CVE-2026-31733

CVE-2026-31733 concerns the Linux kernel’s sched_ext component, where the direct dispatch state (ddsp_dsq_id) could remain set across paths, causing a spurious warning in mark_direct_dispatch(). The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), and not consistently cleare...

CVE-2026-31737

Technical details (affected product/component/versions/root cause/impact or fixes) for CVE-2026-31737 are not publicly available in the provided connected documents. Monitor for updates.

CVE-2026-31739

CVE-2026-31739 affects the Linux kernel tegra crypto driver. The driver failed to set CRYPTO_ALG_ASYNC on asynchronous algorithms, causing the crypto API to select async paths for users requesting synchronous operations, potentially causing crashes. Mitigation implemented in the patch: explicitly...

CVE-2026-31740

CVE-2026-31740 : In the Linux kernel, a race condition can occur in the rz-mtu3-cnt counter driver where the shared rz_mtu3_channel.dev pointer is overwritten by the counter and PWM sub-drivers when assigning device pointers for channels 1 and 2. This can lead the counter sub-driver to perform ru...

CVE-2026-31741

CVE-2026-31741 affects the Linux kernel rz-mtu3-cnt counter module. Repeated writes to the sysfs enable file can underflow/overflow the Runtime PM usage count, causing clocked-off hardware register accesses and potential instability/DoS. The issue is resolved in upstream kernel (v6.6.137) and dis...

CVE-2026-31743

In the Linux kernel, CVE-2026-31743 affects the nvmem subsystem, specifically the zynqmp_nvmem module, where an incorrect buffer size is used during DMA allocation and memcpy. The resulting undersized DMA buffer access can cause memory corruption, potentially triggering system instability or deni...

CVE-2026-31746

CVE-2026-31746 concerns the Linux kernel’s s390/zcrypt component. When Common Cryptographic Architecture (CCA) cards are used as accelerators for clear key RSA requests (ME and CRT), a memory leak occurs due to an unreleased memory allocation in the AP message handling. The issue stems from a rew...

CVE-2026-31750

CVE-2026-31750 affects the Linux kernel comedi driver. The issue is a memory leak where chanlist was not freed in the exceptional exit path of do_cmd_ioctl because runflags may be unset; do_become_nonbusy() previously freed chanlist only when runflags were set. The fix adds a check in do_become_n...

CVE-2026-31751

Technical details for CVE-2026-31751 are not provided in the connected documents. The initial description contains summary text only; no affected products, versions, or fixes are present. Monitor for updates from OSV/Mageia/Debian advisories.

CVE-2026-31755

Rooted in the Linux kernel usb cdns3 gadget: when an endpoint is disabled or unconfigured, ep->desc can be NULL and __cdns3_gadget_ep_queue() may dereference it, causing a kernel crash. A patch adds a check and returns -ESHUTDOWN for unconfigured endpoints. Upstream fixes exist (commit referen...

CVE-2026-31760

The CVE-2026-31760 issue affects the Linux kernel GPIB gpib: lpvo_usb driver, where the driver incorrectly retains references to USB devices during GPIB attach, causing a memory leak on disconnect. The root cause is not releasing those references after attaching, leading to resource retention. Th...

CVE-2026-31763

CVE-2026-31763 concerns the Linux kernel iio: gyro: mpu3050 driver. The issue arises from using the wrong IRQ handler during free_irq() in the teardown path: free_irq() is called with mpu3050 as the handler instead of the actual irq part pointer mpu3050->trig. The documented fix corrects the I...

CVE-2026-31765

Summary: CVE-2026-31765 affects the Linux kernel AMDGPU driver. A mismatch between the reserved trap area (AMDGPU_VA_RESERVED_TRAP_SIZE) and the allocated KFD GPU memory on systems with 64KB pages can cause a kernel crash, including a NULL pointer dereference, when running certain GPU tests (e.g....

