371 matches found
CVE-2026-31718
The CVE-2026-31718 entries describe a use-after-free in ksmbd (Linux kernel in-kernel SMB3 server) triggered when a durable file handle survives a session disconnect. The root cause is an asymmetric cleanup of lock state: byte-range locks left on a freed conn->lock_list after fp->conn is nu...
CVE-2026-46035
CVE-2026-46035 affects the Linux kernel on UP (non-SMP) configurations and describes a vulnerability in mm/page_alloc. The issue arises because on UP, spin_trylock() is a no-op and may always succeed even if the lock is held, allowing alloc_frozen_pages_nolock() invoked from NMI to re-enter rmque...
CVE-2026-46104
Linux kernel CVE-2026-46104 affects SELinux socket permission helpers. The vulnerability arises because sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly, assuming the SELinux socket blob is at offset zero. In stacked LSM configurations this assumption fa...
CVE-2026-46158
The CVE-2026-46158 issue is in the Linux kernel MPTCP implementation: when ADD_ADDR is retransmitted, the socket reference count may not be released reliably, creating a potential resource leak. The fix adds a proper exit path to call sock_put (__sock_put) at the end of the handling and removes a...
CVE-2026-52932
In CVE-2026-52932, the Linux kernel xfrm IPcomp path contains a fix to ensure that the allocated destination scatter-gather (dst SG) list is freed on error as well as on success, preventing potential resource leaks. The root cause is improper memory deallocation during error handling in the xfrm ...
CVE-2026-53147
The CVE-2026-53147 issue affects the Linux kernel Thunderbolt XDomain handling. tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without confirming that the allocation is large enough for the target type. A peer could send a minimal XDomain packet that passes ...
CVE-2026-53154
The CVE-2026-53154 issue affects the Linux kernel mm/hugetlb path where, on error during copy of huge pages, the per-VMA reservation can leak despite free_huge_folio() restoring the global pool. Concrete details from connected sources show that two code paths allocate a hugetlb folio (alloc_huget...
CVE-2026-53182
CVE-2026-53182 affects the Linux kernel nl80211: rejects oversized EMA RNR lists in nl80211_parse_rnr_elems, using a u8 counter and capping at 255 to align with the underlying data structure. Several advisories (Red Hat, Debian family, Ubuntu OSV entries, and Root) confirm patches are released in...
CVE-2026-53193
CVE-2026-53193 concerns the Linux kernel ALSA timer component. When a snd_timer object is freed via snd_timer_free() while there are still pending snd_timer_instance entries linked to it, slave instances may continue to point at the freed timer, creating a use-after-free condition. The vulnerabil...
CVE-2026-53222
In the Linux kernel, CVE-2026-53222 relates to the ptp: ocp driver. The root cause was use-after-free during driver removal caused by freeing resources in ptp_ocp_detach() before ptp_clock_unregister(), after a change that disables events via ptp_disable_all_events(). The fix changes the free/unr...
CVE-2026-53256
CVE-2026-53256 concerns the Linux kernel Bluetooth RFCOMM implementation. A race in rfcomm_connect_ind() can cause a use-after-free when handling listener sockets: rfcomm_get_sock_by_channel() may drop the list lock without holding a reference, and subsequent operations may free the listener befo...
CVE-2026-31696
Summary (CVE-2026-31696) : In the Linux kernel’s rxrpc code, the non-XDR key parsing path (rxrpc_preparse()) lacked a validation check for ticket length, unlike the XDR path. This allowed an unprivileged user to supply a very large ticket length, causing the computed total token size (toksize) to...
CVE-2026-46154
CVE-2026-46154 affects the Linux kernel sched_ext functionality. Root cause: in cgroup setters, scx_group_set_{weight,idle,bandwidth}() cache the scx_root before acquiring scx_cgroup_ops_rwsem, enabling a window where the pointer can become stale if a scheduler is disabled and freed (via RCU) and...
