7 matches found
CVE-2026-43067
Summary of CVE-2026-43067 (Linux kernel, ext4): A wraparound issue in block allocation for indirect-mmapped files could permit referencing blocks beyond the 32-bit block-number limit. The described root cause involves how ext4 allocates blocks for indirect-based files and how grouping logic could...
CVE-2026-43084
CVE-2026-43084 affects the Linux kernel netfilter nfnetlink_queue. The vulnerability stems from sharing a global hash table across all queues, allowing a parallel CPU to access a nf_queue_entry after it has been freed, causing a slab-use-after-free (KASAN) and potential crash/DoS. The fix is to m...
CVE-2026-23288
The CVE-2026-23288 issue is in the Linux kernel’s accel/amdxdna component. It describes an out-of-bounds write caused by clearing the command header with memset() before validating the remaining space in a command slot, when the slot space is smaller than the header. The root cause is performing ...
CVE-2026-31514
The CVE-2026-31514 issue affects the Linux kernel erofs filesystem: I/O requests for file-backed mounts can be interrupted (SIGKILL) and cause unused folios to be incorrectly marked uptodate, potentially leading to data integrity problems or stale data exposure. Mitigation/patches address this by...
CVE-2026-23309
CVE-2026-23309 refers to a Linux kernel vulnerability in the tracing subsystem. The issue was a NULL pointer dereference in trigger_data_free() when data->cmd_ops->set_filter is evaluated after a failed trigger_data_alloc() and returning NULL. The root cause was that trigger_data_free() did...
CVE-2026-23341
CVE-2026-23341 affects the Linux kernel accel/amdxdna path. The issue occurs when userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, which may crash due to a NULL mailbox channel pointer accessed in aie2_destroy_context(). The fix adds a mailbox...
CVE-2026-23355
The CVE-2026-23355 issue affects the Linux kernel libata subsystem. It describes a defect where queued work for a deferred command (deferred_qc) is not canceled when cleared, allowing a WARN_ON() condition to fire later if ap->ops->qc_defer() returns non-zero. The root cause is that, althou...