371 matches found
CVE-2026-46213
The CVE-2026-46213 issue affects the Linux kernel HID Apple keyboard driver (appletb-kbd). A use-after-free (UAF) in the inactivity-timer cleanup path during driver tear-down was fixed by reordering teardown: (1) call hid_hw_close()/hid_hw_stop() before backlight cleanup to prevent late callbacks...
CVE-2026-53202
The CVE-2026-53202 issue affects the Linux kernel component accel/ivpu in IPC receive handling. It describes a signed integer truncation when data_size from firmware is cast to a signed int, leading to a potential unsigned wraparound with large values (≥ 0x80000000). This could enable oversized m...
CVE-2026-53245
CVE-2026-53245 affects the Linux kernel in net/802/mrp due to a parsing logic error in mrp_pdu_parse_vecattr. The vector-attribute event encoding and valen handling could cause out-of-sync FirstValue processing and misapplication of events, leading to corruption of offsets during PDU parsing and,...
CVE-2026-31714
The CVE-2026-31714 issue affects the Linux kernel F2FS component, where a memory leak occurs in f2fs_rename() due to an unpaired call to f2fs_free_filename() after f2fs_setup_filename() was added in commit 40b2d55e0452. Exploitation details are local (AV:L/AC:L) with a high availability impact (A...
CVE-2026-46048
CVE-2026-46048 relates to a leak in the Linux kernel ALSA caiaq driver. The issue arises because create_card() takes a usb_get_dev() reference to a USB device and stores the corresponding usb_put_dev() in card_free(), which is registered as snd_card’s private_free destructor. However, private_fre...
CVE-2026-46107
In Linux kernel dm-thin, a metadata refcount underflow in rebalance_children has been resolved. If an internal btree node with a single entry is shared (refcount > 1), downgrading the child without updating grandchildren leads to mismatched reference counts and can produce device mapper: space...
CVE-2026-46144
The CVE-2026-46144 entry concerns the Linux kernel RDMA mana driver. A resource leak occurs during error unwind in mana_ib_create_qp_rss(), where mana_ib_cfg_vport_steering() is not properly cleaned up; this could cause resource exhaustion (DoS). The issue has been fixed in the kernel (patched), ...
CVE-2026-46201
CVE-2026-46201 affects the Linux kernel drm/xe: an error path in xe_gem_prime_import() leaks a dma_buf attachment when xe_dma_buf_init_obj() fails, because the attachment from dma_buf_dynamic_attach() is not detached. The fix explicitly detaches via dma_buf_detach() before returning an error, avo...
CVE-2026-46278
CVE-2026-46278 : In the Linux kernel, the drm/imagination driver fixes a segfault when updating the ftrace mask and corrects invalid data handling for a debugfs entry. The vulnerability manifested as a NULL pointer dereference leading to an Oops under kernel memory access, with a trace citing pvr...
CVE-2026-46297
CVE-2026-46297 corresponds to a Linux kernel issue in net: libwx regarding VF misc interrupts. The vulnerability arose from using request_threaded_irq() with a primary handler and a NULL threaded handler while setting IRQF_ONESHOT, which triggers a kernel warning (genirq: Warn about using IRQF_ON...
CVE-2026-46309
The CVE-2026-46309 entry describes a Linux kernel issue in drm/xe/uapi where PAT indices with XE_COH_NONE coherency are rejected for CPU cached memory in madvise. The fix adds validation in xe_vm_madvise_ioctl() to prevent using coh_none on CPU cached buffers, as such usage could allow a GPU to b...
CVE-2026-53148
The CVE affects the Linux kernel Thunderbolt driver (tb_xdp_properties_request) where per-packet copy length is derived from the response header without bounds checking against the allocated data buffer, causing a potential out-of-bounds memcpy and memory corruption. The issue can lead to denial ...
