13692 matches found
CVE-2026-43134
The CVE-2026-43134 entry affects the Linux kernel Bluetooth stack. The root cause is a missing encryption key size check in the L2CAP_LE_CONN_REQ handling, which could permit a malformed L2CAP LE connection request and trigger a protocol violation. A patch was added to perform the key-size valida...
CVE-2026-31674
The CVE-2026-31674 issue affects the Linux kernel netfilter ip6t_rt module, where processing IPv6 routing header (RT) match rules can overflow addrnr if it exceeds IP6T_RT_HOPS. The root cause is rt_mt6() using addrnr outside rtinfo->addrs[] bounds. A patch added validation of addrnr during ru...
CVE-2026-31675
CVE-2026-31675 — Linux kernel netem out-of-bounds in packet corruption. The issue arises in net/sched: sch_netem, where the packet corruption logic selects an index into skb->data using get_random_u32_below(skb_headlen(skb)). For AF_PACKET TX_RING sending fully non-linear packets over an IPIP tu...
CVE-2026-31690
CVE-2026-31690 affects the Linux kernel TH1520 AON firmware protocol driver. The issue combined a potential buffer overflow from unsafe pointer arithmetic when accessing the 'mode' field via a resource offset, and the use of custom RPC_SET_BE*/RPC_GET_BE* macros replaced with standard endianness ...
CVE-2026-31730
CVE-2026-31730 affects the Linux kernel fastrpc component, where a double-free of cctx->remote_heap could occur if INIT_CREATE_STATIC ioctl hits an error path and the rpmsg device is removed. The root cause is that fastrpc_init_create_static_process() frees cctx->remote_heap on the err_map ...
CVE-2026-31734
CVE-2026-31734 (Linux kernel sched_ext) has been fixed. The issue was a false negative where is_bpf_migration_disabled() could be incorrect on systems without CONFIG_PREEMPT_RCU, causing migration_disabled == 1 to be treated as truly migration-disabled even for the current task. The BPF prolog no...
CVE-2026-31735
The CVE-2026-31735 issue affects the Linux kernel IOMMU page table handling. Specifically, when an unmap operation partially overlaps a large or contiguous IOPTE, the invalidation/gather logic could flush only the requested range, causing a short invalidation where part of the unmapped area remai...
CVE-2026-31775
The CVE-2026-31775 issue affects the Linux kernel ALSA ctxfi driver. A refactor caused atc_get_resources() to loop over all DAIOTYP entries, causing SPDIF1 (a special type used only on hw20k1 CTSB073X) to be considered for hw20k2 where it has no definition. This could crash the kernel during DAIO...
CVE-2026-31779
The CVE-2026-31779 issue is in the Linux kernel’s wifi iwlwifi mvm path, specifically iwl_mvm_nd_match_info_handler(). A memcpy may copy more bytes than the dynamic notif->matches array can safely hold, enabling an out-of-bounds read and potential information disclosure. Debian and Red Hat ad...
CVE-2026-43007
The CVE-2026-43007 entry relates to the Linux kernel accel/qaic component. Root cause: when a DBC is released, QAIC sends QAIC_TRANS_DEACTIVATE_FROM_DEV and resources are freed via decode_deactivate() in qaic_manage_ioctl() context. If the initiating user process terminates before the deactivatio...
CVE-2026-43015
The CVE-2026-43015 issue is in the Linux kernel macb PCI glue driver where clk handling during platform_device_unregister() can be used after the device is unregistered. The root cause is that platform_device_unregister may still use registered clks during a runtime resume callback, leading to a ...
CVE-2026-43018
The CVE-2026-43018 entry is confirmed: a Use-After-Free in Linux kernel Bluetooth HCI event handling (hci_le_remote_conn_param_req_evt) due to insufficient locking during hci_conn lookup/access. The vulnerability arises from hci_conn lookup and field access not always being protected by the hdev ...
