SB20260513116 - Debian update for linux




Published: May 13, 2026

Security Bulletin ID: SB20260513116
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 399
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 1% Medium 14% Low 85%

Description

This security bulletin contains information about 399 vulnerabilities.


1) Memory leak (CVE-ID: CVE-2024-14027)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the SYSCALL_DEFINE5(), SYSCALL_DEFINE4(), SYSCALL_DEFINE3() and SYSCALL_DEFINE2() functions in fs/xattr.c. A local user can perform a denial of service (DoS) attack.


2) Use of uninitialized resource (CVE-ID: CVE-2025-21709)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the use of an uninitialized resource within the mt_set_in_rcu() function in kernel/fork.c and within the register_for_each_vma() function in kernel/events/uprobes.c. A local user can perform a denial of service (DoS) attack.


3) Improper error handling (CVE-ID: CVE-2025-22116)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling within the idpf_stop() and idpf_init_task() functions in drivers/net/ethernet/intel/idpf/idpf_lib.c. A local user can perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2025-22117)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the ice_vc_fdir_parse_raw() function in drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c. A local user can perform a denial of service (DoS) attack.


5) Input validation error (CVE-ID: CVE-2025-38426)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the amdgpu_ras_eeprom_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c. A local user can perform a denial of service (DoS) attack.


6) Use-after-free (CVE-ID: CVE-2025-38627)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the lzo_decompress_pages(), lz4_decompress_pages(), zstd_init_decompress_ctx(), zstd_decompress_pages(), f2fs_release_decomp_mem(), f2fs_end_read_compressed_page(), allow_memalloc_for_decomp(), f2fs_prepare_decomp_mem(), f2fs_alloc_dic(), f2fs_free_dic() and f2fs_put_dic() functions in fs/f2fs/compress.c. A local user can escalate privileges on the system.


7) Memory leak (CVE-ID: CVE-2025-39764)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ctnetlink_expect_event(), ctnetlink_exp_dump_table(), ctnetlink_exp_ct_dump_table(), ctnetlink_dump_exp_ct() and ctnetlink_get_expect() functions in net/netfilter/nf_conntrack_netlink.c. A local user can perform a denial of service (DoS) attack.


8) Improper locking (CVE-ID: CVE-2025-40005)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the cqspi_indirect_read_execute(), cqspi_indirect_write_execute(), cqspi_exec_mem_op(), cqspi_probe() and cqspi_remove() functions in drivers/spi/spi-cadence-quadspi.c. A local user can perform a denial of service (DoS) attack.


9) Use-after-free (CVE-ID: CVE-2025-40135)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ip6_autoflowlabel() and ip6_xmit() functions in net/ipv6/ip6_output.c. A local user can escalate privileges on the system.


10) NULL pointer dereference (CVE-ID: CVE-2025-40147)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in block/blk-throttle.h. A local user can perform a denial of service (DoS) attack.


11) Input validation error (CVE-ID: CVE-2025-40150)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the do_garbage_collect() and f2fs_gc_range() functions in fs/f2fs/gc.c. A local user can perform a denial of service (DoS) attack.


12) Improper locking (CVE-ID: CVE-2025-40219)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the sriov_add_vfs() and sriov_del_vfs() functions in drivers/pci/iov.c. A local user can perform a denial of service (DoS) attack.


13) Resource management error (CVE-ID: CVE-2025-68175)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the mxc_isi_video_init_channel(), mxc_isi_vb2_stop_streaming(), mxc_isi_video_s_fmt() and mxc_isi_video_release() functions in drivers/media/platform/nxp/imx8-isi/imx8-isi-video.c. A local user can perform a denial of service (DoS) attack.


14) Resource management error (CVE-ID: CVE-2025-68239)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the bm_register_write() function in fs/binfmt_misc.c. A local user can perform a denial of service (DoS) attack.


15) Resource management error (CVE-ID: CVE-2025-68334)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error in drivers/platform/x86/amd/pmc/pmc.h. A local user can perform a denial of service (DoS) attack.


16) Incorrect calculation (CVE-ID: CVE-2025-68736)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an incorrect calculation within the is_access_to_paths_allowed(), maybe_remove() and collect_domain_accesses() functions in security/landlock/fs.c. A local user can perform a denial of service (DoS) attack.


17) Improper locking (CVE-ID: CVE-2025-71152)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the dsa_port_parse_of(), dev_find_class(), dsa_switch_release_ports() and dsa_switch_shutdown() functions in net/dsa/dsa.c. A local user can perform a denial of service (DoS) attack.


18) Infinite loop (CVE-ID: CVE-2025-71161)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop within the function in drivers/md/dm-verity-target.c. A local user can perform a denial of service (DoS) attack.


19) Use-after-free (CVE-ID: CVE-2025-71221)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the mmp_pdma_residue() function in drivers/dma/mmp_pdma.c. A local user can escalate privileges on the system.


20) Insufficient logging (CVE-ID: CVE-2025-71239)

The vulnerability allows a local user to bypass audit logging.

The vulnerability exists due to improper audit event classification in the audit subsystem when handling the fchmodat2() system call. A local user can invoke fchmodat2() to change file attributes in a manner similar to chmod() or fchmodat(), which bypasses existing audit rules designed to monitor such operations.

The vulnerability specifically affects audit rules that monitor file attribute changes, allowing unauthorized attribute modifications to go unlogged. Authentication and local access are required to exploit this vulnerability.


21) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71265)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the ntfs3 file system's attr_load_runs_range function when processing inconsistent metadata. A local attacker can provide a malformed NTFS image to cause a denial of service.