CVE-2026-46210
The CVE-2026-46210 issue affects the Linux kernel Iris media driver. A race between per-instance locks (inst->lock) and the core list lock (core->lock) allows a use-after-free during MBPF checks: MBPF iterates the core list and reads fields like fmt_src->width/height while iris_close() m...
CVE-2026-52926
CVE-2026-52926 affects the Linux kernel component used by batman-adv. The root cause is in batman-adv teardown: batman-adv/batadv_gw_node_free() removes entries from the gateway list but does not clear the currently selected gateway. This leaves a stale gateway reference in bat_priv->gw.curr_g...
CVE-2026-53246
CVE-2026-53246 : In the Linux kernel SCTP implementation, a vulnerability exists in how COOKIE_ECHO payloads are processed. The cached peer INIT chunk embedded after the cookie could have its header length inflated without proper validation, allowing the parameter walk (via sctp_walk_params/sctp_...
CVE-2026-53266
The CVE-2026-53266 entry concerns the Linux kernel netfilter bridge path, where ebt_snat ARP sender hardware address rewrite could be performed on non-writable memory. Root cause: ARP SHA is written via skb_store_bits() relative to skb->data, and skb_header_pointer() only safely reads the ARP ...
CVE-2026-53284
CVE-2026-53284 (Linux kernel, btrfs): The issue arises in btrfs_write_and_wait_transaction() where, after an error from btrfs_write_marked_extent(), the code still calls btrfs_extent_io_tree_release() to clear the dirty_pages io tree. This tree may contain records not yet submitted, and subsequen...
CVE-2026-53293
CVE-2026-53293 : In the Linux kernel’s AMDGPU driver, the AMDGPU_INFO_READ_MMR_REG path had multiple issues: an incorrect order between the reset semaphore and the mm_lock (e.g., copy_to_user was called while holding the lock), memory allocation while holding the reset semaphore (risking deadlock...
CVE-2026-53325
CVE-2026-53325 affects the Linux kernel’s AGP AMD64 driver. The root cause is broken error propagation in agp_amd64_probe(): when no AMD northbridges are found, cache_nbs() returns a negative error code (e.g., -ENODEV), but the probe incorrectly checks for exactly -1. This allows initialization t...
CVE-2026-46105
CVE-2026-46105 affects the Linux kernel mpt3sas SCSI driver. The driver allocates a fixed 4K PRP list buffer, which caps the maximum NVMe I/O transfer size at 2 MiB. The HBA firmware reports NVMe MDTS, but the mismatch with the 2 MiB limit can lead to oversized I/O requests and potentially a kern...
CVE-2026-52927
Summary (CVE-2026-52927) Linux kernel: netfilter/ebtables: fix OOB read in compat_mtw_from_user. The issue arises from insufficient validation of user-supplied match_size/target_size when converting 32-bit user structures to kernel-native structures in compat_from_user(). If an extension provides...
CVE-2026-52944
Technical details are not publicly available in the provided documents. The CVE describes a permission bypass in ksmbd/fsctl_set_sparse, but no concrete affected products/versions/fixes are included here. Monitor for updates and vendor advisories.
CVE-2026-53134
A vulnerability in the Linux kernel netfilter NFT_FIB code (CVE-2026-53134) could leak uninitialized kernel stack via the OIFNAME result register on certain lookup-fail paths. The issue stems from NFT_FIB_RESULT_OIFNAME writes only a single byte and leaves the remaining IFNAMSIZ span stale in nft...
CVE-2026-53167
CVE-2026-53167 affects the Linux kernel’s FUSE path: FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios since !uptodate folios may contain uninitialized data. The vulnerability is scoped to systems without automatic page-alloc zero init (CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1). E...
CVE-2026-53255
CVE-2026-53255 (Linux kernel) concerns a Bluetooth MGMT TLV parsing bug: tlv_data_is_valid() may read one byte past the advertising data when a malformed field’s length byte is at the buffer end, due to validating element length before verifying the type byte. This can enable local exploitation w...