CVE-2026-43021
CVE-2026-43021 affects the Linux kernel Bluetooth hci_sync path. A failure in hci_cmd_sync_queue_once() can skip calling the destroy callback, causing leaks of references/memory. The issue manifests during error paths, potentially leaving resources allocated for the hci_sync queue. Public discuss...
CVE-2026-43022
The CVE-2026-43022 issue affects the Linux kernel Bluetooth HCI synchronization path: hci_cmd_sync_queue_once() did not indicate when a queue item already existed, risking resource leaks. The fix changes hci_cmd_sync_queue_once() to return -EEXIST when a queue item already exists and requires upd...
CVE-2026-43031
The CVE concerns the Linux kernel xilinx axienet driver. When a TX packet spans multiple buffer descriptors, the current accounting in axienet_free_tx_chain summing per-BD lengths into an accumulator can lose earlier bytes if the packet completes across different polls, causing BQL to overestimat...
CVE-2026-43041
CVE-2026-43041 concerns the Linux kernel: the irq/qrtr path (qrtr_tx_flow) used a radix_tree that could leak memory when intermediate nodes were linked but a subsequent allocation failed. The root cause was orphaned internal radix_tree nodes left behind because radix_tree_for_each_slot() only vis...
CVE-2026-43054
CVE-2026-43054 concerns the Linux kernel SCSI target core (tcm_loop). The vulnerability stems from tcm_loop_target_reset() not draining in-flight commands, which can cause SCSI EH to reuse in-flight scsi_cmnd structures and leak LUN references, potentially hanging configfs LUN unlink. The fix dra...
CVE-2026-43059
CVE-2026-43059 affects the Linux kernel Bluetooth MGMT path. A change introducing mgmt_pending_valid() caused completion handlers to unlink commands from the pending list, which could lead to list corruption and potential memory safety issues. The patch fixes two issues: (1) in mgmt_add_adv_patte...
CVE-2026-43070
The CVE describes a Linux kernel BPF verifier flaw: after a BPF_END (byte swap), dst_reg->id is not reset to 0, which can cause the verifier to propagate learned bounds to a linked register, creating a risk of out-of-bounds memory accesses. The concrete impact is potential privilege/escalation...
CVE-2026-43074
CVE-2026-43074 affects the Linux kernel eventpoll code. The vulnerability arises from ep_free() freeing the eventpoll structure while still in use by another thread, creating a use-after-free (UAF). The fix defers kfree() of the epi->ep struct to an RCU grace period to prevent UAF; multiple so...
CVE-2026-43078
The CVE-2026-43078 entry affects the Linux kernel crypto/af_alg component. The root cause was an overflow in page reassignment within af_alg_pull_tsgl, where the update to support page reallocation wasn’t fully reflected in the loop, allowing one extra page to be reassigned. The vulnerability is des...
CVE-2026-43097
CVE-2026-43097 affects the Linux kernel PCI Hyper-V driver. During error handling in hv_pci_probe, the domain_nr is freed twice: first via pci_bus_release_emul_domain_nr(), and again when the bridge release callback pci_release_host_bridge_dev() runs during cleanup, leading to ida_free on an unal...
CVE-2026-43107
CVE-2026-43107 concerns the Linux kernel xfrm subsystem. The root cause is that xfrm_aevent_msgsize() did not reserve space for XFRMA_IF_ID, causing build_aevent() to fail with -EMSGSIZE and potentially trigger a kernel panic via a malformed netlink interaction when if_id is set. The fix uncondit...
CVE-2026-43115
The CVE-2026-43115 entry documents a Linux kernel fix for Tiny SRCU: srcu_gp_start_if_needed() previously called schedule_work(), acquiring pool->lock and triggering a lockdep splat when call_srcu() runs with a scheduler lock held. The remediation adds irq_work_sync() to cleanup_srcu_struct() ...
CVE-2026-43123
Summary: CVE-2026-43123 affects the Linux kernel’s fbcon component. The root cause is a missing return-value check in con2fb_acquire_newinfo(); if fbcon_open() fails during this call, info->fbcon_par may be NULL and dereferenced, potentially crashing the system. The provided documents indicate...
