CVE-2026-31645
CVE-2026-31645 pertains to the Linux kernel lan966x network driver. The issue is a memory/resource leak: in error paths of lan966x_fdma_rx_alloc() a created page pool is not destroyed if a subsequent fdma_alloc_coherent() fails, and in lan966x_fdma_init() the page pool created by lan966x_fdma_rx_...
CVE-2026-31652
The CVE-2026-31652 issue is in the Linux kernel’s DAMON feature. When damon_stat_start() allocates damon_ctx and damon_call() subsequently fails, the damon_ctx object is not deallocated, causing a memory leak if DAMON is re-enabled. The leak is not resolved by deallocating after damon_call() fail...
CVE-2026-31653
Summary: CVE-2026-31653 impacts the Linux kernel DAMON subsystem (DAMON_SYSFS). When a monitored process terminates before damon_call() runs, a dynamically allocated repeat_call_control is not deallocated, causing a memory leak. The connected sources document the root cause and confirm the fix: ...
CVE-2026-31691
The CVE-2026-31691 vulnerability affects the Linux kernel igb driver. It describes a race where igb_down() calls napi_synchronize() before napi_disable(), causing a hang: napi_synchronize() waits on NAPI_STATE_SCHED that never clears, blocking TX and leaving the TX queue stalled. The fix removes ...
CVE-2026-31693
CVE-2026-31693 affects the Linux kernel CIFS implementation. The issue arises when replaying a request: certain local variables were not reinitialized after a replay label, which can cause unpredictable behavior and potentially denial of service or instability. The vulnerability is limited to the...
CVE-2026-31695
CVE-2026-31695 is a Linux kernel issue affecting the virt_wifi driver. The root cause is a race during unregistration where a device’s parent pointer could reference freed memory, causing a use-after-free during ethtool operations. The vulnerability arises from using SET_NETDEV_DEV(dev, &priv->...
CVE-2026-31696
Summary (CVE-2026-31696): In the Linux kernel’s rxrpc code, the non-XDR key parsing path (rxrpc_preparse()) lacked a validation check for ticket length, unlike the XDR path. This allowed an unprivileged user to supply a very large ticket length, causing the computed total token size (toksize) to...
CVE-2026-31697
The CVE-2026-31697 entry concerns the Linux kernel crypto: ccp driver. The issue arises when retrieving the CPU ID: if the firmware command fails (notably with an invalid length), copying the firmware ID to userspace can overflow a kernel buffer and leak data to userspace. Public reports describe...
CVE-2026-31710
CVE-2026-31710 — Linux kernel CIFS SMB1 UNIX mounts: A fix addresses incorrect directory separators caused by not updating @cifs_sb->mnt_cifs_flags after reset_cifs_unix_caps() when mounting SMB1 UNIX shares. The root cause is that the POSIX ACLs/paths flags (CIFS_MOUNT_POSIXACL, CIFS_MOUNT_POSIX_PA...
CVE-2026-31713
The CVE concerns the Linux kernel FUSE handling during sync init. When a FUSE server exits unexpectedly while processing FUSE_INIT, the mounting thread keeps the device fd open, preventing an abort and causing filesystem creation to hang. This is a regression relative to the async mount path, whe...
CVE-2026-31723
The CVE-2026-31723 issue affects the Linux kernel’s usb: gadget: f_subset component, where net_device resources are allocated during function instance creation and registered under the gadget device. On unbind, the parent device can be destroyed while the net_device remains, creating dangling sys...
CVE-2026-31732
Summary: CVE-2026-31732 affects the Linux kernel GPIO subsystem, where an unset gdev->dev.release led to resource leaks on error paths in gpiochip_add_data_with_key(). The fix drops the reference on errors and reorders error handling to prevent double-free, with the change desc...
CVE-2026-31736
CVE-2026-31736 affects the Linux kernel MTK PPE Ethernet driver. When the gmac0 interface is disabled, a precheck for a valid ingress device can dereference a NULL pointer (eth->netdev[0] is NULL) and crash the system. The underlying issue is that the code was only checking the first net_devic...
CVE-2026-31744
Summary: CVE-2026-31744 concerns the Linux kernel energy model code path that processes perf domain IDs. The function dev_energymodel_nl_get_perf_domains_doit() calls em_perf_domain_get_by_id() and uses its return value without verifying it; if a caller supplies a non-existent perf domain ID, em_...
CVE-2026-31745
CVE-2026-31745 affects the Linux kernel GPIO reset path. The double-free occurs in reset_add_gpio_aux_device(): if __auxiliary_device_add() fails, the code calls auxiliary_device_uninit(adev), the device release callback frees adev, but the error path then frees adev again with kfree(adev). The f...
CVE-2026-31748
CVE-2026-31748 (Linux kernel, comedi me_daq): A firmware overrun was fixed in the me2600_xilinx_download() path used by request_firmware(). The code trusts the firmware header and reads file_length from the first 4 bytes, then copies file_length bytes from offset 16 without verifying the data st...
CVE-2026-31756
Technical details about CVE-2026-31756 are not publicly provided in the connected documents. Monitor for updates from vendors and advisories to confirm affected products, impact, and fixes.
