371 matches found
CVE-2026-53192
CVE-2026-53192 — Linux kernel ALSA timer UAF fix The vulnerability affects the ALSA timer path (snd_timer_user_params) in the Linux kernel. A race can occur during timer object release when a concurrent SNDRV_TIMER_IOCTL_PARAMS ioctl is in flight, potentially leading to a use-after-free if anothe...
CVE-2026-53194
The CVE-2026-53194 entry covers a defect in the Linux kernel USB serial driver kl5kusb105 (klsi_105_prepare_write_buffer). The bug occurs when the generic write path uses the bulk-out buffer (size 64) and copies the payload from the write_fifo without reserving space for the 2-byte header, result...
CVE-2026-53198
The CVE-2026-53198 issue affects ksmbd in the Linux kernel: a deferred byte-range lock (SMB2_LOCK) uses async_work with a cancel_fn (smb2_remove_blocked_lock) and cancel_argv pointing to a file_lock. If a second SMB2_CANCEL arrives before release_async_work(), the cancel callback can run again on...
CVE-2026-53209
The CVE-2026-53209 issue affects the Linux kernel Bluetooth subsystem (hci_sync). When hci_adv_bcast_annoucement() tries to prepend the Broadcast Announcement service data to an already-full extended advertising payload, the combined data could exceed the temporary buffer used to rebuild advertis...
CVE-2026-53214
The CVE-2026-53214 entry concerns the Linux kernel IPv6 code. The vulnerability occurs when addrconf_get_prefix_route() can return the fib6_null_entry sentinel, which has a NULL fib6_table pointer. Before setting a route’s expiration time, the code must verify that it is not operating on the fib6...
CVE-2026-53288
CVE-2026-53288 affects the Linux kernel on arm64. The issue arises in the early kernel mapping where the final part of the data/end segment may overflow into the next page of init_pg_end, requiring an extra page reservation for kernel segments. The advisory explains that 4K-page early mappings ca...
CVE-2026-53296
CVE-2026-53296 is addressed in OSV entries for Root OS products, noting that the vulnerability in the rootio-linux component was patched in Ubuntu 22.04, Ubuntu 24.04, and Debian-based Root builds. Multiple fixed versions are available per the OSV records. The Debian/Ubuntu rootio-linux remediati...
CVE-2026-31713
The CVE concerns the Linux kernel FUSE handling during sync init. When a FUSE server exits unexpectedly while processing FUSE_INIT, the mounting thread keeps the device fd open, preventing an abort and causing filesystem creation to hang. This is a regression relative to the async mount path, whe...
CVE-2026-52916
CVE-2026-52916 affects the Linux kernel’s BATMAN-adv frag handling. A crafted BATADV_UNICAST_FRAG packet can defragment into another BATADV_UNICAST_FRAG, causing unbounded recursion in batadv_batman_skb_recv() and leading to kernel stack exhaustion. The published description specifies that refrag...
CVE-2026-53143
In the Linux kernel DRM/AMD KFD path, CVE-2026-53143 describes a buffer overflow during CRIU checkpoint/restore for SDMA queues on Navi3x. The v11 MQD manager used the larger v11_compute_mqd buffer (2048 bytes) for KFD_MQD_TYPE_SDMA, instead of the smaller v11_sdma_mqd (512 bytes), causing a 1536...
CVE-2026-53179
CVE-2026-53179 affects the Linux kernel, specifically the staging rtl8723bs driver. The vulnerability is a buffer over-read in rtw_update_protection: a pointer inside the ies buffer is used with the full ie_length, allowing reads beyond the intended data. This is a local impact issue with HIGH se...
CVE-2026-53220
CVE-2026-53220 affects the Linux kernel netfilter bridge path. ebt_redirect_tg() dereferences br_port_get_rcu() without a NULL check when a bridge port has been removed between the original hook and an NFQUEUE reinject, potentially causing a local kernel panic. Attack surface includes scenarios w...