CVE-2026-43124
The CVE-2026-43124 issue affects Linux kernel pstore ram_core, where persistent_ram_vmap() could return a non-NULL pointer after vmap() failed, causing persistent_ram_buffer_map() to incorrectly report success and potentially dereference an invalid address on access, leading to a crash (DoS). Roo...
CVE-2026-43135
CVE-2026-43135 affects the Linux kernel media driver cx23885. The issue is a missing unmap in snd_cx23885_hw_params() on error paths, leaving resources unreleased if the error path is triggered, which can lead to resource exhaustion and a potential DoS. The patch adds cx23885_alsa_dma_unmap() in ...
CVE-2026-43137
Summary: CVE-2026-43137 affects the Linux kernel ASoC SOF Intel HDA subsystem. A mismatch between DAI links in the machine driver and the topology can leave the playback/capture widget unset, which may trigger a null pointer dereference. The issue is fixed in the reported OSV entries (Ubuntu root...
CVE-2026-43139
The CVE-2026-43139 entry concerns the Linux kernel xfrm6 subsystem. The issue arises in xfrm6_get_saddr() which does not check the return value of ipv6_dev_get_saddr(); when ipv6_dev_get_saddr() fails with -EADDRNOTAVAIL, saddr->in6 remains uninitialized and xfrm6_get_saddr() incorrectly retur...
CVE-2026-43140
The CVE-2026-43140 vulnerability affects the Linux kernel HID magicmouse driver. Fake USB devices could present their own report descriptors such that input_mapping() is not called, leaving msc->input NULL and causing a crash later. The issue is resolved by detecting this condition in input_co...
CVE-2026-43143
In the Linux kernel, CVE-2026-43143 fixes a concurrency issue in the multi-function device (mfd) core: access/modification of the mfd_of_node_list was not mutex-protected, risking unsafe list manipulation and potential crashes. The fix adds a mutex to guard this list, reducing crash likelihood. P...
CVE-2026-43153
CVE-2026-43153 affects the Linux kernel’s XFS attribute handling: the function xfs_attr_leaf_hasname has a problematic calling convention that can mishandle buffers. The fix is to open-code xfs_attr_leaf_hasname in callers so each caller of xfs_attr3_leaf_read manages buffer release. The issue i...
CVE-2026-43174
The CVE-2026-43174 issue is in the Linux kernel’s io_uring/zcrx subsystem. Descriptions across multiple sources state that post-open error handling was fixed to avoid releasing the zcrx context before all associated page pools are terminated, addressing improper resource cleanup. The practical im...
CVE-2026-43178
In the Linux kernel, the procfs component has a vulnerability in do_procmap_query() that can trigger a double mmput() of an mm_struct when a user passes an incorrectly sized buffer for PROCMAP_QUERY's build ID. The root cause is a change that defers cleanup after unlocking mmap_lock and per-VMA, ...
CVE-2026-43193
The CVE-2026-43193 entry concerns the Linux kernel NFS daemon (nfsd). Affected component: kernel NFS implementation, specifically nfsd_get_dir_deleg(). Root cause: a refcount leak in nfs4_file where the reference to the object fp was not released before returning. Impact stated in sources is a re...
CVE-2026-43208
The CVE-2026-43208 entry describes a Linux kernel networking vulnerability where an incorrect assumption about the Receive Packet Steering (RPS) table size/immutability leads to out-of-bounds access when computing the flow_id in set_rps_cpu(). The fix requires computing flow_id within set_rps_cpu...
CVE-2026-43225
CVE-2026-43225 involves a memory leak in the Linux kernel RTL8723BS staging path. Specifically, cfg80211_inform_bss_frame() may return NULL on a failure path, and the allocated buffer buf was not freed before an early return. This could leak memory. The issue is resolved by ensuring buf is freed ...
CVE-2026-43237
CVE-2026-43237 affects the Linux kernel AMDGPU driver, specifically the amdgpu_gem_va_ioctl handling of fences for VM timeline management. The issue could cause a refcount underflow and use-after-free during fence processing, potentially leading to a kernel panic and denial of service. The descri...
