223 matches found
CVE-2026-46243
The CVE-2026-46243 entry concerns the Linux kernel CIFS client. It fixes a bug where cifs.spnego key descriptions could be created by userspace (via request_key(2) or add_key(2)) and include fields (pid, uid, creduid, upcall_target) that are treated as kernel-origin inputs. The fix restricts acce...
CVE-2026-43503
The CVE-2026-43503 entry concerns Linux kernel net/skbuff handling: when frags are moved by frag-transfer helpers (notably __pskb_copy_fclone() and skb_shift()), the SKBFL_SHARED_FRAG flag was not propagated to the destination skb, causing destination pages to remain shared while skb_has_shared_f...
CVE-2026-46300
The CVE-2026-46300 issue affects the Linux kernel's net: skbuff code: skb_try_coalesce() can transfer paged frags from one skb to another while losing the SKBFL_SHARED_FRAG marker, breaking the invariant relied on by ESP decryption logic. This can allow an in-place decrypt path to operate on page...
CVE-2026-46333
CVE-2026-46333 concerns a logic bug in the Linux kernel’s ptrace access check (__ptrace_may_access). When a thread lacks an MM pointer, ptrace_may_access uses a cached “last dumpable” flag, which can be bypassed by CAP_SYS_PTRACE to override. This can enable local privilege escalation or informat...
CVE-2026-43500
Summary: CVE-2026-43500 affects the Linux kernel RXRPC path for DATA/RESPONSE packets. The issue occurs when skb fragments are externally owned (e.g., via splice() or frag lists) and the code path decrypts in place, binding frag pages into the AEAD/skcipher SGL. The fix extends the gate to unshar...
CVE-2026-46195
The CVE-2026-46195 entry concerns a Linux kernel SMB client vulnerability. 32-bit servers can supply a crafted dacloffset that wraps a DACL pointer, allowing dereferencing of DACL fields during chmod/chown if validated only after pointer arithmetic. The flaw occurs in parse_sec_desc(), build_sec_...
CVE-2026-46135
CVE-2026-46135 affects the Linux kernel nvmet-tcp (NVMe over TCP). A race between ICReq handling and target‑side queue teardown can transition queue state in a non‑serialized way, potentially allowing a second teardown path and a re‑entry after a disconnect, including a possible double free scena...
CVE-2026-46244
The CVE-2026-46244 issue affects the Linux kernel netfilter nft_inner path. In nft_inner_parse_l2l3(), while handling inner IPv6 packets, ipv6_find_hdr() computes the transport header offset correctly across extension headers, but the code later overwrites this value with nhoff + sizeof(_ip6h) (4...
CVE-2026-43494
CVE-2026-43494 affects the Linux kernel’s net/rds zerocopy path. When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), pinned pages are released and rm->data.op_mmp_znotifier is cleared, but rm->data.op_nents may not be reset. This leads to the cleanup loop in rds_message_purge...
CVE-2026-53176
CVE-2026-53176 affects the Linux kernel iSER (IB/isert) login handling in ib_isert.c. A remote iSER initiator could send a login PDU shorter than ISER_HEADERS_LEN (76), causing an integer underflow in isert_login_recv_done() when computing login_req_len, leading to a negative length used in a mem...
CVE-2026-46099
The CVE-2026-46099 entry describes a use-after-free race in Linux kernel IPv6 handling for seg6 and rpl lightweight tunnels. A NOREF destination cached during ip6_route_input() can be freed by a concurrent FIB lookup on a shared nexthop under PREEMPT_RT, leading to a WARN or potential instability...
CVE-2026-46124
CVE-2026-46124 affects the Linux kernel isofs filesystem. The vulnerability arises because isofs_fh_to_dentry/isofs_fh_to_parent pass an attacker-controlled block number from an NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget and sb_bread. A crafted...
