CVE-2026-23314

The CVE-2026-23314 entry describes a Linux kernel issue in the regulator/bq257xx subsystem: in bq257xx_reg_dt_parse_gpio(), if it fails to obtain a subchild, it may return without calling of_node_put(child), leaking a device node reference. The vulnerability is reported as resolved in the Linux k...

CVE-2026-23325

CVE-2026-23325 affects the Linux kernel wifi stack (mt76/mt7996). The flaw is an out-of-bounds access in mt7996_mac_write_txwi_80211() due to insufficient frame-length checks on management fields. Affected component: mt7996 hardware path in the kernel’s wifi driver. Impact per sources: potential ...

CVE-2026-23341

CVE-2026-23341 affects the Linux kernel accel/amdxdna path. The issue occurs when userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, which may crash due to a NULL mailbox channel pointer accessed in aie2_destroy_context(). The fix adds a mailbox...

CVE-2026-23343

CVE-2026-23343 involves the Linux kernel XDP tailroom calculation. Docked fixes describe that many ethernet drivers expose rx queue frag size, while xdp_frags_increase_tail() expects a truesize, causing unsigned tailroom to drift toward UINT_MAX and potentially grow tail space, leading to memory ...

CVE-2026-23378

CVE-2026-23378 concerns a Linux kernel net/sched issue in act_ife where metalist entries were appended on replace instead of replacing existing data, risking unbounded metadata growth and potential out-of-bounds encode errors. The root cause is fixed by adding metalist to the ife RCU data structu...

CVE-2026-23380

CVE-2026-23380 (Linux kernel) describes a local vulnerability in tracing buffers memory management. When a process forks, the child’s VMAs copy the parent’s without incrementing user_mapped, so exiting both processes may cause tracing_buffers_mmap_close() to run twice; on the second call user_map...

CVE-2026-23412

The CVE-2026-23412 issue affects the Linux kernel’s netfilter/BPF path. It describes a use-after-free (UaF) in nfnetlink_hooks where a concurrent process dumps hooks, triggering a KASAN slab-use-after-free in nfnl_hook_dump_one. The root cause is deferring the release of hook memory until RCU rea...

CVE-2026-23433

CVE-2026-23433 concerns the Linux kernel arm_mpam component and memory bandwidth monitoring. The root cause is a null pointer dereference in mpam_restore_mbwu_state: when an MSC is offline then online, __ris_msmon_read() is invoked via IPIs to restore bandwidth-counter configuration, but mbwu_arg...

CVE-2026-23453

CVE-2026-23453 affects the Linux kernel net:ti icssg-prueth XDP_DROP in non-zero-copy mode, causing a memory leak where pages aren’t returned to the page pool, potentially leading to OOM. The documented fix updates the caller path: when emac_run_xdp() returns ICSSG_XDP_CONSUMED for XDP_DROP, emac...

CVE-2026-23463

The CVE-2026-23463 issue concerns a race condition in the Linux kernel’s QMAN/FQ handling (qbman) where fq_table[fq->idx] may be freed and reallocated concurrently when QMAN_FQ_FLAG_DYNAMIC_FQID is set. The root cause is a race between qman_destroy_fq() releasing the fqid and qman_create_fq() ...

CVE-2026-23470

CVE-2026-23470 concerns the Linux kernel’s DRM/imagination path where the soft reset sequence can deadlock because it runs in a threaded IRQ handler and cannot call disable_irq() (which would wait on IRQ handlers). The fix is to use disable_irq_nosync() during the soft reset to avoid waiting on t...

CVE-2026-31390

CVE-2026-31390 affects the Linux kernel's drm/xe path, causing a memory leak in the function path used by xe_vm_madvise_ioctl when check_bo_args_are_sane() validation fails. The underlying issue was incorrect resource cleanup, now addressed by jumping to a new free_vmas cleanup label to properly ...