CVE-2026-53232
The CVE-2026-53232 entry concerns the Linux kernel net: phy component. The root cause is that on PHY probing failure, the SFP upstream is not cleaned up, leaving a dangling upstream reference on the SFP bus. Impact is potential system instability or unexpected behavior during SFP events. The issu...
CVE-2026-53252
The CVE-2026-53252 affects the Linux kernel Bluetooth HCI path. Root cause: memory leak of SRCU percpu memory when device init fails before hci_register_dev(), due to not cleaning up the SRCU struct on the unregistered fallback path. Fix: call cleanup_srcu_struct() in bt_host_release() fallback b...
CVE-2026-53278
CVE-2026-53278 affects the Linux kernel arm_mpam component. The vulnerability arises when __destroy_component_cfg() is invoked from mpam_disable() before the configuration array has been allocated, causing a NULL pointer dereference. The function frees the configuration array and mbwu_state; sinc...
CVE-2026-53280
CVE-2026-53280 relates to the Linux kernel IOMMU path. A NULL dereference of group->domain could occur when a default IOMMU domain fails to allocate during the first probe, causing a crash at domain->ops->attach_dev in __iommu_attach_device() invoked by pci_dev_reset_iommu_done(). The co...
CVE-2026-53285
The CVE-2026-53285 issue concerns the Linux kernel drm/amd/display path, where dcn32_enable_phantom_plane() allocates ~335 KiB via kvzalloc() within an FPU-enabled, softirq-disabled region. This vmalloc flow can trigger BUG_ON(in_interrupt()), causing a kernel crash (DoS). The root cause is the l...
CVE-2026-53295
The CVE-2026-53295 entry covers a Linux kernel vulnerability in the mailbox subsystem: a missing sanity check for the mailbox channel array can lead to a dereference and an OOPS if no channel array is attached. The publicly provided connected sources confirm a patch/fix was applied in kernels and...
CVE-2026-43498
CVE-2026-43498 is a Linux kernel issue in the accel/ivpu path. The vulnerability stems from the ability to re-export imported GEM buffers; a fix adds a custom prime_handle_to_fd callback that checks if the GEM object is imported and returns -EOPNOTSUPP in that case. Under re-export scenarios, buf...
CVE-2026-53135
The CVE-2026-53135 issue affects the Linux kernel’s DRM AMD display path, specifically SDP debugfs writes. Root cause: dp_sdp_message_debugfs_write() dereferenced connector->base.state->crtc without NULL checks, potentially crashing when a connected-but-unbound connector exists (e.g., after...
CVE-2026-53142
CVE-2026-53142 concerns the Linux kernel DRM XE driver. The issue arises when display probing state (xe->info.probe_display) is not updated after intel_display_device_info_runtime_init(), allowing xe_display_flush_cleanup_work() to dereference a NULL mode config via for_each_intel_crtc() durin...
CVE-2026-53146
CVE-2026-53146 affects the Linux kernel Thunderbolt XDomain handling. tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size, allowing a short response to read past valid frame data into stale DMA contents. The fixed behavior is to...
CVE-2026-53151
CVE-2026-53151 concerns the Linux kernel AF_RXRPC subsystem, where legacy parsing of the SACK table could trigger an invalid buffer access when processing fragmented UDP packets. The fix updates rxrpc_input_soft_acks() and rxrpc_input_ack() logic so that SACK contents are not copied into a flat b...
CVE-2026-53177
CVE-2026-53177 affects bnxt_en in the Linux kernel. A NULL pointer dereference can occur in bnxt_io_error_detected() when PCIe error recovery runs for a NIC that is closed, due to bp->bnapi being freed on NIC close. The fix is to check bp->bnapi for NULL before disabling and synchronizing I...
CVE-2026-53186
CVE-2026-53186 affects the Linux kernel SRP path in RDMA: the SRP_RSP data length (resp_data_len) is not bounded by the actual received bytes, risking an out-of-bounds read when processing sense data. The copy is capped to 96 bytes, but the source offset can point far past the received data, pote...