The attacker-controlled NTFS image contains inconsistent metadata where an attribute header indicates an empty run list (evcn=-1 with svcn=0), but directory entries reference it as containing data. After a successful but empty run_unpack() call, the runs_tree remains uninitialized, causing subsequent run_lookup_entry() calls to fail and vcn to increment by zero, resulting in an infinite loop.


22) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71266)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the ntfs3 filesystem when handling a malformed dentry during lookup operations. A local attacker can provide a specially crafted NTFS-3 volume to cause a denial of service.

The attacker manipulates the HAS_SUB_NODE flag and VCN pointer in an INDEX_ENTRY, causing the indx_find() function to enter an infinite loop, repeatedly allocating memory until system resources are exhausted.


23) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71267)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the ntfs3 file system driver when processing a malformed NTFS image with a zero-sized ATTR_LIST attribute. A local attacker can mount a specially crafted NTFS image to cause a denial of service.

The attacker needs physical or local access to insert or mount the malicious NTFS image; no authentication beyond mounting the filesystem is required. The system becomes unresponsive during mount due to an infinite loop in kernel space.


24) Resource exhaustion (CVE-ID: CVE-2025-71269)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the btrfs filesystem's qgroup data reservation handling when processing file writes that trigger a fallback from inline extent creation. A local user can perform file operations that cause an ENOSPC condition during inline extent creation, leading to incorrect release of qgroup data reservations while still proceeding with the normal COW path, resulting in unbalanced quota accounting and potential denial of service.

The attacker must have the ability to write to a btrfs filesystem and trigger space allocation under conditions of low available space; this typically requires low-privileged local access but does not require administrative privileges beyond standard user write permissions.


25) NULL pointer dereference (CVE-ID: CVE-2026-22981)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the idpf_init_mac_addr(), idpf_vport_dealloc(), idpf_init_task(), idpf_check_reset_complete(), idpf_set_vport_state() and idpf_init_hard_reset() functions in drivers/net/ethernet/intel/idpf/idpf_lib.c. A local user can perform a denial of service (DoS) attack.


26) NULL pointer dereference (CVE-ID: CVE-2026-22985)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the idpf_send_get_stats_msg() and idpf_send_get_set_rss_lut_msg() functions in drivers/net/ethernet/intel/idpf/idpf_virtchnl.c. A local user can perform a denial of service (DoS) attack.


27) Race condition (CVE-ID: CVE-2026-22986)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the gpiochip_add_data_with_key() function in drivers/gpio/gpiolib.c. A local user can escalate privileges on the system.


28) NULL pointer dereference (CVE-ID: CVE-2026-22993)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in drivers/net/ethernet/intel/idpf/idpf_txrx.h. A local user can perform a denial of service (DoS) attack.


29) Use-after-free (CVE-ID: CVE-2026-23004)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the rt6_uncached_list_add() function in net/ipv6/route.c. A local user can escalate privileges on the system.


30) Use-after-free (CVE-ID: CVE-2026-23066)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the rxrpc_recvmsg() function in net/rxrpc/recvmsg.c. A local user can escalate privileges on the system.


31) Resource management error (CVE-ID: CVE-2026-23070)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the rvu_sdp_init() function in drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c. A local user can perform a denial of service (DoS) attack.


32) Use-after-free (CVE-ID: CVE-2026-23104)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ice_deinit_features() and ice_remove() functions in drivers/net/ethernet/intel/ice/ice_main.c. A local user can escalate privileges on the system.


33) Infinite loop (CVE-ID: CVE-2026-23138)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop within the __ftrace_trace_stack() function in kernel/trace/trace.c. A local user can perform a denial of service (DoS) attack.


34) Improper locking (CVE-ID: CVE-2026-23157)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking in fs/btrfs/extent_io.h. A local user can perform a denial of service (DoS) attack.


35) NULL pointer dereference (CVE-ID: CVE-2026-23207)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the handle_cpu_based_xfer(), handle_dma_based_xfer() and tegra_qspi_isr_thread() functions in drivers/spi/spi-tegra210-quad.c. A local user can perform a denial of service (DoS) attack.


36) NULL pointer dereference (CVE-ID: CVE-2026-23210)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference in drivers/net/ethernet/intel/ice/ice_ptp.h. A local user can perform a denial of service (DoS) attack.


37) Use-after-free (CVE-ID: CVE-2026-23226)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the check_session_id(), ntlm_authenticate() and krb5_authenticate() functions in fs/smb/server/smb2pdu.c. A local user can escalate privileges on the system.


38) Use-after-free (CVE-ID: CVE-2026-23227)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the vidi_store_connection(), vidi_connection_ioctl(), vidi_detect(), vidi_get_modes() and vidi_remove() functions in drivers/gpu/drm/exynos/exynos_drm_vidi.c. A local user can escalate privileges on the system.


39) Use-after-free (CVE-ID: CVE-2026-23231)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nf_tables_addchain() function in net/netfilter/nf_tables_api.c. A local user can escalate privileges on the system.


40) Double free (CVE-ID: CVE-2026-23239)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the espintcp_close() function in net/xfrm/espintcp.c. A local user can perform a denial of service (DoS) attack.


41) Double free (CVE-ID: CVE-2026-23240)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a double free error within the tls_sw_cancel_work_tx() function in net/tls/tls_sw.c. A local user can perform a denial of service (DoS) attack.


42) NULL Pointer Dereference (CVE-ID: CVE-2026-23242)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the RDMA/siw component when processing incoming RDMA packets. A local user can trigger improper error handling to cause a denial of service.

Exploitation requires access to the RDMA subsystem and the ability to send crafted packets over TCP. The vulnerability affects the siw (Soft iWarp) driver in the Linux kernel.


