13804 matches found
CVE-2026-31590
The CVE-2026-31590 issue affects the Linux kernel KVM SEV path: sev_pin_memory() would WARN when npages overflowed an int due to KVM_MEMORY_ENCRYPT_REG_REGION with a large size, enabling a local user to trigger a harmless warning via userspace input (e.g., addr=0, size=-1ul). The root cause is th...
CVE-2026-31596
CVE-2026-31596 affects OCFS2 in the Linux kernel. The vulnerability stems from ocfs2_group_extend assuming a validated global bitmap inode block from ocfs2_inode_lock(), and BUG_ON() when the signature isn’t a dinode. A crafted filesystem can bypass structural validation via the JBD2 path, leadin...
CVE-2026-31605
This CVE concerns the Linux kernel udlfb driver, where FBIOPUT_VSCREENINFO could trigger a divide-by-zero when pixclock is used directly in the udlfb path. The issue mirrors a prior fix in fb_dev paths and has been resolved in the kernel with related commits (e.g., addressing divide-by-zero in si...
CVE-2026-31606
The CVE-2026-31606 issue affects the Linux kernel USB HID gadget driver. When a /dev/hidg* device is still open, unbind/bind operations can reinitialize a live cdev, which is unsafe and can crash the system. The core problem is calling cdev_init while the cdev is still in use; the fix is to alloc...
CVE-2026-31617
The CVE affects the Linux kernel USB Network Control Model (NCM) gadget driver (usb: gadget: f_ncm). A missing lower bound on block_len checks for NTB headers allows an underflow in ndp_index and datagram offset calculations when block_len ndp_size or dpe_size. This can let a malicious USB host c...
CVE-2026-31620
CVE-2026-31620 affects the Linux kernel ALSA usx2y driver (TASCAM US-144MKII). A malicious USB device can present a configuration with bInterfaceNumber=1 but no interface 0, causing usb_ifnum_to_if(dev,0) to dereference NULL. This can crash the kernel (DoS). The fix is to properly check the retur...
CVE-2026-31621
The CVE-2026-31621 issue affects the Linux kernel bnge driver: on failure of auxiliary_device_add(), the error path calls auxiliary_device_uninit() but does not return, causing a null dereference when cleanup runs bnge_aux_dev_release() (bd->auxr_dev is freed and then dereferenced). Red Hat re...
CVE-2026-31639
In the Linux kernel, CVE-2026-31639 affects the rxrpc subsystem. A client call acquires a reference to a key during rxrpc_alloc_client_call(), but this reference is not released when the call is destroyed, causing a key reference-count leak. The documented fix frees call->key in rxrpc_destroy_...
CVE-2026-31640
CVE-2026-31640 affects the Linux kernel rxrpc component. The issue occurs in rxrpc_post_response() where the code compares the challenge serial number using the newer packet private data instead of the cached/older response, causing the comparison to always be false and potentially preventing the...
CVE-2026-31720
CVE-2026-31720 : In the Linux kernel, the USB gadget path f_uac1_legacy incorrectly handles control request length. Specifically, f_audio_complete() copies req->length bytes into a 4-byte stack variable (data) via memcpy, with req->length derived from host-controlled USB requests. This can ...
CVE-2026-31727
The CVE affects the Linux kernel USB gadget subsystem, specifically u_ether, where a NULL pointer dereference could occur when a userspace tool queries a surviving interface during a detached window after unbind. The root cause is a missing NULL check for dev->gadget in eth_get_drvinfo(), lead...
CVE-2026-31729
CVE-2026-31729 affects the Linux kernel USB Type-C Unified Connector and Switch Interface (UCSI) path. A malicious or malfunctioning USB‑C device can report an out‑of‑range connector number in the CCI, which is used to index ucsi_connector_change(); the underlying array is allocated for the devic...
