenc...
CVE-2026-31683
The CVE-2026-31683 issue affects the Linux kernel’s batman-adv module. When the Optimized Global Messaging (OGM) aggregation state is toggled at runtime, a forwarded packet that was allocated with insufficient tailroom may be appended to by a later packet, leading to skb_put overflow conditions. ...
CVE-2026-31686
CVE-2026-31686 concerns the Linux kernel kasan double-free in kasan_remove_zero_shadow related to kasan_free_pxd() handling of pxd_page() vs start of the pxd table on architectures like PowerPC with 64K pages. The issue arises when the PUD table is not page-aligned, risking double-free during mem...
CVE-2026-31689
The CVE-2026-31689 issue affects the Linux kernel EDAC/mc path: edac_mc_alloc() may call put_device() during an error path before device_init completes, causing a kobject initialization/cleanup hazard and in-kernel MCE decoding symptoms. The fix reorders the initialization so the device (and its ...
CVE-2026-31704
CVE-2026-31704 affects the Linux kernel’s ksmbd ACL handling. The vulnerability arises when accumulating ACL entry sizes uses 16-bit counters (u16) in set_posix_acl_entries_dacl() and set_ntacl_dacl(), allowing wraparound past 65535 and causing pointer arithmetic on pndace to land within already-...
CVE-2026-31714
The CVE-2026-31714 issue affects the Linux kernel F2FS component, where a memory leak occurs in f2fs_rename() due to an unpaired call to f2fs_free_filename() after f2fs_setup_filename() was added in commit 40b2d55e0452. Exploitation details are local (AV:L/AC:L) with a high availability impact (A...
CVE-2026-31721
CVE-2026-31721 affects the Linux kernel USB gadget subsystem, specifically the f_hid driver. The issue arises from initializing wait queues (poll_wait) with init_waitqueue_head inside hidg_bind, which re-initializes queues that may still contain items when the HID gadget is bound/unbound and epol...
CVE-2026-31724
In CVE-2026-31724, the Linux kernel USB gadget EEM function had a lifecycle issue: a net_device was created and registered under the gadget’s sysfs parent, but on unbind the parent could be destroyed, leaving dangling symlinks (for example, /sys/class/net/usb0). The remediation described in conne...
CVE-2026-31728
The CVE-2026-31728 issue in the Linux kernel affects usb: gadget: u_ether, where a race between gether_disconnect() and eth_stop() could dereference a cleared endpoint descriptor, causing a NULL pointer dereference and a potential hardlockup. The root cause is the delayed clearing of dev->port...
CVE-2026-31782
The CVE-2026-31782 entry describes a Linux kernel perf/x86 issue where an auto counter reload could group software events with the x86_hybrid_pmu inside intel_pmu_hw_config. A container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could read memory out of bounds. The fi...
CVE-2026-31788
The CVE-2026-31788 entry describes a vulnerability in the Linux kernel related to the Xen privcmd driver. The privcmd interface could allow a user-space process to issue hypercalls that affect other domains, which is normally restricted to root. In secure-boot scenarios, an unprivileged domU coul...
CVE-2026-43012
CVE-2026-43012 refers to a Linux kernel issue in the net/mlx5 driver where a failed switchdev mode rollback could cause a kernel panic during an attempted rollback to legacy mode. The public descriptions from NVD/SUSE/Red Hat detail that if switchdev mode initialization/transition fails, the code...
CVE-2026-43026
CVE-2026-43026 concerns the Linux kernel netfilter ctnetlink path: when CTA_EXPECT_NAT is absent, ctnetlink_alloc_expect() can leave saved_addr and saved_proto uninitialized, risking leakage of stale data. The safe nf_ct_expect_init() in the packet path zeros these fields, and the patch adds expl...
CVE-2026-43035
The CVE affects the Linux kernel net: sched: cls_api code path tc_chain_fill_node, where tcm_info in struct tcmsg was not initialized, leaking heap memory to userspace via a 4-byte field. The fix zeros tcm_info alongside other initialized fields. Affected/patched details from connected docs: upst...
CVE-2026-43040
CVE-2026-43040 corresponds to a Linux kernel issue in IPv6 Router Advertisements handling via nduseropt, where three padding fields in nduseroptmsg were not initialized to zero, leaking kernel data. Affected component: net/ipv6/ndisc (ndc ra user options). Root cause: padding fields were not zero...