43) Out-of-bounds read (CVE-ID: CVE-2026-23243)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.

Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.


44) Resource exhaustion (CVE-ID: CVE-2026-23244)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the nvme_pr_read_keys() function when processing a user-provided num_keys value. A local user can send a specially crafted request with a large num_keys value to cause excessive memory allocation attempts, leading to a denial of service.

Exploitation requires local system access and the ability to invoke NVMe ioctl commands. No authentication beyond standard system access is required.


45) Buffer over-read (CVE-ID: CVE-2026-23245)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the net/sched: act_gate component when handling action replacement while the hrtimer callback or dump path is walking the schedule list. A local user can trigger a race condition to cause a denial of service.

Exploitation requires access to the network scheduling subsystem and occurs due to lack of proper synchronization during parameter updates.


46) Out-of-bounds write (CVE-ID: CVE-2026-23246)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a boundary error in the wifi: mac80211 component when handling ML Reconfiguration elements. A remote attacker can send a specially crafted wireless packet to execute arbitrary code.

Exploitation involves sending a malicious ML Reconfiguration element with a link_id value of 15, which exceeds the valid index range of the link_removal_timeout array, resulting in a stack-based out-of-bounds write.


47) NULL Pointer Dereference (CVE-ID: CVE-2026-23249)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the XFS filesystem's btree revalidation functionality when handling ioctl requests. A local user can trigger a specially crafted ioctl request to cause a null pointer dereference and crash the system.

The attacker must have privileges to perform XFS filesystem scrub operations, which typically requires administrative privileges.


48) Detection of error condition without action (CVE-ID: CVE-2026-23250)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in the XFS filesystem's xchk_scrub_create_subord function when processing scrub operations. A local user can trigger a memory allocation failure scenario that is not properly checked, leading to undefined behavior and potential system crash.

Exploitation requires local access and the ability to initiate XFS scrub operations. No authentication beyond local user privileges is required. The impact is limited to denial of service via system crash or hang.


49) NULL Pointer Dereference (CVE-ID: CVE-2026-23251)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the XFS filesystem component when handling file operations. A local user can trigger improper pointer management to cause a denial of service.

The vulnerability specifically involves calling destructors on invalid pointers in the xfarray and xfblob structures, which can lead to system instability or crash.


50) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-23252)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in the XFS filesystem debugging component when processing internal file descriptor descriptions. A local user can trigger memory allocation failures during descriptor generation to cause a denial of service.

The issue arises because kasprintf calls within the xchk_xfile_*_descr macros may fail when formatting strings larger than 16 bytes, leading to unhandled allocation failures. This can be triggered during XFS filesystem consistency checks. Administrative privileges are not required, but access to XFS debugging interfaces is necessary.


51) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23253)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in the dvb_ringbuffer component when reopening a DVR device. A local user can open a specially crafted DVR device to cause a denial of service.

The issue arises because dvb_dvr_open() reinitializes the shared waitqueue head, which can orphan existing waitqueue entries from io_uring poll or epoll, leading to stale pointers and potential system instability.


52) Out-of-bounds read (CVE-ID: CVE-2026-23255)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the /proc/net/ptype component when handling RCU-protected network device references. A local attacker can exploit a race condition during iteration of packet types to cause a denial of service.

The issue arises from missing RCU protection when accessing pt->dev in ptype_seq_show() and ptype_seq_next(), allowing concurrent modifications to trigger an RCU stall.


53) Use After Free (CVE-ID: CVE-2026-23270)

The vulnerability allows a local user to cause a use-after-free condition.

The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.

The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.


54) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23271)

The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a race condition in the perf subsystem when handling performance events. A local user can trigger a use-after-free condition during event overflow processing to execute arbitrary code, escalate privileges, and cause a denial of service.

The issue arises from improper synchronization between __perf_event_overflow() and perf_remove_from_context(), where the overflow handler may access memory after it has been freed by context removal routines. The attacker must be able to create and manipulate perf events, which typically requires low-privileged user access to the perf subsystem.


55) Use After Free (CVE-ID: CVE-2026-23273)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.

Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.


56) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23274)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the netfilter xt_IDLETIMER module when processing timer rules with reused labels. A local user can insert a revision 0 IDLETIMER rule with a label that was previously used by a revision 1 rule with XT_IDLETIMER_ALARM, leading to modification of an uninitialized timer_list object, which can trigger debugobjects warnings and potentially cause a kernel panic when panic_on_warn=1 is enabled.

Exploitation requires the ability to load netfilter rules. The impact is limited to denial of service via system crash under specific kernel configurations.


57) Uncontrolled Recursion (CVE-ID: CVE-2026-23276)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) when handling network packets in a specific tunnel and bonding configuration. A remote attacker can send specially crafted network traffic that triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), leading to kernel stack overflow and system crash.

The issue specifically occurs when a bond device in broadcast mode has GRE tap interfaces as slaves and those GRE tunnels route back through the bond, causing multicast/broadcast traffic to trigger unbounded recursion. The existing XMIT_RECURSION_LIMIT is insufficient because tunnel recursion consumes more stack per level due to route lookups and full IP output processing.


58) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.

Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.


59) Resource exhaustion (CVE-ID: CVE-2026-23278)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the netfilter nf_tables component when processing transaction batches containing multiple catchall elements. A local user can provide a specially crafted batch request to cause a denial of service.

Exploitation requires the ability to inject or modify netfilter rules via the nf_tables interface, which is typically restricted to privileged users. The issue occurs during transaction abort processing, leading to a use-after-free condition that triggers a kernel warning and system instability.


