Lucene search
K

2251 matches found

CVE
CVE
added 2026/05/21 12:17 p.m.1119 views

CVE-2026-43499

The CVE-2026-43499 issue concerns the Linux kernel rtmutex path where remove_waiter() operated on current during dequeue in rt_mutex_start_proxy_lock() via futex_requeue(). This caused: (1) rbtree dequeue without waiter::task::pi_lock, (2) waiter task pi_blocked_on not cleared (dangling pointer, ...

7.8CVSS5.8AI score0.00125EPSS
CVE
CVE
added 2026/04/22 8:15 a.m.863 views

CVE-2026-31431

CVE-2026-31431 is a local privilege escalation in the Linux kernel’s algif_aead/AF_ALG path. The root cause is an in-place operation bug in the AEAD handling, which can be exercised via AF_ALG sockets with the authencesn algorithm and splice() to corrupt the kernel page cache of readable files wi...

7.8CVSS5.6AI score0.96267EPSS
In wild
CVE
CVE
added 2026/05/30 12:13 p.m.711 views

CVE-2026-46242

Summary (CVE-2026-46242) : The Linux kernel contains a fix for a UAF in eventpoll related to ep_remove. The bug arose when ep_remove_file() cleared file->f_ep under file->f_lock but continued using @file inside the critical section, allowing a concurrent path to reach freed memory via f_op-...

7.8CVSS5.8AI score0.00125EPSS
CVE
CVE
added 2026/06/16 6:26 a.m.511 views

CVE-2026-46331

CVE-2026-46331 affects the Linux kernel’s net/sched packet editing path, specifically the per-key handling in act_pedit where the writable Copy-on-Write (COW) region was calculated before the actual write offset was known. The runtime header offset from typed keys could leave portions of memory u...

7.8CVSS5.4AI score0.00321EPSS
CVE
CVE
added 2026/06/01 4:22 p.m.357 views

CVE-2026-46243

The CVE-2026-46243 entry concerns the Linux kernel CIFS client. It fixes a bug where cifs.spnego key descriptions could be created by userspace (via request_key(2) or add_key(2)) and include fields (pid, uid, creduid, upcall_target) that are treated as kernel-origin inputs. The fix restricts acce...

7.8CVSS5.8AI score0.00353EPSS
CVE
CVE
added 2026/05/23 11:44 a.m.353 views

CVE-2026-43503

The CVE-2026-43503 entry concerns Linux kernel net/skbuff handling: when frags are moved by frag-transfer helpers (notably __pskb_copy_fclone() and skb_shift()), the SKBFL_SHARED_FRAG flag was not propagated to the destination skb, causing destination pages to remain shared while skb_has_shared_f...

8.8CVSS5.8AI score0.00135EPSS
CVE
CVE
added 2026/05/08 7:21 a.m.320 views

CVE-2026-43284

Summary of CVE-2026-43284 (Linux kernel): The issue occurs in ESP decryption for UDP paths when using shared skb frags. Specifically, after MSG_SPLICE_PAGES attaches pages to an skb, and SKBFL_SHARED_FRAG is set, ESP input could decrypt in place on data not privately owned by the skb, if the frag...

8.8CVSS5.8AI score0.93235EPSS
In wild
CVE
CVE
added 2026/01/25 2:36 p.m.316 views

CVE-2026-22998

CVE-2026-22998 affects the Linux kernel’s NVMe over Fabrics NVMe-TCP path. The issue is a NULL pointer dereference in nvmet_tcp_build_pdu_iovec triggered by H2C_DATA PDUs when command data structures are uninitialized or partially initialized. Specifically, nvmet_tcp_handle_h2c_data_pdu() could p...

7.5CVSS5.3AI score0.0071EPSS
CVE
CVE
added 2026/05/23 11:44 a.m.286 views

CVE-2026-46300

The CVE-2026-46300 issue affects the Linux kernel's net: skbuff code: skb_try_coalesce() can transfer paged frags from one skb to another while losing the SKBFL_SHARED_FRAG marker, breaking the invariant relied on by ESP decryption logic. This can allow an in-place decrypt path to operate on page...

7.8CVSS6AI score0.03663EPSS
CVE
CVE
added 2026/06/09 11:52 a.m.270 views

CVE-2026-46316

A vulnerability in Linux kernel KVM for ARM64 (vgic-its) is resolved. The issue stemmed from vgic_its_invalidate_cache() traversing the per-ITS translation cache with xa_for_each() and dropping the cache’s reference on each entry using vgic_put_irq(), but it dropped the reference of the pointer r...

