13692 matches found
CVE-2026-23438
In the Linux kernel mvpp2 driver, CVE-2026-23438 arises from an unconditional access to CM3 flow control via mvpp2_cm3_read()/mvpp2_cm3_write() in mvpp2_bm_switch_buffers(), when priv->cm3_base is NULL (e.g., CM3 SRAM not present in device tree). This can crash the kernel on MTU changes that c...
CVE-2026-23446
CVE-2026-23446 affects the Linux kernel aqc111 USB driver. The vulnerability arises when aqc111_suspend uses the PM variant of write_cmd during suspend, causing pm_runtime_resume_and_get to propagate a suspend wait into rpm_resume on the parent, which can block and hang the network stack. The doc...
CVE-2026-23454
CVE-2026-23454 (Linux kernel, mana subsystem) : A race in mana_hwc_destroy_channel() can free hwc->caller_ctx before CQ/EQ are destroyed, enabling a use-after-free/NULL dereference in mana_hwc_handle_resp(). The root cause is lack of IRQ synchronization and a teardown order that frees resource...
CVE-2026-23462
CVE-2026-23462 affects the Linux kernel Bluetooth stack (HIDP/L2CAP). The issue is a use-after-free related to not dropping the l2cap_conn reference during user remove callbacks, leading to a trace like l2cap_conn_free and cascading calls in the Bluetooth/hci_core paths. Connected sources confirm...
CVE-2026-23467
CVE-2026-23467 affects the Linux kernel drm/i915/dmc driver. The vulnerability is a NULL pointer dereference that can occur during probe when DC6 is unexpectedly enabled, due to intel_power_domains_init_hw() calling intel_dmc_update_dc6_allowed_count() before intel_dmc_init(). The root cause is u...
CVE-2026-31401
The CVE-2026-31401 issue affects the Linux kernel HID BPF path, specifically hid_hw_request. The vulnerability arises from an uncontrolled/arbitrary return value from dispatch_hid_bpf_raw_requests() (via struct_ops), which can cause a buffer overflow and memory corruption. Exploitation is describ...
CVE-2026-31403
CVE-2026-31403 is a Linux kernel vulnerability affecting NFSD where a proc entry (/proc/fs/nfs/exports) captured the caller’s network namespace without holding a reference. If the namespace is torn down after opening the exports fd (e.g., container destruction with setns), nfsd_net_exit() may fre...
CVE-2026-31406
The CVE-2026-31406 issue is a race in the Linux kernel xfrm path during network cleanup. After cancel_delayed_work_sync() is invoked from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes states and __xfrm_state_delete() calls xfrm_nat_keepalive_state_updated(), which can re-schedule nat_k...
CVE-2026-31409
CVE-2026-31409 affects the Linux kernel ksmbd component. A multichannel SMB2_SESSION_SETUP with SMB2_SESSION_REQ_FLAG_BINDING could fail, but ksmbd did not clear conn->binding on the error path, leaving the connection in a binding state. This caused ksmbd_session_lookup_all() to fall back to t...
CVE-2026-31417
The CVE-2026-31417 issue affects the Linux kernel’s net/x25 implementation. Affected component: x25_sock.fraglen can overflow during packet accumulation, with the root cause involving missing overflow checks and an incorrect fraglen reset when fragment_queue is purged in x25_clear_queues(). The p...
CVE-2026-31421
CVE-2026-31421 – Linux kernel net/sched cls_fw NULL pointer dereference . Root cause: in fw_classify(), the old-method path uses tcf_block_q() and dereferences q->handle; for shared blocks, block->q is NULL, causing a NULL pointer dereference when a nonzero skb is classified. The fix preven...
CVE-2026-31424
CVE-2026-31424 concerns a Linux kernel netfilter xtables extension handling bug for NFPROTO_ARP. The issue arises because xt_match/xt_target structs registered with NFPROTO_UNSPEC could be loaded by any protocol family via nft_compat, and ARP’s hook layout differs from IPv4/IPv6. When a match/tar...