60) NULL Pointer Dereference (CVE-ID: CVE-2026-23279)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the mesh_rx_csa_frame() function in the mac80211 subsystem when handling received CSA action frames. A remote user can send a specially crafted SPECTRUM_MGMT/CHL_SWITCH action frame that omits the Mesh Channel Switch Parameters IE but includes valid Mesh ID and Mesh Configuration IEs to cause a kernel NULL pointer dereference.

Exploitation requires an established mesh peer link (PLINK_ESTAB) and no additional authentication beyond open mesh peering.


61) Use After Free (CVE-ID: CVE-2026-23281)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the lbs_free_adapter() function in the Linux kernel's libertas Wi-Fi driver when handling timer cleanup during device adapter release. A local user can trigger the release of the adapter structure while timer callbacks are still executing, leading to access of freed memory and potential execution of arbitrary code or system crash.

Exploitation requires the ability to trigger device cleanup, which is typically available to users with access to network device interfaces.


62) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23284)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the mtk_eth_soc driver when handling eBPF program setup errors. A local user can trigger the mtk_open routine failure in mtk_xdp_setup() to cause a denial of service.

Successful exploitation may lead to system crash or network interface disruption.


63) NULL Pointer Dereference (CVE-ID: CVE-2026-23285)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the DRBD (Distributed Replicated Block Device) component when handling a local read error. A local user can trigger a specially crafted I/O operation to cause a denial of service.

Exploitation requires access to the DRBD subsystem and the ability to initiate block device I/O operations.


64) NULL Pointer Dereference (CVE-ID: CVE-2026-23286)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the ATM LANE (LAN Emulation) module when handling VCC closure. A local user can trigger the closure of a shared atm_vcc, which is referenced by multiple lec_arp_table entries, causing a null-ptr-deref crash during subsequent cleanup attempts.

The issue arises because the cleanup function lec_arp_clear_vccs() does not verify whether the associated private data (vpriv) has already been released, leading to a crash upon dereferencing a NULL pointer in a later iteration.


65) Resource exhaustion (CVE-ID: CVE-2026-23287)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of interrupt completion in the irqchip/sifive-plic component when changing interrupt affinity settings. A local user can trigger a scenario where interrupt completion is silently ignored, leading to a frozen interrupt state and resulting in a denial of service.

The issue arises specifically when interrupt affinity is modified concurrently with interrupt handling, causing the UART port or other interrupt-driven devices to become unresponsive.


66) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23289)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper resource management in the IB/mthca subsystem when handling system calls. A local user can trigger a failed system call path to disclose sensitive information.

The issue arises from a missing mthca_unmap_user_db() call during error handling in mthca_create_srq(), leading to a resource leak that could expose system memory.


67) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-23290)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the pegasus USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to the physical access requirement.


68) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-23291)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the NFC pn533 USB driver when handling device disconnection. A local user can disconnect a USB NFC device to cause a dangling reference, leading to a denial of service.

The issue arises because the USB interface reference obtained during driver probe is not properly released upon disconnection.


69) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23292)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper locking mechanism in the SCSI target subsystem when handling configuration file writes. A local user can provide a specially crafted configuration input to cause recursive semaphore locking, leading to a system crash or hang.

Exploitation requires access to the target's configuration filesystem (configfs) and the ability to write to the db_root parameter. No additional privileges beyond standard configfs access are required.


70) NULL Pointer Dereference (CVE-ID: CVE-2026-23293)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the VXLAN network driver when handling packets. A local user can send a specially crafted IPv6 packet into a VXLAN interface when IPv6 is disabled at boot time to trigger a kernel NULL pointer dereference and crash the system.

Exploitation requires the ability to inject packets into the VXLAN interface, which is typically available to local users or processes with network access.


71) Incorrect Control Flow Scoping (CVE-ID: CVE-2026-23296)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the SCSI core subsystem when handling tagset reference counts during SCSI host teardown. A local user can trigger the removal of a SCSI host to cause a denial of service.

Repeated triggering of the issue may lead to system instability or hang due to unbounded reference accumulation.


72) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23297)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the nfsd component when handling netlink requests. A local user can trigger a memory leak to cause a denial of service.

The memory leak occurs in nfsd_nl_threads_set_doit() due to a failure to release a reference to struct cred obtained via get_current_cred().


73) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2026-23298)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an infinite loop in the ucan driver when processing zero-length messages from a ucan device. A local user can connect a specially crafted ucan device to trigger an infinite loop in ucan_read_bulk_callback(), causing the system to hang.


74) NULL Pointer Dereference (CVE-ID: CVE-2026-23300)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the IPv6 routing subsystem when handling a standalone IPv6 nexthop object referencing the loopback device. A local user can create a specially crafted IPv6 nexthop and reference it from an IPv4 route to trigger a NULL pointer dereference in __mkroute_output(), leading to a system crash.

Successful exploitation may result in a kernel panic and denial of service.


75) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23302)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in socket state handling when processing network operations. A local user can trigger concurrent access to socket state variables to cause a denial of service.

The issue arises from improper synchronization of sk->sk_data_ready and sk->sk_write_space pointers during concurrent access by multiple CPUs.


76) Cleartext Storage of Sensitive Information (CVE-ID: CVE-2026-23303)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper output neutralization in the cifs_set_cifscreds function when handling debug logging. A local user can enable debug logging to disclose sensitive information.

The exposure of plaintext usernames and passwords occurs when debug logging is enabled, which may be accessible to local users with access to kernel logs.


