371 matches found
CVE-2026-46331
CVE-2026-46331 affects the Linux kernel’s net/sched packet editing path, specifically the per-key handling in act_pedit where the writable Copy-on-Write (COW) region was calculated before the actual write offset was known. The runtime header offset from typed keys could leave portions of memory u...
CVE-2026-46243
The CVE-2026-46243 entry concerns the Linux kernel CIFS client. It fixes a bug where cifs.spnego key descriptions could be created by userspace (via request_key(2) or add_key(2)) and include fields (pid, uid, creduid, upcall_target) that are treated as kernel-origin inputs. The fix restricts acce...
CVE-2026-43503
The CVE-2026-43503 entry concerns Linux kernel net/skbuff handling: when frags are moved by frag-transfer helpers (notably __pskb_copy_fclone() and skb_shift()), the SKBFL_SHARED_FRAG flag was not propagated to the destination skb, causing destination pages to remain shared while skb_has_shared_f...
CVE-2026-46300
The CVE-2026-46300 issue affects the Linux kernel's net: skbuff code: skb_try_coalesce() can transfer paged frags from one skb to another while losing the SKBFL_SHARED_FRAG marker, breaking the invariant relied on by ESP decryption logic. This can allow an in-place decrypt path to operate on page...
CVE-2026-46316
A vulnerability in Linux kernel KVM for ARM64 (vgic-its) is resolved. The issue stemmed from vgic_its_invalidate_cache() traversing the per-ITS translation cache with xa_for_each() and dropping the cache’s reference on each entry using vgic_put_irq(), but it dropped the reference of the pointer r...
CVE-2026-46333
CVE-2026-46333 concerns a logic bug in the Linux kernel’s ptrace access check (__ptrace_may_access). When a thread lacks an MM pointer, ptrace_may_access uses a cached “last dumpable” flag, which can be bypassed by CAP_SYS_PTRACE to override. This can enable local privilege escalation or informat...
CVE-2026-43500
Summary: CVE-2026-43500 affects the Linux kernel RXRPC path for DATA/RESPONSE packets. The issue occurs when skb fragments are externally owned (e.g., via splice() or frag lists) and the code path decrypts in place, binding frag pages into the AEAD/skcipher SGL. The fix extends the gate to unshar...
CVE-2026-53163
CVE-2026-53163 affects the Linux kernel rtmutex/futex path. The issue arises when task_blocks_on_rt_mutex() fails to arm the waiter on deadlock detection, leaving waiter->task nil, and the code path can reach remove_waiter() via rt_mutex_start_proxy_lock(). The root cause is tied to how the wa...
CVE-2026-46195
The CVE-2026-46195 entry concerns a Linux kernel SMB client vulnerability. 32-bit servers can supply a crafted dacloffset that wraps a DACL pointer, allowing dereferencing of DACL fields during chmod/chown if validated only after pointer arithmetic. The flaw occurs in parse_sec_desc(), build_sec_...
CVE-2026-46244
The CVE-2026-46244 issue affects the Linux kernel netfilter nft_inner path. In nft_inner_parse_l2l3(), while handling inner IPv6 packets, ipv6_find_hdr() computes the transport header offset correctly across extension headers, but the code later overwrites this value with nhoff + sizeof(_ip6h) (4...
CVE-2026-46135
CVE-2026-46135 affects the Linux kernel nvmet-tcp (NVMe over TCP). A race between ICReq handling and target‑side queue teardown can transition queue state in a non‑serialized way, potentially allowing a second teardown path and a re‑entry after a disconnect, including a possible double free scena...
CVE-2026-46215
The CVE concerns a race condition in the Linux kernel’s DRM change_handle path. A concurrent gem_close could remove one handle while another remained dangling, enabling a use-after-free. The fix uses the same sequence as gem_close: first replace the old handle with NULL via idr_replace, then, if ...