CVE-2026-46155
CVE-2026-46155 affects the Linux kernel SMB client. The vulnerability is an out-of-bounds read in smb2_compound_op() caused by memcpy reading size[0] (OutputBufferLength) when iov_len is smaller than that length after a truncated server response. This can leak adjacent kernel heap memory. Impact ...
CVE-2026-46113
CVE-2026-46113 (Linux kernel KVM x86 shadow paging use-after-free) is a resolved vulnerability in the KVM shadow paging path. The issue arises when the shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index and guest page-table modifications between VM entries can c...
CVE-2026-46137
CVE-2026-46137 affects the Linux kernel MPTCP implementation. The mptcp_pm_add_timer() helper runs as a timer callback in softirq context and can race with socket state unless the socket lock is held with bh_lock_sock(). The mitigation is to hold the lock and retry if the socket is in use, mirror...
CVE-2026-46181
Summary: CVE-2026-46181 concerns the Linux kernel RDMA/mlx4 component. The root cause is improper use of Read-Copy Update (RCU) in mlx4_srq_event(), which could allow a race where an event is delivered before the srq object is fully initialized, potentially crashing the system. The documented fix...
CVE-2026-46215
The CVE concerns a race condition in the Linux kernel’s DRM change_handle path. A concurrent gem_close could remove one handle while another remained dangling, enabling a use-after-free. The fix uses the same sequence as gem_close: first replace the old handle with NULL via idr_replace, then, if ...
CVE-2026-46116
CVE-2026-46116 affects the Linux kernel xfrm subsystem (xfrm_state). The root cause is a local-use-after-free in __xfrm_state_delete due to unsafe deletions from byseq/byspi hash chains. The patch changes deletions to hlist_del_init_rcu and uses hlist_unhashed() checks, preventing writes after LI...
CVE-2026-46206
The CVE-2026-46206 issue affects the Linux kernel’s batman-adv implementation, where the tp_meter component could start new sender or receiver sessions after mesh_state had exited BATADV_MESH_ACTIVE during teardown. The vulnerability stems from improper state management in batman-adv/tp_meter, po...
CVE-2026-43501
CVE-2026-43501 - Linux kernel IPv6 SRH headroom bug : The issue occurs in ipv6_rpl_srh_rcv() when decompressing and recompressing RFC 6554 Source Routing Headers, where the recompressed IPv6 header can grow beyond the received header. The root cause is an unsafe headroom handling in pskb_expand_h...
CVE-2026-46090
CVE-2026-46090 affects the Linux kernel ALSA aloop driver. A use-after-free in loopback_check_format() can occur when playback starts with parameters that no longer match a running capture stream, while a concurrent close may detach or free the runtime. The issue arises after a patch that moved t...
CVE-2026-46174
In CVE-2026-46174, the Linux kernel vulnerability affects x86/CPU/AMD Zen2 by allowing improper isolation of shared resources in the Zen2 op cache, potentially leading to instruction corruption. The issue has been resolved in the Linux kernel, with Debian and Root packaging advisories noting fixe...
CVE-2026-31700
Summary (CVE-2026-31700): In the Linux kernel, a TOCTOU race in tpacket_snd() when PACKET_VNET_HDR is enabled allows a user-space race on vnet_hdr fields between validation and use, bypassing safety checks. The vulnerability affects the mmap’d TX ring buffer where vnet_hdr points into user-contro...
CVE-2026-46145
The CVE-2026-46145 vulnerability affects the Linux kernel, specifically the RDMA/mana component. A user-supplied rx_hash_key_len value supplied via a uAPI structure is blindly passed to memcpy, enabling localized kernel memory corruption if bounds checks are not enforced. Reports from multiple so...
CVE-2026-46238
CVE-2026-46238 affects the Linux kernel’s BAT IV implementation via the batman-adv subsystem. The issue stems from caching an auxiliary originator pointer derived from a temporary lookup in neigh_node state, where the pointer can be freed or become stale after purge handling. The documented fix i...