CVE-2026-31766

The CVE-2026-31766 issue affects the Linux kernel AMDGPU driver: amdgpu_userq_get_doorbell_index() passes user-supplied doorbell_offset to amdgpu_doorbell_index_on_bar() without proper bounds checking. An arbitrarily large doorbell_offset can drive the computed doorbell index outside the allocate...

CVE-2026-31770

The CVE-2026-31770 issue affects the Linux kernel hwmon/occ path. In occ_show_power_1(), the accumulator could be divided by update_tag without checking for zero when no samples have been collected, leading to a division-by-zero crash. A fix reuses occ_get_powr_avg() (which handles the zero-sampl...

CVE-2026-31772

The CVE-2026-31772 issue affects the Linux kernel Bluetooth HCI path. The root cause is a stack buffer overflow in hci_le_big_create_sync where DEFINE_FLEX allocates a stack struct for BIS entries with room for 17, but conn->num_bis can be up to 31, leading to a memcpy that can write beyond th...

CVE-2026-31774

The CVE-2026-31774 issue affects the Linux kernel io_uring/net path. A 32-bit length value (sqe->len) is stored into sr->len (int), allowing values above INT_MAX (e.g., 0xFFFFFFFF) to overflow and propagate through the bundle recv/send path. This can cause a slab-out-of-bounds read in io_bu...

CVE-2026-31778

Summary: CVE-2026-31778 affects the Linux kernel ALSA caiaq driver (init_card) and is caused by an off-by-one in a whitespace-stripping loop that copies a card id. The 16-byte local buffer can be filled without leaving space for the terminating null, causing a non-null-terminated string to be pas...

CVE-2026-31780

In CVE-2026-31780, the Linux kernel wi l c1000 Wi‑Fi driver is affected by a heap buffer overflow in the SSID scan path. The code accumulates total SSID lengths into a variable declared as u8, allowing up to 330 bytes for 10 SSIDs, but the u8 wrap causes a 75-byte kmalloc allocation followed by a...

CVE-2026-31783

The CVE-2026-31783 entry refers to a Linux kernel issue in spi: amlogic: spifc-a4 where the on-host NAND ECC engine teardown was missing in probe unwind and remove-time cleanup. The fix adds a devm cleanup action so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and ...

CVE-2026-43006

CVE-2026-43006 (Linux kernel io_uring rsr/rsrc): A zero-length fixed-buffer import in io_import_fixed() could trigger a slab-out-of-bounds read due to a boundary check that allows len == 0 to be processed. The underlying issue is in validate_fixed_range(), which permits buf_addr at the end of the...

CVE-2026-43008

CVE-2026-43008 affects the Linux kernel gpio: qixis-fpga driver. The issue is incorrect error handling in devm_regmap_init_mmio(): it returns ERR_PTR() on failure, but code checked for NULL, risking invalid pointer dereference. Mitigation: patch uses IS_ERR() and PTR_ERR() to handle errors correc...

CVE-2026-43009

The CVE-2026-43009 family concerns the Linux kernel BPF verifier. Connected sources describe a bug where backtrack_insn did not correctly account for atomic fetch variants (BPF_ATOMIC with BPF_FETCH) during memory-precision tracking, causing the verifier to prune paths incorrectly. The fix extend...

CVE-2026-43044

The CVE-2026-43044 issue affects the Linux kernel's crypto: caam module. When processing HMAC keys longer than the block size, the copied key’s memory was not properly aligned for DMA, risking corruption of adjacent memory. The vulnerability’s root cause was the allocation of a copy that relied o...

CVE-2026-43060

The CVE-2026-43060 issue affects the Linux kernel netfilter component (nft_ct). When the nft_ct module is removed, packets enqueued in nfqueue may retain stale references to conntrack zone templates or timeout policies, risking instability or DoS. The root cause is references that can outlive the...