CVE-2026-53152
CVE-2026-53152 affects the Linux kernel dw_mmc-rockchip driver. Older RK SoCs (rk2928, rk3066, rk3188) lacked required private data, leading to NULL-pointer dereferences when the init code accessed missing phase/driver data. The vulnerability is resolved by the commit ff6f0286c896, which adds the...
CVE-2026-53159
CVE-2026-53159 affects the Linux kernel in the misc: fastrpc path. The vulnerability arises in fastrpc_get_args(), which uses find_vma() to locate the VMA for a user pointer and compute a DMA address offset. If the address lies in a gap before the returned VMA, the expression (ptr & PAGE_MASK) - ...
CVE-2026-53180
CVE-2026-53180 involves a Linux kernel timers/migration livelock. The issue arises when tmigr_handle_remote_cpu() skips timer_expire_remote() if cpu == smp_processor_id(), under the incorrect assumption that the local softirq path already handled this CPU’s timers. Jiffies can advance after local...
CVE-2026-53215
CVE-2026-53215 affects the Linux kernel mvpp2 driver: the RX path could return a descriptor buffer to the hardware Buffer Manager after it had been handed to XDP or an skb, allowing DMA into memory no longer owned by the RX ring. Root cause is improper handling of RX buffers in mvpp2_rx_refill() ...
CVE-2026-43497
The CVE-2026-43497 issue affects the Linux kernel fbdev path (udlfb/dlfb) where dlfb_ops_mmap maps vmalloc framebuffer pages without vm_ops, preventing mmap tracking. This allowed stale user PTEs to coexist with freed kernel pages after dlfb_realloc_framebuffer() via FBIOPUT_VSCREENINFO, causing ...
CVE-2026-46111
The CVE concerns a use-after-free in the Linux kernel Bluetooth stack (hci_conn, BIG creation). The patch adds hci_conn_valid() in create_big_sync() to detect stale connections before BIG creation, handles -ECANCELED in create_big_complete(), and re-validates under hci_dev_lock() before dereferen...
CVE-2026-46121
The CVE-2026-46121 issue affects the Linux kernel DAMON sysfs interface (mm/damon/sysfs-schemes). A race between reads and writes of memcg_path and path can lead to a use-after-free when a user reads or writes the sysfs files while a buffer is being deallocated. The root cause is that user-direct...
CVE-2026-52919
CVE-2026-52919 affects the batman-adv component in the Linux kernel. The root cause is an underflow of the atomic counter “sending” in batadv_tp_sender_shutdown(), which is decremented unconditionally and can become -1 when multiple code paths call it. A negative value causes the sender kthread t...
CVE-2026-53218
CVE-2026-53218 affects the Linux kernel netfilter nft_exthdr path. The root cause is a mismatch in register initialization: nft_exthdr_init() passes priv->len to nft_parse_register_store(), which marks that many bytes as initialized, but when NFT_EXTHDR_F_PRESENT is set the eval paths write on...
CVE-2026-53221
Linux kernel CVE-2026-53221 affects ip6_vti’s vti6_tnl_lookup() where, after an exact tunnel match fails, the fallback search for wildcard tunnels did not consistently verify that candidate tunnels actually have wildcard addresses. This mismatching happens because all tunnel types are stored in a...
CVE-2026-53225
The CVE-2026-53225 entry describes a Linux kernel SCTP vulnerability in __sctp_rcv_asconf_lookup() where an unauthenticated peer can send a truncated ASCONF chunk; the code may read 16 bytes of uninitialized memory past the address parameter when the chunk’s length is misdeclared. Affected compon...
CVE-2026-53274
CVE-2026-53274 affects the Linux kernel net/smc code. A logic flaw in __smc_setsockopt() allowed a local unprivileged user to cause a Denial of Service by keeping the socket lock held during a copy_from_sockptr() operation. The vulnerability occurs because the copy is performed while holding lock...
CVE-2026-53277
CVE-2026-53277 – Linux kernel (arm64 KVM) : A flaw where certain page-table walk operations (walk_s1 and kvm_walk_nested_s2) did not acquire the Sleepable RCU lock (SRCU) via kvm->srcu, risking memslot changes and potential instability during fault injection and Address Translation emulation. ...