CVE-2026-31391

CVE-2026-31391 is reported in the OSV records as patched by the Root project in the rootio-linux package across multiple RootOS releases (Debian 11/12/13 and Ubuntu 22.04/24.04 variants). The affected component is the Linux kernel package in rootio-linux, with fixes available in multiple versions...

CVE-2026-31395

The CVE-2026-31395 issue affects the bnxt_en driver in the Linux kernel. The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler uses a firmware‑supplied 16‑bit type field as an index into bp->bs_trace[] without proper bounds validation, allowing values 0–65535 to trigger out‑of‑bounds access i...

CVE-2026-31430

CVE-2026-31430 affects the Linux kernel: X.509 extensions parsing could read the first byte of an extension before checking length, causing out-of-bounds access. The vulnerability can be triggered by an unprivileged user submitting a crafted certificate via the keyrings(7) API. A PoC exists. The ...

CVE-2026-31437

The CVE-2026-31437 issue is in the Linux kernel netfs path: when a write subrequest is marked NETFS_SREQ_NEED_RETRY, netfs_unbuffered_write() could dereference stream->prepare_write if it is NULL (not all filesystems, e.g., 9P, set prepare_write). The fixed behavior mirrors write_retry.c: if s...

CVE-2026-31439

The CVE-2026-31439 entry refers to a Linux kernel issue in dmaengine: xilinx: xdma, where devm_regmap_init_mmio could return an ERR_PTR and the error handling/ messaging were incorrect. The description and connected advisories confirm this is a kernel regression/fix in the regmap init path, with ...

CVE-2026-31457

The CVE-2026-31457 entry describes a Linux kernel vulnerability in DAMON (mm/damon/sysfs) where damon_sysfs_repeat_call_fn() dereferences contexts_arr[0] when nr_contexts is set to 0 via sysfs, due to a missing check on contexts->nr. This can occur while DAMON is running and cause a NULL point...

CVE-2026-31460

In the Linux kernel, the drm/amd/display path was fixed to validate the ext_caps pointer before using it in BL setup, specifically for LVDS connectors that do not have extended backlight caps. The root cause was dereferencing an invalid ext_caps pointer, which could crash the system. The fix (che...

CVE-2026-31463

Summary : CVE-2026-31463 concerns the Linux kernel iomap subsystem. A mismatch between inode block size (i_blkbits) and the IO granularity can cause invalid folio access during reads. The root cause was that, when IO is submitted for less than a full folio in the !ifs path, the code would fail to...

CVE-2026-31467

CVE-2026-31467 concerns the Linux kernel vulnerability where the bio completion path in certain process contexts (e.g., dm-verity) could call into decompression and then into vm_map_ram() with GFP_KERNEL, risking memory pressure and a potential deadlock in submit_bio_wait. The issue is tied to th...

CVE-2026-31470

CVE-2026-31470 concerns the Linux kernel TDX guest path, specifically the virt: tdx-guest component. Multiple connected sources confirm a fix for handling of the host-controlled quote buffer length, where the host can set quote_buf->out_len to influence how many bytes of the quote are copied t...

CVE-2026-31484

In the Linux kernel, CVE-2026-31484 is addressed in io_uring/fdinfo: fix OOB read during SQE_MIXED wrap checks in __io_uring_show_fdinfo(). The issue occurred when processing 128-byte SQEs on IORING_SETUP_SQE_MIXED rings: the previous wrap condition (++sq_head & sq_mask) == 0 could pass while the...

CVE-2026-31493

The CVE-2026-31493 issue exists in Linux kernel RDMA/efa admin queue completion handling: when a command completes with an error, the code may print from a completion context that has already been freed, leading to use-after-free-like behavior. The root cause is use of a freed completion context ...

CVE-2026-31498

Linux kernel CVE-2026-31498 affects Bluetooth L2CAP by exposing memory leaks during reconfiguration (ERTM data structures) and a zero-valued max_pdu_size path that can lead to an infinite loop in l2cap_segment_sdu. Root cause: reconfiguration previously re-initialized ERTM state and NULL’d sdu wi...