CVE-2026-31434
CVE-2026-31434 affects the Linux kernel's btrfs subsystem. The root cause is a leak of kobject names for sub-group space_info entries: during removal, kobject_init_and_add is paired with allocations, but the corresponding btrfs_sysfs_remove_space_info() is not called on freed elements, causing le...
CVE-2026-31438
CVE-2026-31438 affects the Linux kernel netfs code. A BUG occurs in netfs_limit_iter() when processing ITER_KVEC iterators (e.g., during core-dump to 9P), because ITER_KVEC is not dispatched like other supported types. The fix adds netfs_limit_kvec() (paralleling netfs_limit_bvec()) and dispatche...
CVE-2026-31445
In CVE-2026-31445, the Linux kernel vulnerability stems from damon_commit_ctx() potentially failing during online DAMON parameter updates, leaving the damon_ctx partially updated or corrupted. The fix adds damon_ctx->maybe_corrupted and makes kdamond_call() and related code check this flag aft...
CVE-2026-31458
Technical details (affected product, vulnerable component, and remediation) are not provided in the connected documents. Monitor for updates.
CVE-2026-31461
CVE-2026-31461 affects the Linux kernel’s drm/amd/display component (amdgpu_dm). When a sink is connected, the driver overwrote connector->drm_edid without freeing the previously allocated memory, causing a memory leak on resume. Root cause: failure to free the prior drm_edid before updating. ...
CVE-2026-31469
The CVE-2026-31469 issue affects the Linux kernel virtio_net driver, where a Use-After-Free can occur when IFF_XMIT_DST_RELEASE is cleared and napi_tx is disabled, if the network namespace is destroyed while pending skbs remain in the transmit path. The root cause is the dst_ops reference being f...
CVE-2026-31471
In CVE-2026-31471, the Linux kernel’s xfrm: iptfs path had a use-after-free-like issue during IPTFS clone state setup. iptfs_clone_state() stored x->mode_data before allocating the reorder window; if allocation failed, the code freed the cloned state but left x->mode_data pointing at freed ...
CVE-2026-31472
CVE-2026-31472 concerns the Linux kernel, specifically the xfrm/ IPTFS path. A crafted ESP packet with an inner IPv4 header can cause an infinite loop in __input_process_payload() if the inner header has tot_len=0 or malformed ihl. The fix adds validation to reject inner packets where tot_len <...
CVE-2026-31476
In the Linux kernel component ksmbd, CVE-2026-31476 describes a logic flaw where a multichannel session binding request that fails (for example, due to a wrong password) could cause the targeted session to be marked SMB2_SESSION_EXPIRED. Because the failed binding may reference a session from ano...
CVE-2026-31483
CVE-2026-31483 affects the s390 architecture in the Linux kernel. The root cause is a missing array_index_nospec() boundary in the syscall dispatch table, allowing a user-controlled syscall number to exceed the function pointer table and potentially read kernel memory via speculative execution (S...
CVE-2026-31486
The CVE-2026-31486 entry concerns the Linux kernel hwmon/pmbus/core regulator operations (get_voltage, set_voltage, list_voltage) not being mutex-protected, risking race conditions when accessing PMBus registers and shared data. The fix reworks pmbus_regulator_notify() to perform notifications vi...
CVE-2026-31488
The CVE-2026-31488 entry concerns a Linux kernel issue in the DRM/AMD display path where DSC (display stream compression) validation could drop the mode_changed flag for an unrelated mode change within the same KMS commit. This could cause new streams to be created for DSC-independent CRTCs, whil...
CVE-2026-31506
The CVE-2026-31506 issue concerns the Linux kernel bcmasp component where the Wake-on-LAN (WoL) IRQ handler could be double-freed. The problem stems from handling of the WoL irq; the patch indicates wol_irq does not need explicit freeing because it is allocated with devm_request_irq, and devres h...