CVE-2026-43043
The CVE describes a Linux kernel vulnerability in the AF_ALG crypto interface where chaining a new af_alg_tsgl structure can leave the end marker of the previous Scatter/Gather List uncleared when a sendmsg exactly fills MAX_SGL_ENTS. This causes sg_next() to return NULL, potentially leading to a...
CVE-2026-43049
CVE-2026-43049 affects the Linux kernel HID logitech-hidpp driver (Logitech G920 force feedback). If force feedback init fails, resources may be torn down inconsistently, enabling a use-after-free (UAF) if userspace still references dangling objects. The fixed approach chose to warn but return su...
CVE-2026-43052
CVE-2026-43052 fixes a Linux kernel mac80211 TDLS handling flaw: NL80211_TDLS_ENABLE_LINK could run TDLS side effects on non-TDLS peers. A kernel patch adds an early sta->sta.tdls check to ensure only true TDLS peers proceed, preventing unintended channel HT-protection changes. Remediation is ...
CVE-2026-43057
CVE-2026-43057 concerns the Linux kernel networking stack. The issue arises in how IPv6 traffic with extension headers or with no inner IP protocol is processed when using IPV6_CSUM GSO fallback. The fix, described in the CVE entry and corroborated by Debian/Red Hat advisories, changes the fallba...
CVE-2026-43058
The CVE covers a Linux kernel issue in media: vidtv where vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their argument structs by value, triggering MSAN warnings for uninitialized data. The root cause is stack-copy of the structs; the patch changes the functions to accept them by ...
CVE-2026-43063
CVE-2026-43063 pertains to the Linux kernel XFS attribute recovery path. The vulnerability arises when xlog_recovery_iget* fails to yield a valid pointer and an ensuing irele operates on a dangling pointer, potentially enabling a local attacker to crash the system and cause a DoS. The Red Hat adv...
CVE-2026-43065
CVE-2026-43065 concerns the Linux kernel ext4 subsystem. The issue arises in ext4_mb_release() where, if a filesystem is mounted with -o discard and files are deleted, sbi->s_discard_list accumulates and s_discard_work is queued; if the filesystem is later remounted with nodiscard and the EXT4...
CVE-2026-43068
Linux kernel ext4: CVE-2026-43068 stems from a bug that could cause allocation of blocks from a corrupted block group, leading to repeated delayed block allocation failures and potential data loss. The issue arises in ext4_mb_find_by_goal() through ext4_mb_load_buddy and related bitmap checks, wh...
CVE-2026-43082
CVE-2026-43082 affects the Linux kernel net: txgbe component. The issue arises from how property_entry lists are terminated: the driver allocated exactly the number of entries used and did not reserve space for the terminating empty entry. The fix updates the struct definition of property_entry t...
CVE-2026-43086
CVE-2026-43086 concerns the Linux kernel IPVS component. The vulnerability occurs in the error path of ip_vs_add_service when ip_vs_bind_scheduler() has succeeded and the local variable sched is set to NULL; if ip_vs_start_estimator() then fails, ip_vs_unbind_scheduler(svc, sched) is invoked with...
CVE-2026-43087
The CVE-2026-43087 issue affects the Linux kernel’s pinctrl/mcp23s08 driver. Root cause: during probe, reg_defaults were removed from the regmap, causing the MCP_GPINTEN value to be read from the chip (possibly non-zero) and trigger a nested IRQ handler that may not exist, leading to a kernel cra...
CVE-2026-43092
The CVE-2026-43092 issue affects the Linux kernel AF_XDP subsystem: bind now validates MTU against the usable frame space provided by UMEM chunks. Previously, zero-copy pool configurations could be accepted without confirming that the device MTU fits into the usable frame space, considering tailr...
CVE-2026-43104
The CVE-2026-43104 entry concerns the Linux kernel DRM vc4 driver. Root cause: a memory leak in the hang state path where vc4_save_hang_state() could return early without freeing previously allocated kernel_state. Remediation: consolidated early return paths and added missing kfree() calls. Impac...
CVE-2026-43111
CVE-2026-43111 describes a use-after-free in the Linux kernel HID roccat driver. The function roccat_report_event() traverses the device->readers list without holding the readers_lock mutex, allowing a concurrent roccat_release() to remove and free a reader still in use. The consequence is a u...
CVE-2026-43119
In CVE-2026-43119, the Linux kernel Bluetooth HCI synchronous command infrastructure has a data race on hdev->req_status: __hci_cmd_sync_sk() updates it under req_lock on one workqueue, while other paths (e.g., hci_send_cmd_sync on a different workqueue, plus hci_cmd_sync_complete/cancel) read...