CVE-2026-31515

CVE-2026-31515 affects the Linux kernel and is resolved by validating address families in pfkey_send_migrate(); the flaw allowed overfilling the skb when processing requests due to truncation of the @family argument in set_ipsecrequest. SYZBOT demonstrated a crash in skb_put(), leading to a kerne...

CVE-2026-31520

The CVE-2026-31520 entry concerns the Linux kernel HID Apple driver. The issue is a memory leak in apple_report_fixup(), where a newly kmemdup()-allocated buffer was returned but not freed by the callee, resulting in unreclaimed memory. The caller does not take ownership of the returned pointer, ...

CVE-2026-31524

CVE-2026-31524 affects the Linux kernel HID ASUS driver. The asus_report_fixup() function allocated memory with kmemdup() but did not free it, causing a memory leak; the fix switches to devm_kzalloc() so memory is automatically freed with the device. A harmless out-of-bounds read was also correct...

CVE-2026-31538

CVE-2026-31538 (Linux kernel SMB server) : A race condition in the SMB server’s recv credits logic (smbdirect_socket.recv_io.credits.available) can cause credits to be granted that may already have been consumed by the peer due to mismatched counting of posted recv_io versus granted credits. The ...

CVE-2026-31548

CVE-2026-31548 (Linux kernel, wifi/cfg80211) : A race during interface teardown can cause a pending pmsr_free_wk work item to run after the interface has been removed, leading to undefined behavior or crashes if the driver abort_pmsr callback is invoked on a torn-down interface. The advisory stat...

CVE-2026-31549

CVE-2026-31549 relates to the Linux kernel cp2615 I2C driver. The vulnerability arises when the driver uses the USB device serial string as the i2c adapter name but does not ensure the string exists, potentially causing a NULL pointer dereference if a device lacks a serial number. Documented impa...

CVE-2026-31550

CVE-2026-31550 is a Linux kernel issue in the bcm2835-power component. The bcm2835_asb_control() polling loop could fail to properly disable the V3D master ASB on BCM2711 under heavy workloads, leaving the V3D in a broken state and potentially causing bus faults or system hangs. The mitigation in...

CVE-2026-31564

CVE-2026-31564 (LoongArch KVM) : The Linux kernel fix addresses a faulty address calculation in the LoongArch KVM implementation, specifically in kvm_eiointc_regs_access(). The code previously derived the register base address by adding an offset to an array base address treated as a u64, which c...

CVE-2026-31572

CVE-2026-31572 involves the Linux kernel driver for the i2c: designware: amdisp. A race exists between probe and runtime PM resume: when the ISP is powered on via runtime PM before probe completes, the amdisp I2C resume can occur early, causing a NULL dereference in kernel v7.0. The fix uses genp...

CVE-2026-31573

The vulnerability CVE-2026-31573 affects the Linux kernel media: verisilicon hantro_vpu driver. When built as a module, incorrect use of the __initconst annotation frees data prematurely, and non-init probe code later accesses this freed data, causing a kernel panic (page fault) during hantro_pro...

CVE-2026-31582

CVE-2026-31582 affects the Linux kernel hwmon powerz driver. A use-after-free occurs when a USB disconnect frees the URB and mutex, and a subsequent powerz_read() can dereference the freed URB in powerz_read_data(). The fix, as described across sources, is to set priv->urb to NULL in powerz_di...

CVE-2026-31585

CVE-2026-31585 affects the Linux kernel vidtv media driver. When vidtv_start_streaming() fails inside vidtv_start_feed(), the nfeeds counter is not decremented, leaving the number of active feeds inconsistent with actual starts. This state corruption can cause subsequent start_feed calls to skip ...