CVE-2026-53276
The CVE-2026-53276 entry concerns the Linux kernel Bluetooth ISO stack. A use-after-free occurs in iso_sock_rebind_bc where the bis pointer is cached and the socket lock is released before traversals, allowing a concurrent close() to free the hci_conn and its bis structure. The code then accesses...
CVE-2026-53150
CVE-2026-53150 affects the Linux kernel Thunderbolt validator. The bug arises when tb_property_entry_valid() accepts zero-length TEXT entries for DIRECTORY/DATA/TEXT, enabling a null-termination underflow (writes at property->value.text[length*4 - 1] with length 0). A fix rejects zero-length e...
CVE-2026-53236
CVE-2026-53236 affects the Linux kernel where a patch restricts SO_ATTACH_FILTER (cBPF) usage on TCP sockets to CAP_NET_ADMIN, mitigating a potential side-channel leaking TCP sequence/ACK data. Debian/Ubuntu entries show patches across newer kernel builds (e.g., Linux 6.1 series with 6.1.176-1~de...
CVE-2026-52931
CVE-2026-52931 — Linux kernel (batman-adv tp_meter): The vulnerability arises when batadv_tp_recv_ack() or batadv_tp_stop() are invoked with a tp_vars in the BATADV_TP_RECEIVER role. In that case, code paths access sender-only members that were never initialized, causing undefined behavior. The f...
CVE-2026-53161
The CVE-2026-53161 entry concerns a use-after-free in the Linux kernel fastrpc subsystem. A race between fastrpc_device_release() (on file close) and the workqueue processing DSP responses can free the fastrpc_user while an in-flight DSP invocation is completing, leading to dereferencing freed co...
CVE-2026-53181
CVE-2026-53181 affects the Linux kernel vsock/vmci stack. On failing handshake, vmci_transport_recv_listen() could leave sk_ack_backlog incremented (due to missing sk_acceptq_removed() call), allowing backlog growth toward sk_max_ack_backlog and a possible listener denial of new connections (-ECO...
CVE-2026-53195
The CVE-2026-53195 issue affects the Linux kernel USB: serial: io_ti driver. build_i2c_fw_hdr() allocates a fixed buffer and copies img_header->Length (up to 65535) without validating it against remaining space, enabling a potential heap overflow. The root cause is that check_fw_sanity() valid...
CVE-2026-53211
CVE-2026-53211 (Linux kernel netfilter nft_meta_bridge) : The NFT_META_BRI_IIFHWADDR destination register is declared as 6 bytes but tracked as two 32-bit registers (8 bytes). In nft_meta_bridge_get_eval(), a memcpy writes 6 bytes of br_dev->dev_addr, leaving the upper 2 bytes of the second re...
CVE-2026-53212
The CVE-2026-53212 issue affects the Linux kernel nft_tunnel implementation within netfilter, where nft_tunnel_obj_destroy() used metadata_dst_free() to free a metadata_dst, bypassing dst_entry refcount accounting. This could leave in-flight packets that hold references (via dst_hold()) dangling,...
CVE-2026-53216
The CVE-2026-53216 issue affects the Linux kernel mvpp2 XDP path. Short pool buffers can be smaller than PAGE_SIZE, yet XDP initially sets every xdp_buff frame size to PAGE_SIZE. The XDP helpers then use frame_sz to validate tail growth, which, with an oversized frame, can allow bpf_xdp_adjust_ta...
CVE-2026-53239
The CVE-2026-53239 issue is a Linux kernel use-after-free in the xfrm policy path, specifically in xfrm_policy_bysel_ctx(). A race between CPU0 deleting a policy and CPU1 rebuilding inexact policy bins can lead to UAF of the inexact bin, causing potential system instability or DoS. The fix prunes...
CVE-2026-53250
CVE-2026-53250 : In the Linux kernel, the xsk_skb_metadata() path is vulnerable to a TOCTOU race in which csum_start and csum_offset are read from shared UMEM and then read again for skb assignment. A malicious userspace process can overwrite values between reads, bypassing bounds checks and caus...
