27 matches found
CVE-2025-22119
CVE-2025-22119 concerns the Linux kernel wireless stack. The issue occurs in cfg80211 where wiphy_work is not fully initialized before rfkill allocation, allowing cfg80211_dev_free to access uninitialized wiphy_work data via a race with the rfkill path. The root cause is an uninitialized wiphy_wo...
CVE-2025-22047
CVE-2025-22047 affects the Linux kernel in the x86 AMD microcode path. The issue arises when verify_sha256_digest() fails and __apply_microcode_amd() does not propagate the failure properly, effectively returning a value that could be interpreted as success due to an incorrect -1 promotion. The f...
CVE-2025-22074
CVE-2025-22074 : In the Linux kernel, ksmbd had a r_count increment/decrement mismatch that could cause r_count to become negative, leading to ksmbd thread termination issues. The issue is fixed by a patch fixing the r_count dec/increment pairing when oplock breaks occur. Affected component is ks...
CVE-2025-22112
CVE-2025-22112 affects the Linux kernel bnxt ethernet driver. The vulnerability arises from out-of-range access to the vnic_info array in bnxt_queue_start/stop where bp->nr_vnics is exceeded, allowing access to bp->vnic_info[bp->nr_vnics]. The issue is fixed in the publicly released comm...
CVE-2025-37760
Technical details about CVE-2025-37760 are not provided in the supplied connected documents. No affected product/version or fix is specified here. Monitor for updates.
CVE-2025-37845
CVE-2025-37845: Linux kernel tracing fprobe events fix prevents use-after-free by unloading a module during tprobe/tracepoint handling. Root cause: a previous relocation of try_module_get() from __find_tracepoint_module_cb() to find_tracepoint() could access a freed module object; the patch resto...
CVE-2025-37779
CVE-2025-37779 pertains to the Linux kernel. A folio refcount bug in lib/iov_iter caused a UAF when an EROFS file-backed mount over 9P (v9fs) on QEMU was exercised, due to pages in bvec being coalesced across a folio boundary. The root cause was inadequate refcount handling for non-slab folios, p...
CVE-2025-37868
Technical details beyond the initial Linux kernel description are not provided in the connected documents. Monitor for updates; this entry notes a fix for notifier vs folio deadlock in drm/xe/userptr in the Linux kernel, cherry-picked from a commit.
CVE-2025-38176
In Linux kernel, binder: fix use-after-free in binderfs_evict_inode() is the root cause of the vulnerability. The issue occurs within binderfs_evict_inode, leading to potential slab-use-after-free conditions observable under stress-ng with binderfs, and is mitigated by the referenced patch fix. C...
CVE-2025-38421
CVE-2025-38421 affects the Linux kernel’s amd-pmf code in platform/x86/amd, where a path that fails smart PC setup could lead to a double free of dev->buf during module removal. The root cause is a freed pointer that isn’t NULL’d, causing amd_pmf_remove() to free it again. The provided fixes c...
CVE-2025-38569
CVE-2025-38569 (Linux kernel benet) arises from a bug in the be2net SR-IOV VF MAC address configuration flow where be_cmd_set_mac_list() calls dma_free_coherent() while still under spin_lock_bh, leading to a kernel crash (BUG at mm/vmalloc.c and OOPs) when SR-IOV VFs are created. The linked advis...
CVE-2026-43351
The CVE-2026-43351 issue affects the Linux kernel’s KVM on arm64 when creating a virtual GIC. If vgic_allocate_private_irqs_locked() fails, kvm_vgic_create() can exit before vgic dist regions are initialised, and kvm_vgic_dist_destroy() may then attempt to free uninitialised data, risking a crash...
CVE-2026-43061
CVE-2026-43061 (Linux kernel): The serial8250 TX DMA deadlock was fixed. The root cause was that dmaengine_terminate_async did not guarantee the __dma_tx_complete callback would run, and that callback is the only place where dma->tx_running is cleared. If a TX DMA transaction is canceled and t...
CVE-2026-31499
CVE-2026-31499 affects the Linux kernel Bluetooth L2CAP code. The vulnerability stems from l2cap_conn_del() canceling delayed work (info_timer and id_addr_timer) while holding conn->lock, while the corresponding work functions (l2cap_info_timeout() and l2cap_conn_update_id_addr()) also acquire...