77) NULL Pointer Dereference (CVE-ID: CVE-2026-23304)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the ipv6 routing subsystem when processing IPv6 packets. A remote attacker can send a specially crafted IPv6 packet to trigger a null pointer dereference in ip6_rt_get_dev_rcu(), leading to a system crash.

Exploitation does not require authentication or user interaction and occurs within the network stack during packet processing.


78) Use After Free (CVE-ID: CVE-2026-23306)

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to a use-after-free in the pm8001_queue_command() function in the SCSI subsystem when handling SCSI commands during a phy down or device gone state. A local user can trigger a double free by issuing a command that leads to the erroneous return of -ENODEV after the task has already been freed, resulting in memory corruption that could lead to arbitrary code execution or privilege escalation.

The vulnerability specifically affects the pm8001 SAS controller driver and requires the ability to issue SCSI commands, which is typically available to local users with access to storage devices.


79) Out-of-bounds read (CVE-ID: CVE-2026-23307)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ems_usb_read_bulk_callback() function in the CAN USB driver when handling USB bulk callback data. A local user can provide specially crafted USB input to cause memory access beyond the buffer bounds, leading to a system crash.

The attacker must have local system access and the ability to interact with the CAN USB driver via USB interface.


80) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23308)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of interrupt masking in the pinctrl driver when loading the equilibrium GPIO controller. A local user can trigger the loading of the driver, resulting in repeated kernel warning messages being logged, which may degrade system stability and generate unnecessary log entries.

The issue arises because the function 'eqbr_irq_mask_ack()' indirectly calls 'gpiochip_disable_irq()' through 'eqbr_irq_mask()', leading to spurious warnings during initialization. This behavior does not occur in similar drivers, indicating inconsistent interrupt handling.


81) Improper Access Control (CVE-ID: CVE-2026-23310)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the bonding driver when changing the xmit_hash_policy to vlan+srcmac while an XDP program is loaded on a bond interface in 802.3ad or balance-xor mode. A local user can change the xmit_hash_policy to cause an inconsistent state, leading to failure in uninstalling the XDP program and triggering a kernel warning during bond device destruction.

The attacker must have the ability to configure bonding interface settings, which requires local access and privileges to modify network device parameters.


82) Uncontrolled Recursion (CVE-ID: CVE-2026-23312)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the kaweth USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered remote as it targets kernel-level USB subsystem handling.


83) Resource exhaustion (CVE-ID: CVE-2026-23313)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the i40e NAPI poll tracepoint when handling network packets. A local user can trigger the tracepoint to cause a preempt count leak, leading to a denial of service.

The issue arises from using get_cpu() without a corresponding put_cpu() in the tracepoint, which results in an increment of the preempt count that is never decremented.


84) Out-of-bounds write (CVE-ID: CVE-2026-23315)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the mt76_connac2_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with an undersized payload to trigger an out-of-bounds write access.

Exploitation does not require authentication or user interaction.


85) NULL Pointer Dereference (CVE-ID: CVE-2026-23316)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory access in the net subsystem when handling multipath hash seed operations. A local user can trigger a kernel panic by accessing misaligned memory via atomic operations, leading to a denial of service.

The issue arises on ARM64 systems when the kernel is compiled with Clang and LTO enabled, where READ_ONCE() and WRITE_ONCE() operations on a 4-byte aligned 8-byte structure cause alignment faults or tear-write conditions.


86) NULL Pointer Dereference (CVE-ID: CVE-2026-23317)

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper error handling in the vmw_translate_ptr functions in the drm/vmwgfx subsystem when translating pointers. A local user can trigger a use of an uninitialized pointer to cause out-of-bounds memory accesses and execute arbitrary code.

Successful exploitation may lead to privilege escalation and system compromise.


87) Out-of-bounds read (CVE-ID: CVE-2026-23318)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to improper input validation in the ALSA usb-audio driver when handling USB audio descriptors from a UAC3 device. An attacker with physical access can connect a malicious USB device presenting a truncated UAC3 header to cause out-of-bounds reads, leading to a denial of service.

Exploitation requires physical access to attach a malicious USB device.


88) Use After Free (CVE-ID: CVE-2026-23319)

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the bpf_trampoline_link_cgroup_shim component when handling BPF trampoline link operations. A local user can trigger a race condition to exploit a dangling reference in the cgroup shim trampoline program list and achieve arbitrary code execution or privilege escalation.

The issue arises because the reference count is reduced to zero and the resource is released before all references are fully cleaned up, creating a window where an already-freed resource can be accessed.


89) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23321)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the MPTCP subsystem when handling endpoint removal. A local user can send a specially crafted sequence of netlink commands to trigger a kernel warning and system instability.

The attacker must be able to create and remove MPTCP endpoints with specific flags and manipulate connection states, which requires access to the MPTCP netlink interface.


90) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23324)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the USB CAN driver (etas_es58x) when handling URB (USB Request Block) anchoring in the read bulk callback. A local user can trigger improper submission of an unanchored URB to cause a denial of service.

Exploitation requires access to the CAN device interface and the ability to trigger USB read operations.


91) Out-of-bounds write (CVE-ID: CVE-2026-23325)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the mt7996_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with a short length to trigger an out-of-bounds write access and crash the system.

Exploitation does not require authentication or user interaction.


92) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23330)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the NFC subsystem when closing a device. A local user can trigger a memory leak by closing an NFC device while a data exchange is pending, leading to resource exhaustion over time.

Memory is not properly released when a pending data exchange is left uncompleted during device closure, resulting in a gradual loss of available memory.


93) Improper input validation (CVE-ID: CVE-2026-23334)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the CAN USB driver (f81604) when handling interrupt URB messages. A local user can provide a specially crafted interrupt URB message with incorrect length to cause a denial of service.


94) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-23335)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization of stack memory in the RDMA/irdma subsystem when handling user-space requests. A local user can trigger the creation of an address handle via the irdma_create_user_ah() function to disclose up to 4 bytes of kernel stack memory.

The uninitialized reserved field in the irdma_create_ah_resp structure is copied to user space without being zeroed, leading to a kernel stack information leak.


95) Use After Free (CVE-ID: CVE-2026-23336)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free error in the cfg80211 component when unregistering a wiphy device. A local user can trigger the cancellation of rfkill_block work during wiphy unregistration to execute arbitrary code or cause a denial of service.

The issue arises because the rfkill_block work is not properly cancelled when the wiphy is being unregistered, leading to a use-after-free condition upon subsequent access.


96) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23339)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the NFC NCI component when handling early error paths in nci_transceive(). A local user can trigger error conditions to cause memory leaks.

Memory leaks occur due to a failure to free the socket buffer (skb) on early error returns, leading to gradual resource exhaustion.


97) Use After Free (CVE-ID: CVE-2026-23340)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the network scheduler (qdisc) component when resetting transmit queues for lockless qdiscs during changes in the number of real transmit queues. A local user can trigger a race condition between qdisc_reset() and the packet dequeue path, leading to use-after-free and potential execution of arbitrary code or system crash.

Exploitation requires the ability to modify network interface queue configurations, which typically requires local user privileges. The issue affects systems using lockless qdiscs such as pfifo_fast, especially under high network load and frequent queue resizing operations.


98) Integer overflow (CVE-ID: CVE-2026-23343)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service due to memory corruption.

The vulnerability exists due to improper input validation in the XDP (eXpress Data Path) subsystem when handling packet tailroom calculations. A local user can trigger a negative tailroom value that is interpreted as a large unsigned integer, leading to out-of-bounds memory access during XDP frame processing.

The issue arises when Ethernet drivers report fragment sizes smaller than the actual truesize, causing incorrect tailroom computation in functions such as bpf_xdp_frags_increase_tail().


99) Resource exhaustion (CVE-ID: CVE-2026-23347)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the CAN USB driver (f81604) when handling URB (USB Request Block) anchoring in the read bulk callback. A local user can trigger improper submission of an unanchored URB to cause a denial of service.

Exploitation requires local system access and interaction with the affected USB CAN device driver.


100) Use After Free (CVE-ID: CVE-2026-23351)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.

Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.


101) Type conversion (CVE-ID: CVE-2026-23352)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the EFI boot services memory release mechanism when processing memory map initialization during system boot. A local attacker can trigger the early release of boot services memory before deferred memory map initialization is complete, leading to unfreed memory pages and a memory leak.

The issue specifically occurs on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, where memblock_free_late() skips uninitialized pages, resulting in a significant memory leak—up to approximately 140MB on constrained systems like EC2 t3a.nano instances with only 512MB RAM.


102) Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CVE-ID: CVE-2026-23354)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper bounds checking in the x86/fred component when handling speculative execution of interrupts. A local user can trigger a use of an out-of-bounds array index during interrupt handling to execute arbitrary code.

The issue arises because the array index is spilled to the stack before use, making it vulnerable to speculative execution attacks.


103) Unchecked Return Value to NULL Pointer Dereference (CVE-ID: CVE-2026-23356)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of reference counting in the DRBD (Distributed Replicated Block Device) subsystem when processing I/O operations that cross activity log extent boundaries. A local user can trigger a sequence of I/O operations that result in an invalid reference count state, leading to a kernel BUG_ON condition and system crash.

The issue arises because the function drbd_al_begin_io_nonblock() may fail to acquire activity log references even when expected to succeed, yet continues execution without returning an error, resulting in inconsistent reference tracking during later I/O completion.


104) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23357)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper sequence of operations in the mcp251x CAN driver when handling error paths during device open. A local user can trigger the mcp251x_open function error path, which calls free_irq() while holding the mpc_lock mutex, leading to a deadlock if an interrupt is pending, resulting in a denial of service.

Exploitation requires access to the CAN device interface and the ability to trigger the error path in mcp251x_open.


105) Out-of-bounds write (CVE-ID: CVE-2026-23359)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a boundary error in the BPF devmap component when handling upper device interface indices. A local user can trigger a stack-out-of-bounds write by creating more than MAX_NEST_DEV (8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS and sending a packet to the device, leading to memory corruption.

To exploit this vulnerability, the attacker must have the ability to create macvlan devices and attach XDP programs, which requires local access and privileges to perform network configuration.


106) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23360)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the NVMe subsystem when handling controller resets. A local user can trigger a controller reset to cause a denial of service due to an admin queue leak.

The issue arises when nvme_alloc_admin_tag_set() is called during a controller reset while a previous admin queue still exists, leading to resource exhaustion over time.


107) Improper Synchronization (CVE-ID: CVE-2026-23361)

The vulnerability allows a local user to cause a denial of service, disclose sensitive information, and potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the PCI driver's MSI-X interrupt handling when unmapping the outbound ATU entry. A local user can trigger the dw_pcie_ep_raise_msix_irq() function to raise an MSI-X interrupt via a posted write transaction that may not complete before the associated ATU entry is unmapped, leading to memory corruption or IOMMU faults.

The issue arises because the writel() operation used to generate the PCI posted write transaction can return before the write reaches its destination, creating a race condition with the subsequent unmap operation. This can result in memory corruption on the host system, including potential access to unauthorized memory regions or system instability.