CVE-2026-31759
CVE-2026-31759 affects the Linux kernel USB ULPI path (usb: ulpi) where a double free could occur in ulpi_register_interface() after a failed device_register(), because the error path freed ulpi twice. The root cause is a missing delegation of cleanup to put_device() via ulpi_dev_release(), preve...
CVE-2026-31764
Summary (CVE-2026-31764): A vulnerability in the Linux kernel IIO IMU driver for the st_lsm6dsx allows an out-of-bounds access when a non-accelerometer/gyroscope sensor tries to set the buffer sampling frequency via the sysfs attribute. The function st_lsm6dsx_hwfifo_odr_store() calls st_lsm6dsx...
CVE-2026-31767
Summary: CVE-2026-31767 relates to the Linux kernel DRM/i915/dsi path and fixes an issue where DSC horizontal timing adjustments were applied in command mode, potentially causing a div-by-zero when calculating vtotal. The underlying fix prevents adjusting htotal based on compression ratio in comm...
CVE-2026-31773
The CVE-2026-31773 entry concerns the Linux kernel Bluetooth SMP implementation. The root cause is that the legacy responder path in smp_random() marks the STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH, which reflects the requested security level rather than the actual pairi...
CVE-2026-31784
CVE-2026-31784 affects the Linux kernel, specifically the drm/xe/pxp component. The issue arises in pxp_start where a restart flag is not cleared, causing the function to potentially loop back to the start after reaching the end. This has been resolved by cherry-picking a fix from commit 0850ec7b...
CVE-2026-43005
CVE-2026-43005 affects the Linux kernel hwmon driver for tps53679. The bug arises when i2c_smbus_read_block_data() returns 0 (zero-length read); tps53679_identify_chip() then accesses buf[ret-1] (buf[-1]), causing an out-of-bounds read. The fix changes the check from ret < 0 to ret
CVE-2026-43010
CVE-2026-43010: The Linux kernel fix addresses a bug where sleepable kprobe_multi programs could be attached in a non-sleepable context because bpf_kprobe_multi_link_attach() did not validate the sleepable flag. This allowed sleepable helpers (e.g., bpf_copy_from_user()) to be invoked from an at...
CVE-2026-43036
Summary (CVE-2026-43036): The issue resides in the Linux kernel networking path, where gso_features_check() read IPv4 header offsets (iph->frag_off) in a way that could dereference uninitialized data when packets are injected via PF_PACKET paths. The root cause is unsafe header dereferencing ...
CVE-2026-43046
CVE-2026-43046 affects the Linux kernel, specifically btrfs relocation logic where a non-zero drop_progress with drop_level == 0 can be observed in a read-back root_item. The root_item invariant is now validated in the tree-checker when reading from disk: if drop_progress.objectid is non-zero, dr...
CVE-2026-43051
The CVE-2026-43051 issue affects the Linux kernel HID driver for Wacom devices, specifically the wacom_intuos_bt_irq() function. A length-bounds flaw in processing Bluetooth HID reports can permit an out-of-bounds read when handling reports 0x03 and 0x04, enabling leakage of memory content. The v...
CVE-2026-43056
Summary: CVE-2026-43056 affects the Linux kernel net: mana component. A use-after-free can occur in add_adev() when auxiliary_device_add() fails and control falls through to init_fail, accessing adev->id after the release callback frees the containing struct mana_adev. Root cause: the code fre...
CVE-2026-43067
Summary of CVE-2026-43067 (Linux kernel, ext4): A wraparound issue in block allocation for indirect-mapped files could permit referencing blocks beyond the 32-bit block-number limit. The described root cause involves how ext4 allocates blocks for indirect-based files and how grouping logic could...
CVE-2026-43075
The CVE-2026-43075 issue affects the Linux kernel’s ocfs2 filesystem code. A corrupted ocfs2 filesystem mounted on a loop device could trigger an out-of-bounds write in ocfs2_write_end_inline during a copy_file_range splice fallback, caused by trusting on-disk id_count to fit inline data. The roo...
CVE-2026-43081
The CVE-2026-43081 issue lies in the Linux kernel IPA driver where GENERIC_CMD register field masks for IPA v5.0+ were incorrectly configured, risking system instability. The description across multiple connected sources states this could produce a WARN when sending commands (e.g., to the MPSS re...
CVE-2026-43084
CVE-2026-43084 affects the Linux kernel netfilter nfnetlink_queue. The vulnerability stems from sharing a global hash table across all queues, allowing a parallel CPU to access a nf_queue_entry after it has been freed, causing a slab-use-after-free (KASAN) and potential crash/DoS. The fix is to m...
CVE-2026-43089
CVE-2026-43089: In the Linux kernel, the xfrm_user component exposes an information-disclosure vulnerability caused by a one-byte padding hole in struct xfrm_usersa_id that was not zeroed before copying to userspace. The fix zeros the entire structure before setting fields (build_mapping path). ...