CVE-2026-31511
CVE-2026-31511 affects the Linux kernel Bluetooth MGMT subsystem, specifically a dangling pointer in mgmt_add_adv_patterns_monitor_complete where mgmt_pending_free(cmd) could kfree cmd before unlinking from the list. Connected advisories indicate Debian/Root and other OSV entries report a patch w...
CVE-2026-31512
Mode C CVE-2026-31512 affects the Linux kernel Bluetooth L2CAP path. The vulnerability arises in l2cap_ecred_data_rcv() where the SDU length is read from skb->data using get_unaligned_le16() without first ensuring skb contains at least 2 bytes (L2CAP_SDULEN_SIZE). If skb->len
CVE-2026-31514
The CVE-2026-31514 issue affects the Linux kernel erofs filesystem: I/O requests for file-backed mounts can be interrupted (SIGKILL) and cause unused folios to be incorrectly marked uptodate, potentially leading to data integrity problems or stale data exposure. Mitigation/patches address this by...
CVE-2026-31518
CVE-2026-31518 affects the Linux kernel espintcp path when using asynchronous crypto. If the TX queue for espintcp is full, esp_output_tail_tcp returns an error and the skb is not freed under earlier synchronous handling; with async crypto (esp_output_done) the skb must be dropped when esp_output...
CVE-2026-31531
The vulnerability CVE-2026-31531 affects the Linux kernel’s nexthop handling in IPv4 when querying large nexthop groups via RTM_GETNEXTHOP. The fixed issue was a fixed-size NLMSG buffer (NLMSG_GOODSIZE) that could overflow for large groups (e.g., 512 nexthops), causing kernel warnings and potenti...
CVE-2026-31536
The vulnerability CVE-2026-31536 affects the Linux kernel SMB direct server implementation. In smb: server: let send_done handle a completion without IB_SEND_SIGNALED, during smbdirect_send_batch processing requests may be processed without IB_SEND_SIGNALED and could be destroyed in the final req...
CVE-2026-31539
The CVE-2026-31539 entry describes a race condition in the Linux kernel smbdirect module where credits for receive buffers can be granted to a peer that has already consumed them. This could enable resource exhaustion and a DoS condition. The root cause is improper counting of posted recv_io cred...
CVE-2026-31542
CVE-2026-31542 affects the Linux kernel x86/platform/uv component. When a socket is deconfigured, it is mapped to SOCK_EMPTY (0xffff) instead of NUMA_NO_NODE, causing a panic during allocation of UV hub info structures and potentially DoS. The fixes patch the behavior to allocate on valid NUMA no...
CVE-2026-31552
CVE-2026-31552 affects the Linux kernel wlcore wifi path. A memory-allocation failure in wl1271_tx_allocate()/wl1271_prepare_tx_frame() could yield -EAGAIN and be misinterpreted by wlcore_tx_work_locked() as a full aggregation buffer, causing a retry loop under wl->mutex with GFP_ATOMIC. This ...
CVE-2026-31556
CVE-2026-31556 concerns the Linux kernel XFS quota scrub path. Multiple connected sources document the issue: in xfs, during quota scrubbing, xchk_quota_item could return early after xchk_fblock_process_error without dropping the dquot lock dq->q_qlock, risking lock leaks or deadlocks in later...
CVE-2026-31563
CVE-2026-31563 affects the Linux kernel macb network driver. The issue arises from freeing TX SKBs with napi_consume_skb() in IRQ-disabled context; a patch replaces it with dev_consume_skb_any() to avoid the warning trace and potential instability. All connected sources (NVD, SUSE, Red Hat, Debia...
CVE-2026-31567
CVE-2026-31567 concerns the Linux kernel: a patch removes the WARN_ON() check in pm_restore_gfp_mask() to stop spurious warnings during hibernation paths (e.g., SNAPSHOT_CREATE_IMAGE, SNAPSHOT_UNFREEZE, snapshot_release) while keeping the underlying guard. The change is in the GFP mask management...
CVE-2026-31569
The CVE-2026-31569 issue affects the Linux kernel’s LoongArch KVM path, where EIOINTC's coremap can be empty in eiointc_update_sw_coremap(), causing an out-of-bounds access to kvm_arch::phyid_map::phys_map[]. The described impact is system instability or a crash, with potential information disclo...