CVE-2026-31733
CVE-2026-31733 concerns the Linux kernel’s sched_ext component, where the direct dispatch state (ddsp_dsq_id) could remain set across paths, causing a spurious warning in mark_direct_dispatch(). The root cause is that ddsp_dsq_id was only cleared in dispatch_enqueue(), and not consistently cleare...
CVE-2026-31740
CVE-2026-31740 : In the Linux kernel, a race condition can occur in the rz-mtu3-cnt counter driver where the shared rz_mtu3_channel.dev pointer is overwritten by the counter and PWM sub-drivers when assigning device pointers for channels 1 and 2. This can lead the counter sub-driver to perform ru...
CVE-2026-31746
CVE-2026-31746 concerns the Linux kernel’s s390/zcrypt component. When Common Cryptographic Architecture (CCA) cards are used as accelerators for clear key RSA requests (ME and CRT), a memory leak occurs due to an unreleased memory allocation in the AP message handling. The issue stems from a rew...
CVE-2026-31749
Technical details for CVE-2026-31749 are not publicly provided in the supplied connected documents; no vendor/product/versions, root cause, or remediation are described beyond the initial summary. Monitor for updates.
CVE-2026-31751
Technical details for CVE-2026-31751 are not provided in the connected documents. The initial description contains summary text only; no affected products, versions, or fixes are present. Monitor for updates from OSV/Mageia/Debian advisories.
CVE-2026-31763
CVE-2026-31763 concerns the Linux kernel iio: gyro: mpu3050 driver. The issue arises from using the wrong IRQ handler during free_irq() in the teardown path: free_irq() is called with mpu3050 as the handler instead of the actual irq part pointer mpu3050->trig. The documented fix corrects the I...
CVE-2026-31765
Summary: CVE-2026-31765 affects the Linux kernel AMDGPU driver. A mismatch between the reserved trap area (AMDGPU_VA_RESERVED_TRAP_SIZE) and the allocated KFD GPU memory on systems with 64KB pages can cause a kernel crash, including a NULL pointer dereference, when running certain GPU tests (e.g....
CVE-2026-31766
The CVE-2026-31766 issue affects the Linux kernel AMDGPU driver: amdgpu_userq_get_doorbell_index() passes user-supplied doorbell_offset to amdgpu_doorbell_index_on_bar() without proper bounds checking. An arbitrarily large doorbell_offset can drive the computed doorbell index outside the allocate...
CVE-2026-31783
The CVE-2026-31783 entry refers to a Linux kernel issue in spi: amlogic: spifc-a4 where the on-host NAND ECC engine teardown was missing in probe unwind and remove-time cleanup. The fix adds a devm cleanup action so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and ...
CVE-2026-43044
The CVE-2026-43044 issue affects the Linux kernel's crypto: caam module. When processing HMAC keys longer than the block size, the copied key’s memory was not properly aligned for DMA, risking corruption of adjacent memory. The vulnerability’s root cause was the allocation of a copy that relied o...
CVE-2026-43132
CVE-2026-43132 affects the Linux kernel dm-verity component. The issue arises when dm_bufio_client_create() fails inside verity_fec_ctr() and the subsequent call to dm_bufio_client_destroy() uses an ERR_PTR(), causing a crash. Red Hat specifies potential local DoS from this crash; Debian/Root-OS ...
CVE-2026-43176
The CVE-2026-43176 entry refers to a vulnerability in the Linux kernel’s rtw89 WiFi driver (PCI path) affecting RTL8922DE where release report content was not properly validated. This could cause a crash (DoS) when handling a malformed TX release report. The root cause is insufficient validation ...
CVE-2026-43192
The provided sources describe CVE-2026-43192 as a Linux kernel issue in the device-mapper multipath (dm mpath) subsystem. A missing cleanup (dm_put_device) when failing to retrieve the SCSI handler name during path parsing (scsi_dh_attached_handler_name) could leak references to the path device. ...