CVE-2026-43064

CVE-2026-43064 affects the Linux kernel’s dmaengine idxd, where the workqueue for a DSA/IAA device was not released on object release. The underlying cause is that the workqueue remained bound to the freed object, leading to resource leaks. The issue is now fixed: the workqueue is released after ...

CVE-2026-43079

CVE-2026-43079 affects the Linux kernel’s perf/x86/intel/uncore component. When NUMA is disabled and the system boots with fewer CPUs than those in die 0, the kernel continues to parse the discovery table for offline dies, which can trigger an array overflow at pmu->boxes[die] and may lead to ...

CVE-2026-43083

The CVE pertains to Linux kernel ioam6: a fix for an out-of-bounds access in skb_get_tx_queue when is_input is true, caused by a RX->TX queue-mapping mismatch (ingress device having more RX queues than egress TX queues). The issue could access dev->_tx[] beyond its bounds. A lock around qdi...

CVE-2026-43090

CVE-2026-43090 concerns a Linux kernel memory-leak in the XFRM subsystem. The root cause is a double call to xfrm_pol_hold_rcu() inside xfrm_migrate_policy_find(), even though the lookup function already returns a policy with a held reference. This leads to a refcount imbalance and memory leak of...

CVE-2026-43095

In CVE-2026-43095, the Linux kernel ASoC SDCA subsystem fixes an IRQ cleanup flaw. IRQs are currently enabled via sdca_irq_populate() from component probe using devm_request_threaded_irq(), which can cause IRQs to persist after a sound card teardown. Some IRQ handlers hold references to the card ...

CVE-2026-43098

Summary (concrete details from provided documents): CVE-2026-43098 affects the Linux kernel NFC subsystem, specifically the s3fwrn5 driver, where s3fwrn82_uart_read() may consume bytes into recv_skb and deliver a complete frame before a new receive buffer is allocated. If alloc_skb() fails, the c...

CVE-2026-43101

The CVE-2026-43101 entry refers to a Linux kernel IPv6 IOAM issue: __ioam6_fill_trace_data() could dereference NULL if __in6_dev_get() returns NULL. The fix replaces skb_dst_dev() with skb_dst_dev_rcu() and adds two missing READ_ONCE() checks; it also enforces that @dev cannot be NULL. Patches ar...

CVE-2026-43102

CVE-2026-43102 affects the Linux kernel net/airoha driver: a memory leak in the airoha_qdma_rx_process() when processing subsequent buffers in the non-linear skb portion. If an error occurs, the page_pool fragment may fail to be linked back to the skb, preventing it from being returned to the poo...

CVE-2026-43116

The CVE-2026-43116 issue affects the Linux kernel’s netfilter ctnetlink master conntrack handling. The root cause is insufficient locking around the master conntrack object, which can become invalid while still referenced (exp->master). The fix extends the nf_conntrack_expect_lock and the spin...

CVE-2026-43126

CVE-2026-43126 affects the Linux kernel ALSA OSS mixer. The vulnerability arises when pending kcontrol operations are not consistently handled during card/disconnect, risking use-after-free and potential local impact. Multiple OSV entries ( Debian 12/11 patches in rootio-linux, Ubuntu, Red Hat) i...

CVE-2026-43129

The CVE-2026-43129 issue stems from the Linux kernel IMA subsystem: when booting a second-stage kernel via kexec with a memory-limited command line, the IMA measurement buffer from the previous kernel could lie outside the new kernel’s addressable RAM, causing an early-page fault on x86_64. The f...

CVE-2026-43130

The CVE-2026-43130 issue affects the Linux kernel iommu/vt-d path, where flushing the dev-IOTLB can occur during resource release in scalable PCIe mode. The root cause is a path that attempted ATS invalidation without adequately verifying whether the PCIe device is still accessible after a link-d...

CVE-2026-43136

The CVE-2026-43136 issue affects the Linux kernel HID subsystem (logitech-hidpp) where fake USB devices could craft HID report descriptors without valid fields, potentially crashing the kernel over USB. The root cause is a missing validation in hidpp_get_report_length() that allowed reports with ...