CVE-2026-53281
The CVE-2026-53281 entries describe a Linux kernel IOMMU VT-d issue where NULL pointer dereference or refcount corruption could occur during teardown if dev_pasid was not found in the dev_pasids list or if domain was never attached. The root cause was improper teardown execution after potential N...
CVE-2026-31699
Technical details about CVE-2026-31699 are not publicly available in the provided documents. Monitor for updates from OSV, Red Hat, SUSE, Debian and other trackers for affected products and fixes.
CVE-2026-43495
CVE-2026-43495 concerns the Linux kernel net/wwan/t7xx subsystem. The issue arises in t7xx_port_enum_msg_handler, which uses a modem-provided port_count to loop over port_msg->data[] without ensuring the message buffer is long enough, enabling a potential slab-out-of-bounds read when port_coun...
CVE-2026-46029
In the Linux kernel, CVE-2026-46029 describes a race within the slab allocator where kmalloc_nolock() called from NMI on uniprocessor (UP) configurations can re-enter the allocator and acquire n->list_lock that the interrupted context already holds, corrupting slab state and potentially causin...
CVE-2026-46127
CVE-2026-46127 affects the Linux kernel RDMA/ocrdma; the bug is a NULL dereference in ocrdma_copy_pd_uresp() when uctx is uninitialized, potentially causing a crash. Connected sources indicate patches exist in multiple OSV entries (Root:rootio-linux for Ubuntu 24.04 and Debian 11/12, OpenSUSE/ope...
CVE-2026-46165
CVE-2026-46165 affects the Linux kernel openvswitch vport code, where a self-deadlock could occur on tunnel port release due to improper ordering between RCU callbacks and RTNL/normally synchronized code paths. The root cause: vports are protected by RCU and must have netdev_put() after the RCU g...
CVE-2026-46172
** CWE-XXXX**: CVE-2026-46172 affects the Linux kernel IPv6 xfrm6 path. The issue occurs in xfrm6_rcv_encap() during an IPv6 route lookup when a dst is not yet attached; ip6_route_input_lookup() can return a dst with an error, and if dst->error is set, the skb is dropped without attaching/rele...
CVE-2026-46183
CVE-2026-46183 affects the Linux kernel DAMON sysfs code. The vulnerability is a use-after-free in damon_sysfs_quot_goal->path: user reads/writes to the sysfs 'path' file can deallocate the underlying buffer, and current protection only guards parameter reads during commit; direct user access ...
CVE-2026-46216
The CVE-2026-46216 issue affects the Linux kernel drm/xe/hdcp module. When media GT is disabled via configfs, media_gt may be NULL, causing intel_hdcp_gsc_check_status() to dereference an invalid address and trigger a kernel pagefault. The fix adds a NULL check on media_gt and returns early if NU...
CVE-2026-46240
The CVE-2026-46240 issue affects the Linux kernel iris driver. A use-after-free occurs when iris_release_internal_buffers() accesses a buffer after session_release_buf() frees it, caused by a regression from a change that destroys internal buffers after FW releases. The documented fix sets BUF_AT...
CVE-2026-52924
The CVE-2026-52924 entry describes a Linux kernel SCTP use-after-free vulnerability triggered during Stale COOKIE-ECHO handling. In COOKIE_WAIT transitions, sctp_stream_update() can leave a stale out_curr pointer after rolling back from COOKIE_ECHOED to COOKIE_WAIT, so scheduler paths (FCFS/RR/PR...
CVE-2026-53265
The CVE-2026-53265 entry describes a Linux kernel race in the dm-cache policy SMQ path. A check-then-act race occurs in smq_invalidate_mapping where an e->allocated check was left outside the mq->lock after the destructive section was serialized; two concurrent invalidators can observe allo...