CVE-2026-43203
The CVE covers a Linux kernel fore200e ATM driver use-after-free during device removal (PCA-200E/SBA-200E). Vulnerability arises when tx_tasklet/rx_tasklet run or pending after fore200e is freed, risking access to freed memory. The published fixes synchronize tasklets with device shutdown by addi...
CVE-2026-43209
CVE-2026-43209 – minix filesystem sanity check in Linux kernel : The minix filesystem implementation lacked proper sanity checks in minix_check_superblock(), notably for s_log_zone_size, which the patch now enforces (only 0 is supported). The update also adds sanity checks for other superblock fi...
CVE-2026-43230
The CVE-2026-43230 issue affects the Linux kernel’s Reliable Datagram Sockets (RDS) by not clearing the reconnect-pending bit when canceling the reconnect worker before it has been scheduled. This can cause the system to believe a reconnect is pending indefinitely, potentially impairing network o...
CVE-2026-43231
CVE-2026-43231 : In the Linux kernel, the media: radio-keene driver has a memory-leak in usb_keene_probe() where the v4l2 control handler is not freed if registration fails. The underlying issue is that the v4l2_ctrl_handler is initialized and controls are added, but error paths after v4l2_device...
CVE-2026-43454
CVE-2026-43454 concerns the Linux kernel nf_tables netfilter component. The issue arises when handling NETDEV_REGISTER notifications: a device may be registered twice because nft_netdev_hook_alloc() could have already added the device when the hook was created. The result is duplicate device regi...
CVE-2026-43457
CVE-2026-43457 affects the Linux kernel MCTP over I2C receive path. When midev->allow_rx is false, a newly allocated skb is not consumed by netif_rx() and must be freed directly, otherwise a memory leak can occur leading to potential DoS through memory exhaustion. The available connected sourc...
CVE-2026-23299
CVE-2026-23299 relates to a Linux kernel Bluetooth issue where, when TX timestamping is enabled (SO_TIMESTAMPING), SKBs may be queued in the sk_error_queue during socket destruction and could leak if unread or if the controller is removed. The fixed mitigation is the addition of skb_queue_purge()...
CVE-2026-23301
The CVE-2026-23301 issue affects the Linux kernel ASoC SDCA component, specifically the find_sdca_entity_iot() path that allocates a string for an Entity name but does not verify the allocation result. Red Hat and Debian-family advisories describe this as a local vulnerability that could enable a...
CVE-2026-23365
The CVE-2026-23365 entry concerns the Linux kernel kalmia USB driver, where probing code must validate the device’s endpoints before binding. If a malicious device omits or mismatches expected endpoints, the driver may access invalid endpoints and crash. The issue is resolved in upstream kernel b...
CVE-2026-23377
CVE-2026-23377 affects the Linux kernel in the ice network driver under XDP. The root cause is an incorrect use of frag_size in XDP RxQ info, which should reflect the whole buffer size but was treated as a DMA write length, causing negative tailroom and potential kernel panic when crafting packet...
CVE-2026-23436
The CVE-2026-23436 issue affects the Linux kernel's net: shaper component. A race could occur when a netdev is unregistered between taking a reference during Netlink prep and locking/RCU in the callback, potentially leaking the hierarchy after a flush. The fix applies the instance lock in pre- st...
CVE-2026-31500
The CVE-2026-31500 issue affects the Linux kernel Bluetooth Intel btintel driver. A data race allowed two __hci_cmd_sync() paths (HCI_OP_RESET and Intel-exception-info) to run without hci_req_sync_lock, risking concurrent access to hdev->req_status/req_rsp and a slab-use-after-free in kfree_sk...
CVE-2026-31535
Summary: CVE-2026-31535 affects the Linux kernel SMB client receive credit management. A race in handling smbdirect_socket.recv_io.credits.available can cause over- or under-counted credits, potentially destabilizing the SMB receive path. The root cause is a window where a peer might have consume...