CVE-2026-43103
CVE-2026-43103 affects the Linux kernel net/lapbether driver: lapbeth_data_transmit() assumes the underlying device type is ARPHRD_ETHER, and returning NOTIFY_BAD from lapbeth_device_event() prevents the bonding driver from violating this expectation. The vulnerability is resolved in upstream ker...
CVE-2026-43117
CVE-2026-43117 affects the Linux kernel’s btrfs tracepoints: when overlay is layered on btrfs, dentry->d_sb may reference the overlay superblock, causing a crash during fsid assignment. The root cause is deriving the wrong superblock for the event btrfs_sync_file(); the fix is to use file_inod...
CVE-2026-43118
CVE-2026-43118 concerns a Btrfs log replay data integrity issue in the Linux kernel where truncating a file to zero and then creating a hardlink, followed by a power failure and log replay, could leave the original size unchanged. Root cause: during inode logging, a 0 generation is written f...
CVE-2026-43131
CVE-2026-43131 affects the Linux kernel DRM AMD PM path. When SMU is disabled during Reliability, Availability, and Serviceability (RAS) initialization, a null pointer dereference can occur in drm/amd/pm, potentially causing a system crash (DoS). Public-availability details come from multiple sou...
CVE-2026-43135
CVE-2026-43135 affects the Linux kernel media driver cx23885. The issue is a missing unmap in snd_cx23885_hw_params() on error paths, leaving resources unreleased if the error path is triggered, which can lead to resource exhaustion and a potential DoS. The patch adds cx23885_alsa_dma_unmap() in ...
CVE-2026-43138
In the Linux kernel vulnerability CVE-2026-43138, a dynamically created GPIO reset controller device could be unbound via the sysfs interface, triggering a use-after-free condition and potentially destabilizing the system. The issue arises from improper handling of unbinding in the sysfs path for...
CVE-2026-43144
The CVE-2026-43144 entry concerns the Linux kernel brcmfmac Wi‑Fi SDIO driver. Concrete details from multiple sources show that during SDIO probe failure (e.g., missing firmware), sdiodev->bus could be set to a non-NULL error value twice (in brcmf_sdio_probe() and brcmf_sdiod_probe()), causing...
CVE-2026-43149
The CVE-2026-43149 issue affects the Linux kernel: the net: wan/fsl_ucc_hdlc driver allocated priv->rx_buffer and priv->tx_buffer as a single contiguous block in uhdlc_init(), but incorrectly freed them as two buffers in uhdlc_memclean() by calling dma_free_coherent() twice. The fix changes...
CVE-2026-43151
CVE-2026-43151: Linux kernel issue resolved by reverting the Iris video driver stop streaming sanity check. The revert re-enabled stop_streaming when the IRIS_INST_ERROR path, correcting prior regressions where buffers were not returned to vb2 and teardown could fail, leaving firmware in an inco...
CVE-2026-43160
The vulnerability CVE-2026-43160 concerns the Linux kernel’s mfd: macsmc driver, where a mutex in struct apple_smc was not initialized in apple_smc_probe(). An uninitialized mutex can lead to occasional NULL pointer dereferences in apple_smc_read() invoked by probe() paths of subdevices. A patch ...
CVE-2026-43165
CVE-2026-43165 corresponds to a Linux kernel hwmon issue in the nct7363 driver where of_parse_phandle_with_args() references were not released with of_node_put(), causing a resource leak in nct7363_present_pwm_fanin. The connected OSV entries indicate patches in rootio-linux for various Ubuntu/De...
CVE-2026-43166
CVE-2026-43166 concerns the Linux kernel’s erofs filesystem. A flaw in interlaced plain extent identification occurs when the start position and on-disk physical length are not both aligned to the block size, causing plain data to be misclassified as interlaced instead of shifted. This can lead t...
CVE-2026-43179
Summary: CVE-2026-43179 affects the Linux kernel’s EROFS filesystem. The issue stems from incorrect early exits for invalid metabox-enabled images with metadata compression, which can trigger folio reference leaks. The problem apparently does not cause system crashes or other severe issues accord...
CVE-2026-43182
Concrete details are available: CVE-2026-43182 affects the Linux kernel’s media: ccs component. The root cause is a missing check for a non-zero MIN_X_OUTPUT_SIZE limit register value when computing the maximum M for scaler configuration, risking a division-by-zero. Exploitation status is not pro...
CVE-2026-43185
In Linux kernel ksmbd, a signedness bug in smb_direct_prepare_negotiation() casts unsigned __u32 values from sp->max_recv_size and req->preferred_send_size to signed int before min_t(). A crafted preferred_send_size of 0x80000000 can be treated as smaller than max_recv_size, enabling a subs...
CVE-2026-43207
The vulnerability CVE-2026-43207 affects the Linux kernel mtk-mdp media driver. Root cause: improper error handling in the probe function can cause resource leaks; a missing check for vpu_get_plat_device() may dereference a NULL and the function increases the platform device reference count, risk...
CVE-2026-43210
The CVE-2026-43210 entry concerns the Linux kernel tracing ring-buffer subsystem. The root cause is inadequate validation of event length in rb_read_data_buffer(), which can cause an invalid memory access if an event’s length is corrupted, potentially at boot time. The published fix is to check t...