9.3CVSS5.4AI score0.00197EPSS
CVE
CVE
added 2026/05/15 12:58 p.m.198 views

CVE-2026-46333

CVE-2026-46333 concerns a logic bug in the Linux kernel’s ptrace access check (__ptrace_may_access). When a thread lacks an MM pointer, ptrace_may_access uses a cached “last dumpable” flag, which can be bypassed by CAP_SYS_PTRACE to override. This can enable local privilege escalation or informat...

7.8CVSS5.8AI score0.0138EPSS
CVE
CVE
added 2026/05/11 6:26 a.m.183 views

CVE-2026-43500

Summary: CVE-2026-43500 affects the Linux kernel RXRPC path for DATA/RESPONSE packets. The issue occurs when skb fragments are externally owned (e.g., via splice() or frag lists) and the code path decrypts in place, binding frag pages into the AEAD/skcipher SGL. The fix extends the gate to unshar...

7.8CVSS5.8AI score0.92766EPSS
In wild
CVE
CVE
added 2026/04/01 8:36 a.m.168 views

CVE-2026-23401

CVE-2026-23401: In the Linux kernel KVM x86/mmu, a race allowed installing an MMIO SPTE without first zapping an existing shadow-present SPTE when guest memory writes occurred outside KVM’s scope. This could enable a guest‑memory–related fault to leave a shadow SPTE intact when an MMIO SPTE is in...

8.1CVSS5.8AI score0.00184EPSS
CVE
CVE
added 2026/02/13 1:29 p.m.167 views

CVE-2026-23111

CVE-2026-23111 (Linux kernel) : A bug in netfilter nf_tables nft_map_catchall_activate() inverted the genmask check, causing catchall elements to be processed incorrectly during abort of a DELSET operation. The function skipped inactive elements and processed active ones, leading to a use-after-f...

7.8CVSS5.3AI score0.00344EPSS
CVE
CVE
added 2026/03/18 5:54 p.m.160 views

CVE-2026-23268

CVE-2026-23268 is a Linux kernel AppArmor issue where an unprivileged local user can load, replace, and remove AppArmor profiles by abusing apparmorfs and passing a file descriptor to a privileged process. This enables a confused deputy attack, potentially letting the unprivileged user execute a ...

7.8CVSS5.7AI score0.00134EPSS
CVE
CVE
added 2026/06/25 8:38 a.m.149 views

CVE-2026-53163

CVE-2026-53163 affects the Linux kernel rtmutex/futex path. The issue arises when task_blocks_on_rt_mutex() fails to arm the waiter on deadlock detection, leaving waiter->task nil, and the code path can reach remove_waiter() via rt_mutex_start_proxy_lock(). The root cause is tied to how the wa...

5.5CVSS5.7AI score0.00128EPSS
CVE
CVE
added 2026/03/18 5:54 p.m.138 views

CVE-2026-23270

CVE-2026-23270 pertains to the Linux kernel net/sched subsystem. The fix restricts the use of TC action act_ct to only bind to clsact/ingress qdiscs and shared blocks, preventing its use on the egress path. The change addresses a scenario where classify could return TC_ACT_CONSUMED while the skb ...

7.8CVSS5.7AI score0.00123EPSS
CVE
CVE
added 2026/04/24 2:45 p.m.134 views

CVE-2026-31671

The CVE-2026-31671 issue is in the Linux kernel xfrm_user component. A struct xfrm_user_report includes a __u8 proto field followed by a struct xfrm_selector, creating three padding bytes that were never zeroed before copying to userspace. The vulnerability is a information leak caused by these u...

5.5CVSS5.3AI score0.00114EPSS
CVE
CVE
added 2026/04/24 2:45 p.m.134 views

CVE-2026-31672

CVE-2026-31672 concerns the Linux kernel rt2x00usb Wi‑Fi USB driver, where resources bound to USB interfaces could leak if the device is unbound without disconnection. The root cause is improper devres/USB anchor lifetime management, leading to potential memory leaks and resource exhaustion. The ...

5.5CVSS5.4AI score0.00114EPSS
CVE
CVE
added 2026/04/24 2:44 p.m.131 views

CVE-2026-31635

CVE-2026-31635 affects the Linux kernel rxrpc component. The vulnerability stems from an inverted length check in rxgk_verify_response(), where oversized RESPONSE authenticators can be accepted and later cause a contradictory length that leads to a BUG_ON(len) in skb_to_sgvec(). This can crash th...