CVE-2026-53273
CVE-2026-53273 describes a use-after-free in the Linux kernel TEE/OP-TEE path. When a client exits before the supplicant finishes processing, freed request memory could be dereferenced, enabling a potential crash or code execution path. The root cause is a race around request lifetime between the...
CVE-2026-46139
CVE-2026-46139 covers the Linux kernel SMB client: when building an ACL descriptor in build_sec_desc(), a kzalloc-based allocation fix was introduced to zero-initialize the security descriptor buffer, replacing a previous kmalloc path. The change splits struct smb_acl's __le32 num_aces into __le1...
CVE-2025-68351
The CVE-2025-68351 issue is in the Linux kernel exfat code, specifically a refcount leak in exfat_find. The root cause is that exfat_get_dentry_set increments es->bh on success but the corresponding exfat_put_dentry_set may not be consistently invoked, leading to leaks. The patch relocates two...
CVE-2025-39948
The CVE-2025-39948 issue is in the Linux kernel ice driver’s RX path for multi-buffer/XDP frames. A zero-size descriptor could cause ice_put_rx_mbuf() to skip a buffer, preventing ice_put_rx_buf() and leaving a stale page in the RX ring. This could break page reuse/free logic (ice_reuse_rx_page) ...
CVE-2026-23461
CVE-2026-23461: In the Linux kernel Bluetooth L2CAP, l2cap_register_user() and l2cap_unregister_user() did not consistently acquire conn->lock, creating a race with l2cap_conn_del() that can access conn->users and conn->hchan concurrently. This caused use-after-free and list corruption. ...
CVE-2026-43382
Summary: CVE-2026-43382 affects the Linux kernel batman-adv component. The issue arises when batadv_v_elp_get_throughput() runs with the RTNL lock already held, which could cause a deadlock during cancellation of a work item. The fix switches to rtnl_trylock to skip ethtool retrieval if the RTNL ...
CVE-2026-45925
CVE-2026-45925 affects the Linux kernel thermal subsystem. In thermal_of_cm_lookup(), a device node pointer (tr_np) obtained via of_parse_phandle() is not released, causing a reference leak. The documented fix is to release the node automatically using the __free(device_node) cleanup attribute to...
CVE-2026-23418
The CVE-2026-23418 issue affects the Linux kernel component drm/xe/reg_sr. It describes a memory leak that occurs when xa_store() fails to store a newly allocated entry, leaving the entry not freed on the error path. The patched fix frees the allocated entry on error (notably via a goto fail_free...
CVE-2026-31472
CVE-2026-31472 concerns the Linux kernel, specifically the xfrm/ IPTFS path. A crafted ESP packet with an inner IPv4 header can cause an infinite loop in __input_process_payload() if the inner header has tot_len=0 or malformed ihl. The fix adds validation to reject inner packets where tot_len <...
CVE-2026-31517
The CVE-2026-31517 vulnerability affects the Linux kernel’s IP-TFS (xfrm_iptfs) reassembly path. During datagram reassembly, an optimization can make newskb non-linear; if a subsequent fragment is appended via skb_put(), the code may trigger a SKB_LINEAR_ASSERT and crash (OOPS). The documented fi...
CVE-2026-23328
CVE-2026-23328 – Linux kernel (accel/amdxdna): The vulnerability is a NULL pointer dereference in mgmt_chann when the firmware returns an unexpected error in aie2_send_mgmt_msg_wait(), which may set mgmt_chann to NULL and cause a later NULL dereference in aie2_hw_stop(). The fixed patch introduce...
CVE-2026-23424
The CVE-2026-23424 vulnerability affects the Linux kernel’s accel/amdxdna component, caused by insufficient validation of the command buffer payload count. The count field in the command header determines the payload size, and the data must not exceed the remaining buffer space. If not properly c...
CVE-2026-23425
CVE-2026-23425 (Linux kernel KVM arm64) — The issue stems from non-protected pKVM guests where the hypervisor copies only the KVM_ARCH_FLAG_ID_REGS_INITIALIZED flag from the host to the hypervisor during pkvm_init_features_from_host, while the actual id_regs data are not initialized. This can cau...