CVE-2026-46117
CVE-2026-46117 affects the Linux kernel RDMA/mana component. The issue arises when a user can configure Work Queues to share the same Completion Queue via the uAPI, which triggers a user-writable WARN_ON() and can lead to kernel corruption. The vulnerability has been resolved by removing the trig...
CVE-2026-46132
CVE-2026-46132 - Linux kernel on multiple distros : The flaw is a stack information leak in net/rtnetlink when reporting VF info via IFLA_VF_BROADCAST. A local unprivileged process can trigger RTM_GETLINK and copy a partially uninitialized 32-byte field (vf_broadcast) from the stack, leaking up t...
CVE-2026-31787
CVE-2026-31787 affects the Linux kernel, specifically the xen/privcmd mapping flow. The root cause is a double-free in the VMA splitting path when userspace performs partial munmap() on a privcmd mapping. Because privcmd_vm_ops defines .close but not .may_split or .open, the kernel may_split() pe...
CVE-2026-46180
CVE-2026-46180 concerns a use-after-free in wifi brcmfmac when stopping the watchdog task in the Linux kernel. The vulnerability is addressed by increasing the watchdog task reference count before send_sig() and then dropping it with kthread_stop_put(). Connected OSV entries show patches in Root:...
CVE-2026-46227
CVE-2026-46227 describes a race in the Linux kernel SCTP SENDALL path. The sctp_sendmsg() loop over ep->asocs caches the next entry in @tmp, then calls sctp_sendmsg_to_asoc() after dropping the socket lock, allowing a second thread to peel off the cached association and migrate it to a new end...
CVE-2026-46149
Summary: CVE-2026-46149 affects the Linux kernel SCSI target subsystem, specifically the configfs path in tg_pt_gp_members_show(). The function formats LUN paths with snprintf() into a 256-byte stack buffer and then copies cur_len bytes via memcpy(), but snprintf() may return a length that exceed...
CVE-2026-46150
The CVE-2026-46150 issue affects the Linux kernel fanotify subsystem. It arises because fsnotify_get_mark_safe() may return false for a mark in an unrelated group, bypassing the permission check. The fix patches the logic to skip detached marks that are not in the current group, mitigating the by...
CVE-2026-46152
CVE-2026-46152 affects the Linux kernel’s wifi/mac80211 subsystem. The root cause is that ieee80211_invoke_fast_rx() uses a static per-invocation rx_result, causing concurrent callers to share a single instance and potentially overwrite results between ieee80211_rx_mesh_data() and the switch on r...
CVE-2026-46173
CVE-2026-46173 concerns the Linux kernel. The issue arises when an already-exiting task oopses and make_task_dead() calls do_task_dead() with preemption enabled, while __schedule() must be called with preemption disabled. If a preempted oopsing task is still in the dead-state, finish_task_switch(...
CVE-2026-46177
The CVE-2026-46177 issue affects the Linux kernel IPMI driver. It describes a vulnerability where the driver could continuously fetch events and receive messages from the BMC (or become stuck) due to the BMC not signaling completion or the attn bit getting stuck. The documented fix limits event/m...
CVE-2026-31717
In the Linux kernel ksmbd, a vulnerability allows an authenticated user to hijack an orphaned durable handle by reconnecting with a different security context. The issue stems from ksmbd not verifying that the requester’s SecurityContext matches the original opener when a durable handle is reconn...
CVE-2026-31786
The CVE-2026-31786 issue affects the Linux kernel in drivers/xen/sys-hypervisor.c, where HYPERVISOR_xen_version(XENVER_build_id) returned a build_id that is not NUL-terminated, causing a buffer overflow via sprintf in buildid_show. The root cause is that the build_id was not treated as a proper s...
CVE-2026-43490
The CVE-2026-43490 entry concerns the Linux kernel ksmbd SMB server. The flaw arises in smb_inherit_dacl() where the code validates a fixed SID header but not the variable-length SID described by sid.num_subauth, allowing a malformed inheritable ACE to advertise more subauthorities than present. ...