CVE-2026-46275
CVE-2026-46275 affects the Linux kernel Bluetooth hci_uart subsystem, with Use-After-Free and race conditions in lifecycle teardown (init/close paths) that can trigger UAFs and NPDs when workqueues and protocol paths are torn down. The documented fix involves reordering ttys close handling (clear...
CVE-2026-43494
CVE-2026-43494 affects the Linux kernel’s net/rds zerocopy path. When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), pinned pages are released and rm->data.op_mmp_znotifier is cleared, but rm->data.op_nents may not be reset. This leads to the cleanup loop in rds_message_purge...
CVE-2026-46323
CVE-2026-46323 affects the Linux kernel’s networking GRO path. The issue occurs in skb_gro_receive() where fragments can be copied between the source and GRO skbs without respecting zerocopy status, notably when SKBFL_MANAGED_FRAG_REFS is set. When this flag is present, pages in shinfo->frags ...
CVE-2026-46113
CVE-2026-46113 (Linux kernel KVM x86 shadow paging use-after-free) is a resolved vulnerability in the KVM shadow paging path. The issue arises when the shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index and guest page-table modifications between VM entries can c...
CVE-2026-46099
The CVE-2026-46099 entry describes a use-after-free race in Linux kernel IPv6 handling for seg6 and rpl lightweight tunnels. A NOREF destination cached during ip6_route_input() can be freed by a concurrent FIB lookup on a shared nexthop under PREEMPT_RT, leading to a WARN or potential instability...
CVE-2026-53176
CVE-2026-53176 affects the Linux kernel iSER (IB/isert) login handling in ib_isert.c. A remote iSER initiator could send a login PDU shorter than ISER_HEADERS_LEN (76), causing an integer underflow in isert_login_recv_done() when computing login_req_len, leading to a negative length used in a mem...
CVE-2026-46317
CVE-2026-46317 concerns the Linux kernel KVM on arm64. A traversal of the array kvm->arch.nested_mmus[] occurs under kvm->mmu_lock, while kvm_vcpu_init_nested() reallocates the array and frees the old buffer with only kvm->arch.config_lock held. The fix moves the allocation outside the m...
CVE-2026-46124
CVE-2026-46124 affects the Linux kernel isofs filesystem. The vulnerability arises because isofs_fh_to_dentry/isofs_fh_to_parent pass an attacker-controlled block number from an NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget and sb_bread. A crafted...
CVE-2026-46137
CVE-2026-46137 affects the Linux kernel MPTCP implementation. The mptcp_pm_add_timer() helper runs as a timer callback in softirq context and can race with socket state unless the socket lock is held with bh_lock_sock(). The mitigation is to hold the lock and retry if the socket is in use, mirror...
CVE-2026-46155
CVE-2026-46155 affects the Linux kernel SMB client. The vulnerability is an out-of-bounds read in smb2_compound_op() caused by memcpy reading size[0] (OutputBufferLength) when iov_len is smaller than that length after a truncated server response. This can leak adjacent kernel heap memory. Impact ...
CVE-2026-46181
Summary: CVE-2026-46181 concerns the Linux kernel RDMA/mlx4 component. The root cause is improper use of Read-Copy Update (RCU) in mlx4_srq_event(), which could allow a race where an event is delivered before the srq object is fully initialized, potentially crashing the system. The documented fix...
CVE-2026-46321
Summary. CVE-2026-46321 concerns the Linux kernel tun/tap with vhost-net, where a short-frame rejection path in tun_xdp_one() can leak memory pages. Specifically, when a frame is shorter than ETH_HLEN, tun_xdp_one() returns -EINVAL without freeing the page allocated by vhost_net_build_xdp(). tun_...
CVE-2026-52923
The CVE-2026-52923 issue affects the Linux kernel IPC ID allocation in the checkpoint/restore path. ipc_idr_alloc() forwards the next_id request to idr_alloc() with an open-ended upper bound, so if the valid SysV IPC id tail is full the allocation can spill past ipc_mni. The encoded id may then r...