CVE-2026-43243
CVE-2026-43243 affects the Linux kernel drm/amd/display subsystem, specifically the dcn401 get_phyd32clk_src path, where missing signal type checks can cause a crash when accessing a DP link on DPIA. Connected OSV entries show Root and Debian/Ubuntu patches applied to rootio-linux (Ubuntu 22.04/2...
CVE-2026-43246
The CVE-2026-43246 issue affects the Linux kernel driver media: i2c/tw9906 (tw9906_probe). The root cause is a memory leak where memory allocated for the V4L2 control handler (v4l2_ctrl_handler_init and v4l2_ctrl_new_std) is not freed in an error path, potentially causing resource exhaustion or i...
CVE-2026-43260
The CVE concerns the bnxt_en driver in the Linux kernel. The vulnerability stems from RSS context deletion logic that could leak VNICs in firmware when deleting RSS contexts with the interface down, leading to failures when re-opening and restoring RSS contexts. The fix removes the netif_running(...
CVE-2026-43279
The CVE-2026-43279 entry concerns the Linux kernel ALSA USB-audio subsystem. A discrepancy between playback and capture stream setups (e.g., USB core max packet size) can cause out-of-bounds writes to the buffer, potentially crashing the system. A fix was implemented by adding a sanity check of t...
CVE-2026-43286
The CVE-2026-43286 entry is resolved in the Linux kernel’s hugetlb subsystem (mm/hugetlb). A fix for an underflow in hstate->resv_huge_pages was introduced by commit a833a693a490 to correct fallback behavior for subpools, but it created a new issue where the subpool’s used_hpages could remain ...
CVE-2026-43294
The CVE-2026-43294 entry concerns the Linux kernel’s MIPI-DSI driver for Renesas rz-du/rzg2l panels. Root cause: in reboot/unprepare paths, the MIPI-DSI interface could be stopped too late, causing a kernel panic via rzg2l_mipi_dsi_host_transfer(). Fix: move rzg2l_mipi_dsi_stop() to the new callback ...
CVE-2026-43307
The CVE concerns the Linux kernel iio: accel: adxl380 driver. The interrupt handler can miscalculate FIFO entries because the sensor fills FIFO one sample at a time while batches are read, causing the FIFO status to report a non-multiple of N. This can cause the driver to read more entries than p...
CVE-2026-43319
CVE-2026-43319 affects the Linux kernel spidev driver. The vulnerability stemmed from inverted lock ordering between spi_lock and buf_lock across code paths (write/read use buf_lock then spi_lock; ioctl uses spi_lock then buf_lock), enabling potential deadlocks in multi-threaded access. The fix u...
CVE-2026-43369
Summary (CVE-2026-43369): In the Linux kernel’s drm/amd driver, if GPU initialization fails due to an unsupported hardware block, some IP blocks may have a NULL version pointer. During device cleanup, amdgpu_device_set_pg_state and amdgpu_device_set_cg_state access adev->ip_blocks[i].version w...
CVE-2026-43393
CVE-2026-43393 concerns the Linux kernel’s btrfs file system. The vulnerability is a memory/resource leak in btrfs_map_block() where, on an early error return (-EINVAL), the allocated chunk map is not freed, potentially leading to memory exhaustion and instability. Several connected advisories re...
CVE-2026-43394
CVE-2026-43394 (Linux kernel): A local credential reference leak in nfsd_nl_listener_set_doit() occurs because get_current_cred() is used without a corresponding put_cred(). The function runs in process context during sendmsg(), and current->cred remains valid, so the extra refcount is unnece...
CVE-2026-43398
The CVE-2026-43398 entry concerns the Linux kernel amdgpu driver. A vulnerability arises from improper input validation in the userq_wait ioctl (amdgpu_userq_wait_ioctl), where excessively large input values can cause an Out-Of-Memory (OOM) situation, leading to Denial of Service. The root cause ...