CVE-2026-53257
The CVE-2026-53257 entry concerns the Linux kernel wifi subsystem (cfg80211/mac80211). The issue arises when HE (High Efficiency) and EHT elements are inconsistent between capabilities and operations, which could trigger a crash if eht_cap is set but eht_oper isn’t. The vulnerability is addressed...
CVE-2026-53258
CVE-2026-53258 affects the Linux kernel WiFi stack: when a 6 GHz split scan fails, rdev->int_scan_req is leaked because cfg80211_scan() fails before ___cfg80211_scan_done() releases it. The leak is observed in kernel mode tracing (kmemleak) and is associated with a wpa_supplicant process in th...
CVE-2026-53279
CVE-2026-53279 affects the Linux kernel driver path drm/gma500/oaktrail_lvds. The issue occurs during LVDS initialization where the code looks up an I2C adapter (via i2c_get_adapter) and may read EDID, then either uses the adapter or falls back to allocating/registering its own adapter. On late i...
CVE-2026-53282
The CVE-2026-53282 issue affects the Linux kernel’s x86/kexec purgatory code used by kexec-tools. The root cause was the purgatory path looking above the top of the stack to locate a return address for a kjump even in non-kjump kexec, which could trigger a fault/crash. A commit fixed the actual k...
CVE-2026-53294
Technical details for CVE-2026-53294 are not publicly available in the provided documents. Monitor for updates from Debian/Ubuntu OSV entries and kernel advisories for affected components, versions, and fixes.
CVE-2026-52915
CVE-2026-52915 concerns the Linux kernel netfilter ip6t_hbh module, where ip6t_opts may store at most IP6T_OPTS_OPTSNR (16) option descriptors but hbh_mt6_check() did not reject larger optsnr values from userspace. This allowed a potential out-of-bounds condition (UBSAN: array-index-out-of-bounds...
CVE-2026-52929
The CVE affects the Linux kernel SCTP stream handling. When ADD_OUT_STREAMS is denied, the rollback only shrinks queued chunks and lowers outcnt, leaving removed stream metadata behind. A subsequent re-add can reuse a stale ext and trigger a null-pointer dereference in the scheduler get path, pot...
CVE-2026-52942
The CVE corresponds to a Linux kernel netfilter nf_log issue where the fallback dump_mac_header() could read past the buffer if the MAC header was not set. The root cause was testing mac_header against network_header without verifying skb_mac_header_was_set(), causing skb_mac_header to point far ...
CVE-2026-53137
CVE-2026-53137 concerns the Linux kernel drm/amd display path where, during HDCP2.x repeater authentication over HDMI, the driver reads the sink RxStatus and uses a 10-bit message size field (max 1023) to set the read length for the ReceiverID list. The length was not clamped to the destination b...
CVE-2026-53138
The CVE-2026-53138 issue affects the Linux kernel’s drm/amd/display driver. A malformed VBIOS image can cause unbounded record-chain walk loops in bios_parser.c and bios_parser2.c due to for(;;) loops that terminate only on a 0xFF sentinel or zero record_size. This can lead to a large number of i...
CVE-2026-53155
In Linux kernels, CVE-2026-53155 relates to mm/huge_memory and device-private PMD entries. A commit (65edfda6f3f2) updated set_pmd_migration_entry() to use pmdp_huge_get_and_clear() in the softleaf case but did not adjust the function fully, causing incorrect use of pmd_write(), pmd_soft_dirty(),...
CVE-2026-53196
In the Linux kernel USB: serial: io_ti driver, CVE-2026-53196 describes a heap overflow in get_manuf_info() caused by reading rom_desc->Size bytes from an I2C EEPROM into a 10-byte buffer (kmalloc_obj()). Size is only checked against TI_MAX_I2C_SIZE (16384), allowing a malicious device to set ...
CVE-2026-53197
CVE-2026-53197 affects the Linux kernel xfrm/iptfs path. The bug is an ABBA deadlock: iptfs_destroy_state() cancels an hrtimer while holding a spinlock that the timer callback also tries to acquire. The output timer (iptfs_timer) path holds x->lock before cancel, while the timer callback (iptf...