CVE-2026-43501
CVE-2026-43501 - Linux kernel IPv6 SRH headroom bug : The issue occurs in ipv6_rpl_srh_rcv() when decompressing and recompressing RFC 6554 Source Routing Headers, where the recompressed IPv6 header can grow beyond the received header. The root cause is an unsafe headroom handling in pskb_expand_h...
CVE-2026-53269
The CVE-2026-53269 issue exists in the Linux kernel’s netfilter synproxy path, where concurrent registration of hooks could race, affecting refcount blocks. A mutex was added to serialize access to refcount control blocks in frontends, mitigating the race. Connected OSV entries report patches for...
CVE-2026-46116
CVE-2026-46116 affects the Linux kernel xfrm subsystem (xfrm_state). The root cause is a local-use-after-free in __xfrm_state_delete due to unsafe deletions from byseq/byspi hash chains. The patch changes deletions to hlist_del_init_rcu and uses hlist_unhashed() checks, preventing writes after LI...
CVE-2026-46281
CVE-2026-46281 affects the Linux kernel vmalloc path used by vrealloc when a new allocation is forced (wrong NUMA node or alignment). The code copies old_size bytes into a newly allocated buffer of size bytes during a shrink request, which can cause an out-of-bounds write. The fix bounds the copy...
CVE-2026-46090
CVE-2026-46090 affects the Linux kernel ALSA aloop driver. A use-after-free in loopback_check_format() can occur when playback starts with parameters that no longer match a running capture stream, while a concurrent close may detach or free the runtime. The issue arises after a patch that moved t...
CVE-2026-46324
CVE-2026-46324 concerns the Linux kernel’s nf_tables netlink hook handling. The vuln is fixed by replacing use of list_del_rcu() for nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks to prevent concurrent dumpers from walking the list while it’s modified. A new helper was added...
CVE-2026-46206
The CVE-2026-46206 issue affects the Linux kernel’s batman-adv implementation, where the tp_meter component could start new sender or receiver sessions after mesh_state had exited BATADV_MESH_ACTIVE during teardown. The vulnerability stems from improper state management in batman-adv/tp_meter, po...
CVE-2026-46322
The CVE relates to the Linux kernel tun driver vulnerability CVE-2026-46322. When build_skb() fails inside tun_xdp_one(), the function returns -ENOMEM without freeing the allocated page for the frame, causing a memory leak of one page-frag chunk per failed build_skb() in a batch. The root cause i...
CVE-2026-46173
CVE-2026-46173 concerns the Linux kernel. The issue arises when an already-exiting task oopses and make_task_dead() calls do_task_dead() with preemption enabled, while __schedule() must be called with preemption disabled. If a preempted oopsing task is still in the dead-state, finish_task_switch(...
CVE-2026-46174
In CVE-2026-46174, the Linux kernel vulnerability affects x86/CPU/AMD Zen2 by allowing improper isolation of shared resources in the Zen2 op cache, potentially leading to instruction corruption. The issue has been resolved in the Linux kernel, with Debian and Root packaging advisories noting fixe...
CVE-2026-46177
The CVE-2026-46177 issue affects the Linux kernel IPMI driver. It describes a vulnerability where the driver could continuously fetch events and receive messages from the BMC (or become stuck) due to the BMC not signaling completion or the attn bit getting stuck. The documented fix limits event/m...
CVE-2026-46227
CVE-2026-46227 describes a race in the Linux kernel SCTP SENDALL path. The sctp_sendmsg() loop over ep->asocs caches the next entry in @tmp, then calls sctp_sendmsg_to_asoc() after dropping the socket lock, allowing a second thread to peel off the cached association and migrate it to a new end...
CVE-2026-46274
CVE-2026-46274 (Linux kernel, io_wq) has concrete details: a bug in io_wq_remove_pending() allowed a non-hashed predecessor to be treated as hashed, causing a stale pointer in wq->hash_tail[] to persist and be dereferenced by future hashed bucket-0 enqueues. The root cause is that io_get_work_...