CVE-2026-53263
CVE-2026-53263 is reported in OSV entries as affecting the rootio-linux package in Ubuntu/Debian environments, with patches available in multiple fixed versions (e.g., Root:Ubuntu:22.04 and Root:Ubuntu:24.04; Debian 11/12 tracks). The Debian/Ubuntu Nessus OSV entries note patches for these distri...
CVE-2026-53264
CVE-2026-53264 concerns the Linux kernel’s networking scheduler (net/sched) where a race between simultaneous NEWTFILTER and DELFILTER operations can lead to a use-after-free of an action. The provided description and patches state that final freeing of the action was incorrectly performed withou...
CVE-2026-53267
The CVE-2026-53267 entry concerns a Linux kernel netfilter nft_ct use-after-free style issue where a per-CPU template conntrack entry can be treated as a real ct, causing a 16-byte memcpy path to overflow the kernel stack when using NFT_REG32_15. The root cause is that a template ct is not reject...
CVE-2026-53287
CVE-2026-53287 affects the Linux kernel audit CAPSET path. A copy-paste bug in __audit_log_capset() writes cap_pi (inheritable) with cap_effective, corrupting inheritable audit data and enabling privilege-escalation prep in the audit trail. The issue is fixed in the Linux kernel; patches exist in...
CVE-2026-53290
CVE-2026-53290 relates to the Linux kernel DRM subsystem (xe/stall path). The issue occurs in xe_eu_stall_stream_close() where drm_dev_put() is invoked before the stream is disabled and its resources freed. If this drops the last reference, device structures may be freed while subsequent cleanup ...
CVE-2026-31697
The CVE-2026-31697 entry concerns the Linux kernel crypto: ccp driver. The issue arises when retrieving the CPU ID: if the firmware command fails (notably with an invalid length), copying the firmware ID to userspace can overflow a kernel buffer and leak data to userspace. Public reports describe...
CVE-2026-52912
The CVE-2026-52912 affects the Linux kernel netfilter nf_queue handling of bridge LOCAL_IN traffic. br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing, allowing a queued bridge packet to retain a freed bridge master in skb->dev. On reinjection, b...
CVE-2026-52922
CVE-2026-52922 affects batman-adv in the Linux kernel. The root cause is that batadv_dat_forward_data() duplicates an skb via pskb_copy_for_clone() but does not verify the allocation result before passing the skb to batadv_send_skb_prepare_unicast_4addr(), which can dereference a NULL skb and tri...
CVE-2026-52930
CVE-2026-52930 (Linux kernel) : The issue is in ipc/shm: orphan cleanup cleanup of shm segments. shm_nattch was updated while holding shm_perm.lock, but shm_destroy_orphaned() traversed shm_ids(ns).rwsem, leading to a race where an orphaned segment could be considered removable before the destina...
CVE-2026-53153
CVE-2026-53153 affects the Linux kernel memcg list_lru path. A race during memcg_reparent_list_lrus() clears the dying memcg’s xarray entry before reparenting per-node lists, letting concurrent list_lru_del/walk operate on the parent and corrupt next/prev pointers. The fix reverses the order: rep...
CVE-2026-53168
The CVE-2026-53168 issue affects the Linux kernel FUSE implementation. It concerns fuse_notify() pagecache operations on directories, where FUSE_NOTIFY_STORE/RETRIEVE could allow the FUSE daemon to access pagecache contents in kernel-internal storage for directories using FOPEN_CACHE_DIR. The fix...
CVE-2026-53191
CVE-2026-53191 affects the Linux kernel io_uring/net path. In bundle recv retries (with incremental mode and provided buffer rings IOU_PBUF_RING_INC), a memory handling bug caused IORING_CQE_F_BUF_MORE to be dropped during flag merge, allowing the kernel to leave a stale BUF_MORE in carried flags...