CVE-2026-43141

Summary : CVE-2026-43141 affects the Linux kernel ntb_hw_switchtec code, where the number of MW LUTs can be configured to zero. In that scenario, a call to rounddown_pow_of_two could trigger undefined behavior. The patch ensures rounddown_pow_of_two is only applied to a valid value. Impact : Unde...

CVE-2026-43142

CVE-2026-43142 affects the Linux kernel media: iris: gen1 driver. The issue arises because the driver does not destroy internal buffers after firmware releases, leaving stale allocations (notably when display resolutions change). This can waste memory until session close and may contribute to res...

CVE-2026-43145

The CVE-2026-43145 issue is in the Linux kernel remoteproc imx_rproc driver. The function imx_rproc_elf_find_loaded_rsc_table() could incorrectly report a loaded resource table when the firmware provided no resource table, because it returning priv->rsc_table even if rproc->table_ptr was NU...

CVE-2026-43147

CVE-2026-43147 concerns a deadlock in the Linux kernel SR-IOV removal path. The issue arises when sriov_del_vfs() is invoked during pci_stop_and_remove_bus_device(), causing a recursive lock acquisition on pci_rescan_remove_lock and leading to system unresponsiveness. The public description confi...

CVE-2026-43148

The CVE-2026-43148 issue concerns the Linux kernel, specifically the powerpc/smp code path for parse_thread_groups(). A missing check for the return value of kcalloc() could allow a NULL pointer dereference when the allocation result is later used by of_property_read_u32_array(). The vulnerabilit...

CVE-2026-43150

The CVE-2026-43150 issue affects the Linux kernel’s perf/arm-cmn component, where the kernel now rejects unsupported CMN hardware configurations. The root cause is the kernel’s prior assumptions about maximum sizes and counts for CMN models and revisions, which could allow larger or unknown confi...

CVE-2026-43157

Summary: CVE-2026-43157 affects the Linux kernel octeontx2-af CGX driver. The RX/TX flow-control bitmaps (rx_fc_pfvf_bmap, tx_fc_pfvf_bmap) are allocated during cgx_lmac_init() but not freed during cgx_lmac_exit(), enabling a kernel memory leak (kmemleak) when the driver is unbound and rebound. I...

CVE-2026-43162

In the Linux kernel, the media: tegra-video path has a memory leak in __tegra_channel_try_format() caused by failing to free the allocated __v4l2_subdev_state (sd_state) in two error paths after v4l2_subdev_call() failures. The fix introduces a cleanup label and goto-based error handling to ensur...

CVE-2026-43164

CVE-2026-43164 affects the Linux kernel UDP-Lite implementation. The issue is a null-pointer dereference in __udp_enqueue_schedule_skb() triggered during UDP-Lite socket initialization, as reported by syzbot. Post-commit changes allow udp_lib_init_sock(), udp_init_sock(), and udpv6_init_sock() to...

CVE-2026-43168

CVE-2026-43168 concerns the Linux kernel OCFS2 reflink preserve cleanup issue. Multiple connected sources confirm a bug in the cleanup of preserved xattr entries: the last pointer should be shifted by one unit after an array entry cleanup, and the first entry may not be cleaned when xh_count is 1...

CVE-2026-43169

The CVE-2026-43169 issue lies in the Linux kernel DRM_BUDDY code (drm/buddy) where contiguous allocations (and large non-contiguous allocations) are rounded up to a power of two or aligned, potentially producing a size > mm->size and triggering BUG_ON(order > mm->max_order). If such a...

CVE-2026-43172

CVE-2026-43172 affects the Linux kernel iwlwifi driver. If the firmware reports three LMACs (which hardware does not have), the code can overrun the array fwrt->smem_cfg.lmac[2]. The fix rejects such configurations and uses IWL_FW_CHECK instead of WARN_ON, mitigating a potential instability/Do...