108) Memory corruption (CVE-ID: CVE-2026-23362)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the CAN BCM (Broadcast Manager) subsystem when handling runtime updates of bcm_op structures. A local user can send a specially crafted request to trigger a use of an uninitialized spinlock, leading to a system crash.

The issue specifically occurs in the bcm_rx_setup() function, where the bcm_tx_lock is not initialized when the RX_RTR_FRAME flag is set, which can lead to undefined behavior during lock operations.


109) Out-of-bounds write (CVE-ID: CVE-2026-23363)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the mt7925_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with a short length to trigger an out-of-bounds access and crash the system.

Exploitation does not require authentication or user interaction.


110) Observable discrepancy (CVE-ID: CVE-2026-23364)

The vulnerability allows a local user to obtain sensitive information.

The vulnerability exists due to improper timing handling in the ksmbd component when comparing message authentication codes (MACs). A local user can leverage timing differences during MAC comparison to infer sensitive information.

Exploitation requires local access and the ability to trigger MAC comparisons through the ksmbd subsystem.


111) Uncontrolled Recursion (CVE-ID: CVE-2026-23365)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to the physical access requirement.


112) Use of Uninitialized Variable (CVE-ID: CVE-2026-23367)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper initialization in the radiotap parser component when processing radiotap headers with undefined fields. A local user can provide a specially crafted radiotap header containing undefined field 18 to trigger uninitialized memory access and potentially execute arbitrary code.

The issue arises because iterator->_next_ns_data is not initialized when handling undefined fields in the standard radiotap namespace, leading to use of uninitialized data during subsequent checks.


113) Incorrect Register Defaults or Module Parameters (CVE-ID: CVE-2026-23368)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.

The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.


114) NULL Pointer Dereference (CVE-ID: CVE-2026-23369)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the i2c_i801 driver when handling ACPI I/O operations during system boot. A local user can trigger concurrent access to the i801 ACPI I/O handler, leading to a situation where the bus lock mechanism attempts to access a deregistered memory region, resulting in a kernel NULL pointer dereference and system crash.

Exploitation occurs during early boot when multiple udev threads concurrently collect device information, and no additional privileges beyond standard system access are required.


115) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2026-23370)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper output neutralization in the dell-wmi-sysman driver when handling password data. A local user can access kernel logs to disclose sensitive information.

The vulnerability specifically involves the logging of plaintext passwords via a hex dump in the set_new_password() function, which could expose current and new passwords.


116) Use After Free (CVE-ID: CVE-2026-23372)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the NFC raw socket (rawsock) component when handling socket teardown. A local user can trigger a race condition by terminating a process during active NFC transmission, leading to use-after-free or leaked references.

Exploitation requires an active NFC transmission and process interruption via a signal such as SIGKILL.


117) Improper Synchronization (CVE-ID: CVE-2026-23373)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper return value handling in the rsi_mac80211_config function within the RSI Wi-Fi driver when configuring 802.11 hardware. A local user can trigger a misconfigured hardware initialization to cause a denial of service.

The issue arises because the driver defaults to returning -EOPNOTSUPP instead of 0 during configuration, which triggers a WARN_ON in ieee80211_hw_conf_init, leading to disruptive behavior.


118) Improper Synchronization (CVE-ID: CVE-2026-23374)

The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the blktrace component when handling block I/O tracing operations. A local user can trigger a use of __this_cpu_read/write in a preemptible context to cause a kernel BUG and system crash.

The issue arises in process context where preemption is enabled, violating the requirement for preemption to be disabled when accessing per-CPU variables via __this_cpu_read/write. This can lead to undefined behavior including memory corruption.


119) Out-of-bounds read (CVE-ID: CVE-2026-23375)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the file_thp_enabled() function when handling files on anonymous inodes during memory operations. A local user can trigger memory operations such as MADV_COLLAPSE or rely on khugepaged activity to cause a kernel crash or trigger erroneous memory failure reports.

Exploitation does not require elevated privileges but requires the ability to create or access files on anonymous inodes such as guest_memfd or secretmem. The impact includes system crash or spurious memory failure warnings in the kernel log.


120) Out-of-bounds write (CVE-ID: CVE-2026-23378)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to improper memory access in the net/sched act_ife component when updating metadata lists during packet processing. A local user can send a specially crafted request to trigger an out-of-bounds memory write via the ife_tlv_meta_encode function.

Exploitation requires the ability to configure or trigger traffic control (tc) actions within the kernel, which is typically available to local users with sufficient privileges to manipulate network scheduling policies.


121) Function Call with Incorrectly Specified Arguments (CVE-ID: CVE-2026-23379)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ets_offload_change function when handling traffic control (tc) commands for ETS qdisc offloading. A local user can send a specially crafted request to trigger a divide-by-zero error, leading to a kernel oops and system crash.

The issue arises from unsigned 32-bit integer overflows in 'q_sum' and 'q_psum' variables during WRR weight computation, which can result in division by zero in the offload path.


122) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-23380)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the tracing_buffers_mmap_close function when handling memory mappings after a process forks. A local user can trigger a WARN_ON condition by manipulating VMA flags via madvise(MADV_DOFORK), leading to an invalid decrement of the user_mapped reference count and causing a denial of service.

The issue arises when an application removes the VM_DONTCOPY flag using madvise(MADV_DOFORK), allowing the child process to inherit the parent's VMAs without incrementing the reference count.


123) NULL Pointer Dereference (CVE-ID: CVE-2026-23381)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the bridge component when handling packets. A remote attacker can send a specially crafted ICMPv6 Neighbor Discovery packet to trigger a kernel NULL pointer dereference.

IPv6 must be disabled via the 'ipv6.disable=1' kernel parameter for the vulnerability to be exploitable.