CVE-2026-46134
CVE-2026-46134 affects the Linux kernel cros_ec_typec component. The root cause is that cros_typec_register_thunderbolt() failed to initialize the adata->lock mutex, leading to a NULL dereference when the mutex is later acquired (for example in cros_typec_altmode_work). The issue is mitigated ...
CVE-2026-46142
The CVE-2026-46142 issue affects the Linux kernel’s net: libwx code, where reading the PF-restricted WX_CFG_PORT_ST register during VF initialization can trigger an illegal register access, potentially causing a system hang. The root cause is that a VF’s bus function ID can be read directly from ...
CVE-2026-46186
Summary: CVE-2026-46186 affects the Linux kernel Bluetooth virtio_bt driver. The vulnerability arises in virtbt_rx_handle(), which reads the leading pkt_type byte from RX skb and forwards the rest to hci_recv_frame() for multiple packet types without validating that the remaining payload is large...
CVE-2026-46192
CVE-2026-46192 concerns the Linux kernel spi: microchip-core-qspi driver, where transmitting garbage data during emulated read-only dual/quad operations could brick the QSPI transfer. The issue was resolved in the kernel, with reads handled by the core via clock cycles, removing the need to emit ...
CVE-2026-52937
CVE-2026-52937 concerns the Linux kernel where the tap_ioctl() path handling SIOCGIFHWADDR leaks kernel stack contents by copying 16 bytes of an uninitialised sockaddr_storage to userspace. Specifically, netif_get_mac_address() writes only sa_family and dev->addr_len (6 bytes), leaving sa_data...
CVE-2026-53189
CVE-2026-53189 affects the Linux kernel memory management for huge pages (mm/huge_memory). The vulnerability arises from the order of operations when splitting a huge PMD: the RSS/file counters are updated after releasing the folio reference, which can let freed folio state be observed by mm_coun...
CVE-2026-53224
The vulnerability CVE-2026-53224 affects the Linux kernel SCTP implementation. The issue arises from insufficient validation of embedded INIT chunks and address list lengths in cookies: sctp_unpack_cookie() may accept a truncated INIT chunk, and the subsequent sctp_process_init() could read INIT ...
CVE-2026-53275
CVE-2026-53275 affects the Linux kernel IPv6 multicast path (net/ipv6/mcast.c) during MLD query processing. A pointer to the multicast group address is captured during initial packet parsing but is not reloaded after skb header changes from pskb_may_pull(), leading to a use-after-free in __mld_qu...
CVE-2026-31698
CVE-2026-31698 affects the Linux kernel crypto CCP Sev driver. The issue arises when retrieving the PDH certificate: if a firmware command fails with an invalid length, the driver may copy data to userspace, causing a kernel-allocated buffer overflow and potential data leakage to the local user. ...
CVE-2026-31701
In CVE-2026-31701, the Linux kernel ALSA caiaq driver (USB audio) stored a pointer to the parent usb_device without a reference. The snd_usb_caiaq_card_free() path can run after the USB device is disconnected, dereferencing freed memory (use-after-free). The fix is to take a reference on the USB ...
CVE-2026-31719
CVE-2026-31719 concerns the Linux kernel crypto/krb5enc async decrypt path where the skcipher completion could bypass the hash verification, bypassing integrity checks. The root cause is krb5enc_dispatch_decrypt() signaling completion without invoking krb5enc_dispatch_decrypt_hash(). The fix adds...
CVE-2026-46035
CVE-2026-46035 affects the Linux kernel on UP (non-SMP) configurations and describes a vulnerability in mm/page_alloc. The issue arises because on UP, spin_trylock() is a no-op and may always succeed even if the lock is held, allowing alloc_frozen_pages_nolock() invoked from NMI to re-enter rmque...
CVE-2026-46104
Linux kernel CVE-2026-46104 affects SELinux socket permission helpers. The vulnerability arises because sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly, assuming the SELinux socket blob is at offset zero. In stacked LSM configurations this assumption fa...