7.5CVSS5.4AI score0.00817EPSS
CVE
CVE
added 2026/04/24 2:45 p.m.129 views

CVE-2026-31670

Summary: CVE-2026-31670 affects the Linux kernel rfkill subsystem. The vulnerability allows a local attacker to create an unbounded number of rfkill events (without consuming them from the rfkill descriptor), potentially leading to memory exhaustion and DoS. The issue is fixed by bounding the num...

5.5CVSS5.4AI score0.00114EPSS
CVE
CVE
added 2026/04/24 2:45 p.m.126 views

CVE-2026-31664

The CVE-2026-31664 issue resides in the Linux kernel xfrm subsystem: build_polexpire() fails to clear trailing padding in struct xfrm_user_polexpire, leaving uninitialized heap bytes that are sent to userspace via netlink multicast (XFRMNLGRP_EXPIRE). The consequence is potential leakage of kerne...

5.5CVSS5.4AI score0.00114EPSS
CVE
CVE
added 2026/04/25 8:47 a.m.117 views

CVE-2026-31685

The connected Red Hat/SUSE/NVD entries confirm CVE-2026-31685 affects the Linux kernel netfilter component ip6t_eui64. The root cause is that eui64_mt6() derives a modified EUI-64 from the Ethernet source and compares it with the IPv6 low 64 bits, but the existing guard only rejects an invalid MA...

9.4CVSS5.4AI score0.00337EPSS
CVE
CVE
added 2026/05/01 2:15 p.m.113 views

CVE-2026-43037

CVE-2026-43037 affects the Linux kernel; vulnerability arises from ip4ip6_err() using a cloned skb where the IPv6 receive path writes cb[] as inet6_skb_parm, which is then misinterpreted as IPv4 inet_skb_parm by __ip_options_echo(), causing a potential data leak/compromise. The fix includes clear...

9.8CVSS5.8AI score0.00563EPSS
CVE
CVE
added 2026/05/28 9:36 a.m.113 views

CVE-2026-46195

The CVE-2026-46195 entry concerns a Linux kernel SMB client vulnerability. 32-bit servers can supply a crafted dacloffset that wraps a DACL pointer, allowing dereferencing of DACL fields during chmod/chown if validated only after pointer arithmetic. The flaw occurs in parse_sec_desc(), build_sec_...

9.8CVSS5.8AI score0.00675EPSS
CVE
CVE
added 2026/03/20 8:8 a.m.112 views

CVE-2026-23271

CVE-2026-23271 affects the Linux kernel perf subsystem. The vulnerability arises from a race between __perf_event_overflow() and perf_remove_from_context() where __perf_event_overflow() may run with only preemption disabled for some callchains, allowing a race against perf_event_exit_event() and ...

7.8CVSS5.6AI score0.00096EPSS
CVE
CVE
added 2026/06/03 3:48 p.m.111 views

CVE-2026-46244

The CVE-2026-46244 issue affects the Linux kernel netfilter nft_inner path. In nft_inner_parse_l2l3(), while handling inner IPv6 packets, ipv6_find_hdr() computes the transport header offset correctly across extension headers, but the code later overwrites this value with nhoff + sizeof(_ip6h) (4...

9.1CVSS5.8AI score0.00322EPSS
CVE
CVE
added 2026/05/28 9:35 a.m.106 views

CVE-2026-46135

CVE-2026-46135 affects the Linux kernel nvmet-tcp (NVMe over TCP). A race between ICReq handling and target‑side queue teardown can transition queue state in a non‑serialized way, potentially allowing a second teardown path and a re‑entry after a disconnect, including a possible double free scena...

9.8CVSS5.8AI score0.00353EPSS
CVE
CVE
added 2026/03/04 2:36 p.m.103 views

CVE-2025-71238

CVE-2025-71238 is a Linux kernel issue in the qla2xxx SCSI/BSG path where bsg_done() could be called on failure, causing a double free and possible system crash or privilege escalation. The root cause is failure paths calling bsg_done() without proper validation; fixes patch the bsg_done() invoca...

7.8CVSS5.8AI score0.00194EPSS
CVE
CVE
added 2026/04/23 11:12 a.m.100 views

CVE-2026-31532

CVE-2026-31532 affects the Linux kernel’s raw CAN socket implementation. A use-after-free can occur when, during unregistration of CAN receive filters, the kernel defers receiver deletion with RCU and frees per-CPU storage ro->uniq too early in raw_release(). The fix moves free_percpu(ro->u...