CVE-2026-53199
CVE-2026-53199 pertains to the Linux kernel hv_netvsc path, where netvsc_copy_to_send_buf previously used phys_to_virt() on page buffer PFNs and could fault when fragments referenced high mem/user pages on 32-bit x86 with HIGHMEM. The fix maps pages with kmap_local_page() and reconstructs native ...
CVE-2026-53213
In the Linux kernel drm/vc4 component, CVE-2026-53213 is a memory-leak fix related to krealloc(): if krealloc() returns NULL, the original pointer may be overwritten, leaking memory. The recommended pattern is to assign krealloc() to a temporary variable, check for NULL, then update the original ...
CVE-2026-53219
The CVE-2026-53219 issue affects the Linux kernel netfilter x_tables path. The root cause is that native/compat get-entries copied the fixed rule entry header to userspace before sanitizing and overwriting the counter fields, exposing the percpu allocation address (pcnt) in SMP environments. The ...
CVE-2026-53226
The CVE-2026-53226 issue affects the Linux kernel GPIO Rockchip driver: generic IRQ chips allocated via irq_alloc_domain_generic_chips() are not freed on driver removal, leaving domain generic chips and the global gc_list leaked and potentially visited later by suspend/resume/shutdown callbacks, ...
CVE-2026-53227
CVE-2026-53227 affects the Linux kernel net/openvswitch path. The issue arises when allocating the reply skb after taking ovs_mutex, where an error path can leave the skb with an ERR_PTR and later free it during cleanup, leading to a possible invalid free. The fix sets the pointer to NULL after s...
CVE-2026-53229
The CVE-2026-53229 issue concerns the Linux kernel mlx5e driver: on XDP_TX transmit failure, DMA mappings are not properly unmapped and XDP frames are not freed, causing a potential DMA/resource leak. The description specifies that in mlx5e_xmit_xdp_buff(), when sq->xmit_xdp_frame() returns fa...
CVE-2026-53242
CVE-2026-53242 affects the Linux kernel ALSA PCM path (snd_pcm_drain) on linked streams. The bug arises from wait queue handling: init_waitqueue_entry does not clear prev/next and add_wait_queue/remove_wait_queue sequencing can leave an orphaned wait entry on an old sleep queue after UNLINK, caus...
CVE-2026-53247
CVE-2026-53247: Linux kernel MTK ethernet driver (mtk_eth_soc) fix for use-after-free in metadata_dst teardown. mtk_free_dev() previously called metadata_dst_free() (kfree’d immediately, bypassing RCU). In RX, skb_dst_set_noref() kept non-refcounted pointers to metadata_dst; freed memory could ra...
CVE-2026-53249
CVE-2026-53249 is a Linux kernel vulnerability where the IPOPT_SSRR and IPOPT_LSRR IPv4 options are restricted to CAP_NET_RAW, preventing unprivileged processes from steering packets through attacker-controlled nodes to leak information (e.g., TCP ISN). The issue is patched in multiple OS context...
CVE-2026-53251
CVE-2026-53251: Linux kernel Bluetooth ISO path vulnerability where hci_get_route() leaks a reference-counted hci_dev pointer (via hci_dev_hold()) on exit, without releasing it. Documented as a resource leak that can contribute to a Denial of Service. Several advisories indicate patches exist (e....
CVE-2026-53254
The CVE-2026-53254 issue affects the Linux kernel Bluetooth RFCOMM MCC handlers, which cast skb data to protocol-specific structs without validating skb->len. A malicious remote device could send truncated MCC frames, causing out-of-bounds reads. The fix is to validate and access required data...
CVE-2026-53260
Summary: CVE-2026-53260 relates to the Linux kernel tcp request-socket (reqsk) handling. The issue stems from a potential refcount underflow in __inet_csk_reqsk_queue_drop(), triggered when a reqsk is preempted between mod_timer() and refcount_set() during the queue/hash insertion path, causing t...