CVE-2026-31583
The CVE-2026-31583 issue affects the Linux kernel em28xx media driver. A race in em28xx_v4l2_open() occurs because dev->v4l2 is read without holding dev->lock, racing with em28xx_v4l2_init()/em28xx_v4l2_fini() that free the structure and set dev->v4l2 to NULL under lock. This leads to us...
CVE-2026-31654
CVE-2026-31654 affects the Linux kernel mm/vma path for mmap-backed shared mappings (notably /dev/zero). The root cause was a memory leak: when __mmap_new_vma() fails after shmem_zero_setup_desc() allocates a replacement shmem file, that new file isn’t released in the error path, leaving an unref...
CVE-2026-31753
CVE-2026-31753 affects the Linux kernel’s auxdisplay/line-display path. A NULL dereference in linedisp_release can occur if the enclosing linedisp object has already been detached when the release callback runs, causing a crash while freeing display resources. The fix retrieves the enclosing obje...
CVE-2026-31757
CVE-2026-31757 affects the Linux kernel USB subsystem (usbio). The issue is a memory leak where, if usb_submit_urb() fails during device probing (usbio_probe()), the previously allocated URB is not freed. The fix directs control flow to an error path (err_free_urb) to properly release the URB and...
CVE-2026-31769
The CVE-2026-31769 issue in the Linux kernel gpib module is resolved by adding a kernel-only descriptor_busy reference count in struct gpib_descriptor to prevent use-after-free of gpib_descriptor objects during concurrent IO ioctl handling (IBRD, IBWRT, IBCMD, IBWAIT). Each IO path increments des...
CVE-2026-31781
CVE-2026-31781 concerns the Linux kernel drm/ioc32 compat ioctl path, where a user-controlled pointer was used to index a table of function pointers (spectre-like pattern). The issue is mitigated by applying array_index_nospec on the index to the function-pointer list, as described in the fix. Co...
CVE-2026-43167
CVE-2026-43167 relates to the Linux kernel xfrm subsystem where a reference-count leak in xfrm_state occurs when a network device is unregistered. The issue stems from an IPsec hardware-offload API change (commit d77e38e612a0) that made xfrm_dev_unregister() a no-op, even though xfrm_dev_state_ad...
CVE-2026-23337
The CVE-2026-23337 entry concerns the Linux kernel, specifically the pinconf-generic driver in the pinctrl subsystem. The root cause is a memory leak in pinconf_generic_parse_dt_config() when parse_dt_cfg() fails and exits early, bypassing cleanup. The resulting leak is of the cfg buffer. The fix...
CVE-2026-31490
CVE-2026-31490 affects the Linux kernel drm/xe/pf component. A use-after-free vulnerability occurs when xe_sriov_pf_migration_restore_produce() returns an error and the data pointer is not cleared, potentially enabling memory corruption or a crash. The fix sets the data pointer to NULL on error t...
CVE-2026-31501
The CVE-2026-31501 issue affects the Linux kernel net: ti: icssg-prueth driver and is a use-after-free in the RX path. cpp i5_hdesc_get_psdata() returns a pointer into the CPPI descriptor, and the descriptor is freed via k3_cppi_desc_pool_free() before psdata[0]/psdata[1] are used by emac_rx_time...
CVE-2026-31584
CVE-2026-31584 - Linux kernel (MediaTek vcodec) use-after-free in encoder release path : The fops_vcodec_release() frees the context (ctx) without cancelling or synchronizing pending/running encode work, allowing the mtk_venc_worker to dereference freed ctx. Root cause: v4l2_m2m_ctx_release() wai...
CVE-2026-31742
The CVE-2026-31742 issue affects the Linux kernel’s virtual terminal (vt) handling of alternate screen mode. When entering alt screen, vc_uni_lines is saved to vc_saved_uni_lines and vc_uni_lines is set to NULL. A subsequent console resize can skip reallocating the unicode buffer because vc_uni_l...