CVE-2026-46273
The CVE-2026-46273 entry describes a Linux kernel vulnerability in the ibmveth driver affecting Power systems: GSO offload fails when MSS < 224 bytes, potentially freezing the network adapter and causing DoS until a manual reset. The fix adds an ndo_features_check to disable GSO for MSS 1; si...
CVE-2026-46033
The CVE-2026-46033 issue in the Linux kernel crypto/authencesn was fixed: authenc ESN paths require either a zero authsize or an authsize of at least 4 bytes, but a later path could copy digestsize into inst->alg.maxauthsize without validation, allowing ahash digests of 1–3 bytes (e.g., cbcmac...
CVE-2026-46167
CVE-2026-46167 – Linux kernel usb/usblp heap leak : The vulnerability stems from an uninitialized status buffer (statusbuf) allocated at probe time for LPGETSTATUS. If a malicious printer returns zero bytes, a stale 8-byte heap region could be copied to userspace via LPGETSTATUS, causing a heap l...
CVE-2026-46178
The CVE-2026-46178 entry concerns the Linux kernel RDMA/mlx4 component. A resource leak could occur during error handling in mlx4_ib_create_srq(), because mlx4_srq_alloc() was not undone during error unwinding. The fix adds a call to mlx4_srq_free() to properly release the resource when an error ...
CVE-2026-46189
CVE-2026-46189 affects the Linux kernel RDMA pvrdma component (pvrdma_alloc_ucontext). The issue is a double free: pvrdma_uar_free() is invoked in pvrdma_dealloc_ucontext() and is erroneously called before, creating a double free condition. Concrete fixes exist in OSV entries for multiple distrib...
CVE-2026-46112
CVE-2026-46112 relates to the Linux kernel RDMA/hns driver. The vulnerability arises from an unlocked call to hns_roce_qp_remove() during error unwinding in hns_roce_create_qp_common(), where the caller did not hold the required locks, risking memory corruption. The fixes synchronize by grabbing ...
CVE-2026-46157
The CVE-2026-46157 entry concerns the ALSA PCM OSS subsystem in the Linux kernel, where runtime.oss.trigger could be accessed concurrently without protection, causing a data race on a bit field and risking corruption of adjacent fields. The issue is addressed by extending the existing params_lock...
CVE-2026-46166
The CVE-2026-46166 affects the Linux kernel’s wireless subsystem (mac80211) in the radar detect work. The root cause is unsafe list iteration during radar processing, where ieee80211_dfs_cac_cancel can free the iterated chanctx and remove it from the list, causing a slab-use-after-free. A guarded...
CVE-2026-46182
The CVE-2026-46182 issue affects the Linux kernel component pseries/papr-hvpipe . The root cause is that a local kernel stack variable hdr (papr_hvpipe_hdr) is allocated on the stack and only hdr.version and hdr.flags are initialized, leaving reserved padding bytes uninitialized. When copied to u...
CVE-2026-45835
CVE-2026-45835: In the Linux kernel, Bluetooth L2CAP code is vulnerable to a NULL pointer dereference in l2cap_sock_new_connection_cb() due to a missing NULL guard. The fix adds the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(), addressing the null-ptr-deref ...
CVE-2026-46110
CVE-2026-46110 affects the Linux kernel stmmac driver. When RX memory is exhausted, stmmac_rx() could misinterpret descriptors (full vs dirty), risking a NULL pointer dereference and potential kernel panic. The fix adds an explicit check to bail out when the next RX descriptor is dirty before adv...
CVE-2026-46133
The CVE-2026-46133 issue affects Linux kernel’s Soft RoCE (RDMA/rxe) where an unauthenticated UDP packet with an unknown opcode could trigger an out-of-bounds read during ICRC/CRC processing due to missing validation of opcodes before length arithmetic. The advisory describes that entries in the ...