372486 matches found
CVE-2026-63795
In the Linux kernel, the following vulnerability has been resolved: 9p: avoid putting oldfid in p9clientwalk error path When p9clientwalk is called with clone set to false, fid aliases oldfid. If the walk subsequently fails after the request has been sent, the error path jumps to clunkfid, which...
CVE-2026-63796
In the Linux kernel, the following vulnerability has been resolved: ocfs2: reject oversized group bitmap descriptors ocfs2validategdparent only bounds bgbits against the parent allocator's chain geometry. A malicious descriptor can still claim a bgsize/bgbits pair that exceeds the bitmap bytes th...
CVE-2026-63794
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Fix page overflow in sevdbgcrypt for ENCRYPT path In sevdbgcrypt, the per-iteration transfer length is bounded by the source page offset PAGESIZE - soff but not by the destination page offset PAGESIZE - doff. When doff...
CVE-2026-53403
In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fbnewmodelist to prevent null-ptr-deref in fbvideomodetovar info-var, a framebuffer's current mode, is expected to have a matching entry in info-modelist. vartodisplay relies on this and treats a failed fbmatchmode as...
CVE-2026-63793
In the Linux kernel, the following vulnerability has been resolved: ntfs: serialize volume label accesses Protect vol-volumelabel with a mutex and snaphost the label before copytouser. This prevent a use-after-free when FSIOCSETFSLABEL replaces the vol-volumelabel and FSIOCGETTSLABEL reads it...
CVE-2026-53402
In the Linux kernel, the following vulnerability has been resolved: fbdev: fbcon: fix out-of-bounds read in errout of fbcondosetfont When fbcondosetfont fails e.g., due to a memory allocation failure inside vcresize under heavy memory pressure, it jumps to the errout label to roll back the consol...
CVE-2026-53401
In the Linux kernel, the following vulnerability has been resolved: fbdev: omap2: fix use-after-free in omapfbmmap omapfbmmap has a race condition with OMAPFBSETUPPLANE ioctl that can lead to use-after-free: The fbmmap entry point holds mmlock but not lock fbinfo-lock, while ioctl handlers like...
CVE-2026-53400
In the Linux kernel, the following vulnerability has been resolved: i2c: core: fix adapter registration race Adapters can be looked up based on their id using i2cgetadapter which takes a reference to the embedded struct device. Make sure that the adapter including its struct device has been...
CVE-2026-53399
In the Linux kernel, the following vulnerability has been resolved: nfsd: release layout stid on setlease failure nfs4allocstid publishes the new stid into cl-clstateids via idralloccyclic under cllock before returning to nfsd4alloclayoutstateid. When nfsd4layoutsetlease then fails, the error pat...
CVE-2026-53398
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix SECINFONONAME decode error cleanup nfsd4decodesecinfononame currently initializes sinexp after decoding sinstyle. If the XDR stream is truncated, the decoder returns nfserrbadxdr before sinexp is initialized. Since comm...
CVE-2026-53397
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix posixacl leak on SETACL decode failure nfsaclsvcdecodesetaclargs and nfs3svcdecodesetaclargs each call nfsstreamdecodeacl twice, first for NFSACL and then for NFSDFACL. Each successful call transfers ownership of a...
CVE-2026-53396
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix posixacl leak and ignored error in nfsd4createfile nfsd4createfile has two bugs in its ACL handling: The return value of nfsd4acltoattr is silently discarded. When the NFSv4-to-POSIX ACL conversion fails e.g., -EINVAL f...
CVE-2026-53395
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix dead ACL conflict guard in nfsd4create nfsd4create steals create-crdpacl/crpacl into the local nfsdattrs via the designated initializer, then immediately sets the source pointers to NULL. The subsequent conflict guard...
CVE-2026-53394
In the Linux kernel, the following vulnerability has been resolved: nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race When findorallocopenstateowner encounters an unconfirmed owner, it calls releaseopenowner and sets oo = NULL. Control then falls through past the if oo guard -...
CVE-2026-53392
In the Linux kernel, the following vulnerability has been resolved: NFSv4/flexfiles: reject zero filehandle version count fflayoutalloclseg decodes the filehandle-version array count from the flexfiles layout body. The value is used as the count for kzallocobjs, and the current code only rejects...
CVE-2026-53393
In the Linux kernel, the following vulnerability has been resolved: nfsd: reset write verifier on deferred writeback errors nfsdvfswrite and nfsdcommit both call filemapcheckwberr to detect deferred writeback errors, but neither rotates the server's write verifier nn-writeverf when this check...
CVE-2026-53391
In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: reject zero-length raddr in nfs4decodempdsaddr nfs4decodempdsaddr decodes the rnetid and raddr opaques of a netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately calls strrchrbuf, '.' to locate the port...
CVE-2026-53389
In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: fix use-after-free of key in delasync path In tcpaodeletekey, the delasync path skips the currentkey and rnextkey validity checks present in the synchronous path, assuming these pointers are always NULL on LISTEN...
CVE-2026-53390
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds read in smbcheckpermdacl The permission-check ACE walk in smbcheckpermdacl validates the ACE header size and caps sid.numsubauth at SIDMAXSUBAUTHORITIES, but it never checks that ace-size is actually larg...
CVE-2026-53388
In the Linux kernel, the following vulnerability has been resolved: fuse: re-lock request before replacing page cache folio fusetrymovefolio unlocks the request on entry but does not re-lock it on the success path. This means fusechanabort can end the request and free the fuseioargs eg...