7.8CVSS5.7AI score0.00124EPSS
CVE
CVE
added 2026/05/01 2:15 p.m.100 views

CVE-2026-43038

CVE-2026-43038 affects the Linux kernel IPv6 ICMP error path. A forged IPv4 ICMP error with CIPSO options could cause ip6_err_gen_icmpv6_unreach() to misinterpret an inner IPv4 inet_skb_parm as an IPv6 parameter, allowing an offset misreference (dsthao) that could enable out-of-bounds or memory a...

9.8CVSS5.8AI score0.00255EPSS
CVE
CVE
added 2026/05/28 9:40 a.m.96 views

CVE-2026-46215

The CVE concerns a race condition in the Linux kernel’s DRM change_handle path. A concurrent gem_close could remove one handle while another remained dangling, enabling a use-after-free. The fix uses the same sequence as gem_close: first replace the old handle with NULL via idr_replace, then, if ...

7.8CVSS5.8AI score0.00134EPSS
CVE
CVE
added 2026/04/03 3:16 p.m.90 views

CVE-2026-31402

CVE-2026-31402 affects the Linux kernel NFSv4.0 server (nfsd) via the LOCK replay cache. A large lock owner in a denied LOCK can cause a slab-out-of-bounds write into the 112-byte replay buffer, corrupting adjacent heap memory. The issue can be triggered remotely by two cooperating NFSv4.0 client...

9.8CVSS5.8AI score0.0049EPSS
CVE
CVE
added 2026/04/23 3:11 p.m.89 views

CVE-2026-31533

The CVE-2026-31533 entry concerns a Linux kernel net/tls use-after-free in tls_do_encryption() when crypto_aead_encrypt() returns -EBUSY. The underlying issue is double cleanup of encrypt_pending and the scatterlist entry due to distinct cleanup paths (async callback tls_encrypt_done() vs synchro...

9.8CVSS5.7AI score0.00263EPSS
CVE
CVE
added 2026/06/08 2:30 p.m.87 views

CVE-2026-46275

CVE-2026-46275 affects the Linux kernel Bluetooth hci_uart subsystem, with Use-After-Free and race conditions in lifecycle teardown (init/close paths) that can trigger UAFs and NPDs when workqueues and protocol paths are torn down. The documented fix involves reordering ttys close handling (clear...

7.8CVSS5.5AI score0.00185EPSS
Web
CVE
CVE
added 2026/05/21 10:49 a.m.83 views

CVE-2026-43494

CVE-2026-43494 affects the Linux kernel’s net/rds zerocopy path. When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), pinned pages are released and rm->data.op_mmp_znotifier is cleared, but rm->data.op_nents may not be reset. This leads to the cleanup loop in rds_message_purge...

7.8CVSS5.7AI score0.00269EPSS
CVE
CVE
added 2026/06/09 12:11 p.m.81 views

CVE-2026-46323

CVE-2026-46323 affects the Linux kernel’s networking GRO path. The issue occurs in skb_gro_receive() where fragments can be copied between the source and GRO skbs without respecting zerocopy status, notably when SKBFL_MANAGED_FRAG_REFS is set. When this flag is present, pages in shinfo->frags ...

7.8CVSS5.4AI score0.00137EPSS
CVE
CVE
added 2026/02/04 4:8 p.m.80 views

CVE-2026-23092

CVE-2026-23092 relates to a Linux kernel fix in iio: dac: ad3552r-hs_write_data_source where out-of-bounds writes could occur. The issue stemmed from using the write-return count as the index for null termination instead of the actual number of bytes copied by simple_write_to_buffer(). If count e...

7.8CVSS5.5AI score0.00186EPSS
CVE
CVE
added 2026/06/09 12:11 p.m.79 views

CVE-2026-46319

The CVE-2026-46319 entry describes a race in the Linux kernel net/sched act_ct where rcu_read_lock is exited before refcount_inc_not_zero on ct_ft, allowing a UAF when ct_ft is freed during cleanup. This creates a local privilege-escalation risk as an attacker could observe or trigger the race wi...

7.8CVSS5.4AI score0.00125EPSS
CVE
CVE
added 2026/04/24 2:42 p.m.77 views

CVE-2026-31607

CVE-2026-31607 (Linux kernel USB/IP) : A RET_SUBMIT response can cause an out-of-bounds write when usbip_pack_ret_submit() overwrites urb->number_of_packets without validation. The loop bound in usbip_recv_iso()/usbip_pad_iso() then writes beyond urb->iso_frame_desc[], triggering a heap OOB...