CVE-2026-31590

The CVE-2026-31590 issue affects the Linux kernel KVM SEV path: sev_pin_memory() would WARN when npages overflowed an int due to KVM_MEMORY_ENCRYPT_REG_REGION with a large size, enabling a local user to trigger a harmless warning via userspace input (e.g., addr=0, size=-1ul). The root cause is th...

CVE-2026-31596

CVE-2026-31596 affects OCFS2 in the Linux kernel. The vulnerability stems from ocfs2_group_extend assuming a validated global bitmap inode block from ocfs2_inode_lock(), and BUG_ON() when the signature isn’t a dinode. A crafted filesystem can bypass structural validation via the JBD2 path, leadin...

CVE-2026-31605

This CVE concerns the Linux kernel udlfb driver, where FBIOPUT_VSCREENINFO could trigger a divide-by-zero when pixclock is used directly in the udlfb path. The issue mirrors a prior fix in fb_dev paths and has been resolved in the kernel with related commits (e.g., addressing divide-by-zero in si...

CVE-2026-31606

The CVE-2026-31606 issue affects the Linux kernel USB HID gadget driver. When a /dev/hidg* device is still open, unbind/bind operations can reinitialize a live cdev, which is unsafe and can crash the system. The core problem is calling cdev_init while the cdev is still in use; the fix is to alloc...

CVE-2026-31620

CVE-2026-31620 affects the Linux kernel ALSA usx2y driver (TASCAM US-144MKII). A malicious USB device can present a configuration with bInterfaceNumber=1 but no interface 0, causing usb_ifnum_to_if(dev,0) to dereference NULL. This can crash the kernel (DoS). The fix is to properly check the retur...

CVE-2026-31639

In the Linux kernel, CVE-2026-31639 affects the rxrpc subsystem. A client call acquires a reference to a key during rxrpc_alloc_client_call(), but this reference is not released when the call is destroyed, causing a key reference-count leak. The documented fix frees call->key in rxrpc_destroy_...

CVE-2026-31640

CVE-2026-31640 affects the Linux kernel rxrpc component. The issue occurs in rxrpc_post_response() where the code compares the challenge serial number using the newer packet private data instead of the cached/older response, causing the comparison to always be false and potentially preventing the...

CVE-2026-31663

The CVE-2026-31663 vulnerability affects the Linux kernel xfrm subsystem, where a race between asynchronous crypto completion and device teardown could lead to using a freed dev reference. The fix changes the reference handling: the dev ref is no longer released on async resume entry and is inste...

CVE-2026-31698

CVE-2026-31698 affects the Linux kernel crypto CCP Sev driver. The issue arises when retrieving the PDH certificate: if a firmware command fails with an invalid length, the driver may copy data to userspace, causing a kernel-allocated buffer overflow and potential data leakage to the local user. ...

CVE-2026-31706

In ksmbd (Linux kernel), CVE-2026-31706 is due to a validation flaw in smb_inherit_dacl(): the on-disk num_aces from a parent directory’s security.NTACL is trusted to size a heap allocation (kmalloc(sizeof(struct smb_ace) * num_aces * 2)) without verifying consistency with pdacl_size. An authenti...

CVE-2026-31720

CVE-2026-31720 : In the Linux kernel, the USB gadget path f_uac1_legacy incorrectly handles control request length. Specifically, f_audio_complete() copies req->length bytes into a 4-byte stack variable (data) via memcpy, with req->length derived from host-controlled USB requests. This can ...

CVE-2026-31729

CVE-2026-31729 affects the Linux kernel USB Type-C Unified Connector and Switch Interface (UCSI) path. A malicious or malfunctioning USB‑C device can report an out‑of‑range connector number in the CCI, which is used to index ucsi_connector_change(); the underlying array is allocated for the devic...

CVE-2026-31731

In CVE-2026-31731, the Linux kernel thermal management subsystem has a race where a thermal zone removal during resume can cause use-after-free. Root cause: thermal_zone_pm_complete() and thermal_zone_device_resume() re-initialize the poll_queue delayed work, so cancel_delayed_work_sync() in ther...