CVE-2026-31571
The CVE-2026-31571 entry concerns the Linux kernel DRM/I915: unlink_nv12_plane() could clobber plane state after plane_atomic_check() when a Y-plane is repurposed as a normal plane. The fix is to unlink the NV12 planes before computing the new plane state, preventing the race condition that could...
CVE-2026-31594
The CVE-2026-31594 issue is in the Linux kernel PCI endpoint framework (pci-epf-vntb). The root cause is a duplicate resource teardown in epf_ntb_epc_destroy(), causing an oops/kernel crash when .allow_link fails or .drop_link runs. The documented fix removes the helper and drops pci_epc_put(), t...
CVE-2026-31598
Summary of CVE-2026-31598 (ocfs2 deadlock) : In the Linux kernel OCFS2, a potential deadlock arises from ABBA lock ordering between unlink and dio_end_io_write. The path in unlink acquires inode_lock (orphan_dir_inode) before ip_alloc_sem, while dio_end_io_write acquires ip_alloc_sem first, then ...
CVE-2026-31602
The CVE-2026-31602 issue affects the Linux kernel ALSA ctxfi driver, where ct_vm_map() may access memory beyond allocated space when CT_PTP_NUM exceeds 1 (AMD64), causing a page fault and potential system crash. The root cause is that ct_vm_map() always uses PTEs in vm->ptp[0].area regardless ...
CVE-2026-31603
CVE-2026-31603 affects the Linux kernel staging: sm750fb driver. The issue occurs when a zero pixclock is passed via FBIOPUT_VSCREENINFO, causing ps_to_hz() to divide by zero in hw_sm750_crtc_set_mode(). The vulnerability is resolved by rejecting zero pixclock in lynxfb_ops_check_var(), aligning ...
CVE-2026-31612
The CVE-2026-31612 entry concerns ksmbd in the Linux kernel. The vulnerability arises in smb2_get_ea(): the code reads EaNameLength from the client request and passes it directly to strncmp() as the comparison length without validating that the name length matches the input buffer size. The publi...
CVE-2026-31624
CVE-2026-31624) affects the Linux kernel HID core. The vulnerability arises when a HID device supplies a report descriptor with a large report_size, causing s32ton() to shift by n-1 with n > 32. The issue is resolved by clamping n to the same maximum used by snto32(), per commit ec61b41918587,...
CVE-2026-31634
The CVE-2026-31634 item concerns the Linux kernel rxrpc subsystem. Affected component: rxrpc_server_keyring() within the rxrpc code path. Root cause: a reference count leak that could occur if the code path handles security pointers improperly. The provided patch fixes the leak by adding a check ...
CVE-2026-31638
The CVE-2026-31638 issue affects the Linux kernel rxrpc subsystem. When a client call on a channel has already been torn down, rxrpc_input_packet_on_conn() could still process a to-client packet; rxrpc_try_get_call() could return NULL and there would be no reference to drop. The code path then un...
CVE-2026-31641
The CVE-2026-31641 entry relates to the Linux kernel rxrpc token parsing bug. A heap buffer overflow could occur when rxrpc_preparse_xdr_yfs_rxgk() reads raw key and ticket lengths from an XDR token, applies round_up(x,4), and then uses the rounded values for validation/allocation, while the unro...
CVE-2026-31642
The CVE-2026-31642 entry concerns the Linux kernel rxrpc module, where a flaw in call removal was fixed by using list_del_rcu() instead of list_del_init() to prevent infinite loops when reading /proc/net/rxrpc/calls. The underlying issue is that improperly deleting calls could disrupt list handli...
CVE-2026-31644
CVE-2026-31644 affects the Linux kernel LAN966X network driver. The issue arises in lan966x_fdma_reload() when allocation of new RX buffers fails, causing the restore path to restart DMA with old descriptors whose pages were already freed, and because page_pool_put_full_page() can release pages b...