CVE-2026-31700
Summary (CVE-2026-31700): In the Linux kernel, a TOCTOU race in tpacket_snd() when PACKET_VNET_HDR is enabled allows a user-space race on vnet_hdr fields between validation and use, bypassing safety checks. The vulnerability affects the mmap’d TX ring buffer where vnet_hdr points into user-contro...
CVE-2026-46132
CVE-2026-46132 - Linux kernel on multiple distros : The flaw is a stack information leak in net/rtnetlink when reporting VF info via IFLA_VF_BROADCAST. A local unprivileged process can trigger RTM_GETLINK and copy a partially uninitialized 32-byte field (vf_broadcast) from the stack, leaking up t...
CVE-2026-46145
The CVE-2026-46145 vulnerability affects the Linux kernel, specifically the RDMA/mana component. A user-supplied rx_hash_key_len value supplied via a uAPI structure is blindly passed to memcpy, enabling localized kernel memory corruption if bounds checks are not enforced. Reports from multiple so...
CVE-2026-52908
CVE-2026-52908 affects the Linux kernel RDMA path: during rereg_mr, changing IB_MR_REREG_ACCESS from RO to RW requires re-evaluating the umem to ensure proper RW pinning. The fix introduces an ib_umem_check_rereg() hook that each driver must call before processing IB_MR_REREG_ACCESS; mlx4 retains...
CVE-2026-31787
CVE-2026-31787 affects the Linux kernel, specifically the xen/privcmd mapping flow. The root cause is a double-free in the VMA splitting path when userspace performs partial munmap() on a privcmd mapping. Because privcmd_vm_ops defines .close but not .may_split or .open, the kernel may_split() pe...
CVE-2026-43490
The CVE-2026-43490 entry concerns the Linux kernel ksmbd SMB server. The flaw arises in smb_inherit_dacl() where the code validates a fixed SID header but not the variable-length SID described by sid.num_subauth, allowing a malformed inheritable ACE to advertise more subauthorities than present. ...
CVE-2026-46117
CVE-2026-46117 affects the Linux kernel RDMA/mana component. The issue arises when a user can configure Work Queues to share the same Completion Queue via the uAPI, which triggers a user-writable WARN_ON() and can lead to kernel corruption. The vulnerability has been resolved by removing the trig...
CVE-2026-46238
CVE-2026-46238 affects the Linux kernel’s BAT IV implementation via the batman-adv subsystem. The issue stems from caching an auxiliary originator pointer derived from a temporary lookup in neigh_node state, where the pointer can be freed or become stale after purge handling. The documented fix i...
CVE-2026-31694
Summary: CVE-2026-31694 fixes a Linux kernel FUSE directory-entry handling flaw. A malicious FUSE server could cause a 24-byte overflow by returning a dirent whose serialized size (based on namelen) exceeds a single PAGE_SIZE. The bug arises in fuse_add_dirent_to_cache(), which previously only ch...
CVE-2026-31716
The CVE-2026-31716 entry covers a Linux kernel NTFS3 flaw in journal replay. Description from multiple sources states that check_file_record() validates rec->total against the record size but not rec->used. The journal-replay handlers read rec->used from disk and use it to compute memmov...
CVE-2026-31717
In the Linux kernel ksmbd, a vulnerability allows an authenticated user to hijack an orphaned durable handle by reconnecting with a different security context. The issue stems from ksmbd not verifying that the requester’s SecurityContext matches the original opener when a durable handle is reconn...
CVE-2026-31786
The CVE-2026-31786 issue affects the Linux kernel in drivers/xen/sys-hypervisor.c, where HYPERVISOR_xen_version(XENVER_build_id) returned a build_id that is not NUL-terminated, causing a buffer overflow via sprintf in buildid_show. The root cause is that the build_id was not treated as a proper s...