9.8CVSS5.6AI score0.00311EPSS
CVE
CVE
added 2026/05/27 12:57 p.m.77 views

CVE-2026-46054

CVE-2026-46054 affects the Linux kernel SELinux overlayfs access checks for mmap() and mprotect(). The issue arises from insufficient enforcement of backing-file access between the user file and backing file, potentially bypassing policies. A patch introduces security_mmap_backing_file() to enfor...

7.1CVSS5.8AI score0.00118EPSS
CVE
CVE
added 2026/03/18 10:5 a.m.76 views

CVE-2026-23243

CVE-2026-23243 is a Linux kernel vulnerability involving RDMA/umad_write, where user-controlled MAD header size mismatch could yield a negative data_len, leading to an out-of-bounds memset in alloc_send_rmpp_list. The issue has a concrete upstream fix that rejects negative data_len before creatin...

7.8CVSS5.7AI score0.00125EPSS
CVE
CVE
added 2026/05/28 9:35 a.m.76 views

CVE-2026-46113

CVE-2026-46113 (Linux kernel KVM x86 shadow paging use-after-free) is a resolved vulnerability in the KVM shadow paging path. The issue arises when the shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index and guest page-table modifications between VM entries can c...

8.8CVSS5.7AI score0.00126EPSS
CVE
CVE
added 2026/04/13 1:40 p.m.73 views

CVE-2026-31419

Summary of CVE-2026-31419 : A use-after-free in the Linux kernel bonding driver is caused by a race in bond_xmit_broadcast() where the last slave determination can change during RCUs, leading to double-free of the original skb and a potential crash. The fix replaces the racy bond_is_last_slave() ...

7.8CVSS5.7AI score0.00124EPSS
CVE
CVE
added 2026/01/23 3:24 p.m.72 views

CVE-2026-22990

CVE-2026-22990 affects the Linux kernel libceph component, where an overzealous BUG_ON in osdmap_apply_incremental() could misreact to a maliciously corrupted incremental osdmap epoch. The mitigation is to treat such an incongruent incremental osdmap as invalid rather than triggering a BUG. Conne...

7.5CVSS5.2AI score0.00341EPSS
CVE
CVE
added 2026/03/25 10:27 a.m.71 views

CVE-2026-23334

The CVE-2026-23334 issue affects the Linux kernel in the can: usb: f81604 path, where interrupt URBs of incorrect length could be misinterpreted as valid data. The vulnerability is addressed by upstream kernel fixes, and Mageia advisories reference kernel version 6.6.130 as the fixing baseline, w...

5.5CVSS5.7AI score0.00122EPSS
CVE
CVE
added 2026/05/27 12:59 p.m.69 views

CVE-2026-46099

The CVE-2026-46099 entry describes a use-after-free race in Linux kernel IPv6 handling for seg6 and rpl lightweight tunnels. A NOREF destination cached during ip6_route_input() can be freed by a concurrent FIB lookup on a shared nexthop under PREEMPT_RT, leading to a WARN or potential instability...

8.1CVSS5.8AI score0.00321EPSS
CVE
CVE
added 2026/06/03 3:49 p.m.69 views

CVE-2026-46259

In the Linux kernel procfs path do_task_stat() reading /proc/[pid]/stat, task->real_parent is accessed without proper RCU protection, enabling a potential Use-After-Free when another task is released. The fix switches from task_tgid_nr_ns() to task_ppid_nr_ns() to add proper RCU protection for...

7.8CVSS5.8AI score0.0012EPSS
CVE
CVE
added 2026/06/25 8:38 a.m.68 views

CVE-2026-53176

CVE-2026-53176 affects the Linux kernel iSER (IB/isert) login handling in ib_isert.c. A remote iSER initiator could send a login PDU shorter than ISER_HEADERS_LEN (76), causing an integer underflow in isert_login_recv_done() when computing login_req_len, leading to a negative length used in a mem...

9.8CVSS6AI score0.00742EPSS
CVE
CVE
added 2026/05/28 9:41 a.m.65 views

CVE-2026-46241

CVE-2026-46241 concerns the SPI driver for the MPC52xx in the Linux kernel, where a use-after-free can occur if controller registration fails because interrupts are not properly disabled and freed. The issue is resolved by a fix that ensures interrupts are disabled and resources freed on registra...

7.8CVSS5.8AI score0.00125EPSS
Total number of security vulnerabilities2251