124) NULL Pointer Dereference (CVE-ID: CVE-2026-23382)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper pointer validation in HID subsystem raw_event callbacks when processing input from unclaimed HID devices. A remote attacker can send specially crafted HID reports to trigger a NULL pointer dereference and crash the system.

Exploitation does not require user interaction or prior authentication.


125) Unchecked Error Condition (CVE-ID: CVE-2026-23383)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper memory alignment in the BPF JIT compiler when handling 64-bit atomic operations on arm64. A local user can trigger execution of a specially crafted BPF program to cause a torn read of a 64-bit jump target, leading to control flow hijacking and arbitrary code execution.

Exploitation requires the ability to load and execute BPF programs, which is typically available to unprivileged users in modern Linux distributions with CONFIG_BPF_JIT enabled.


126) Out-of-bounds write (CVE-ID: CVE-2026-23386)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the gve_tx_clean_pending_packets() function in the Google Virtual Ethernet (gve) driver when handling packet transmission cleanup in DQ-QPL mode. A local user can trigger improper buffer cleanup by causing the transmission path to fail, leading to out-of-bounds memory access and system crash.

The issue arises because the function incorrectly uses the RDA buffer cleanup path in QPL mode, resulting in accessing memory beyond the bounds of the dma array, which shares storage with tx_qpl_buf_ids. This can be triggered during normal operation under specific error conditions.


127) Use-after-free (CVE-ID: CVE-2026-23387)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to a use-after-free error within the cs42l43_pin_probe() function in drivers/pinctrl/cirrus/pinctrl-cs42l43.c. A local user can trigger a double-put use-after-free error and crash the OS kernel.


128) Out-of-bounds write (CVE-ID: CVE-2026-23388)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the Squashfs filesystem component when processing a crafted filesystem image. A local user can mount a malicious Squashfs image to cause a general protection fault and crash the system.

Exploitation requires the ability to mount a specially crafted filesystem image, which typically requires user privileges but not root access.


129) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23389)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the ice_set_ringparam() function when processing ring parameter configuration. A local user can trigger improper memory deallocation to cause a denial of service.

Exploitation requires access to the network interface control functionality, which is typically available to local users with network configuration privileges.


130) Resource exhaustion (CVE-ID: CVE-2026-23391)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the netfilter xt_CT module when handling packet queueing. A local user can trigger the queuing of packets that reference templates, which, upon removal of the template, are not properly flushed, leading to resource exhaustion and system instability.

Templates such as connection tracking helpers or timeout policies may be removed during module unloading or via nfnetlink_cttimeout, leaving packets enqueued without valid references.


131) Use After Free (CVE-ID: CVE-2026-23392)

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.

Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.


132) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23393)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the bridge CFM component when handling peer MEP deletion. A local user can trigger the deletion of a peer MEP, leading to a use-after-free condition if a delayed work item is rescheduled after cancellation but before memory is freed, resulting in a system crash.

The race condition occurs because br_cfm_frame_rx() runs in softirq context under RCU read lock and can re-schedule the delayed work between the cancellation and the memory release.


133) Out-of-bounds write (CVE-ID: CVE-2026-23395)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the Bluetooth L2CAP component when handling L2CAP_ECRED_CONN_REQ packets. A remote attacker can send a specially crafted sequence of L2CAP connection requests with the same command identifier to cause an overflow in channel allocation, leading to a denial of service.

Exploitation requires proximity to initiate a Bluetooth connection. The issue arises from failure to check for duplicate command identifiers during Enhanced Credit Control connection setup.


134) NULL pointer dereference (CVE-ID: CVE-2026-23396)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to improper pointer dereference in the mesh_matches_local() function in the Linux kernel's mac80211 subsystem when handling Wi-Fi mesh action frames. An attacker with physical access can send a specially crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE to cause a kernel NULL pointer dereference, resulting in a system crash.

The vulnerability specifically affects Wi-Fi mesh mode processing and requires the attacker to be within radio range to transmit the malicious frame. No authentication or user interaction is required for exploitation.


135) Out-of-bounds read (CVE-ID: CVE-2026-23397)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the nfnetlink_osf component when handling TCP option fingerprints. A remote attacker can send a specially crafted request to cause a denial of service.

Exploitation involves sending malicious TCP packets with zero-length options or MSS options with length less than 4, leading to NULL pointer dereference and out-of-bounds reads during packet matching.


136) NULL pointer dereference (CVE-ID: CVE-2026-23398)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the icmp_tag_validation function when handling ICMP Fragmentation Needed error messages with a quoted inner IP header containing an unregistered protocol number. A remote attacker can send a specially crafted ICMP packet to cause a kernel panic in softirq context.

Exploitation requires the target system to have ip_no_pmtu_disc set to 3 (hardened PMTU mode).


137) Memory leak (CVE-ID: CVE-2026-23399)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the nf_tables subsystem when handling stateful expressions in dynamic sets. A local user can trigger a memory leak by causing a failure during the cloning of stateful expressions, leading to unbounded memory consumption over time.

The issue occurs in the nft_dynset component when GFP_ATOMIC allocation fails, leaving the first stateful expression unreleased.


138) Improper resource shutdown or release (CVE-ID: CVE-2026-23401)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of SPTE updates in KVM MMU when installing emulated MMIO SPTEs. A local user can trigger a page fault after host userspace modifies guest memory mappings to switch from memslot to emulated MMIO. KVM then attempts to mark an already present SPTE as MMIO, which results in a kernel warning and potential guest crash. A local user can send a specially crafted request to cause a denial of service.

The issue arises when KVM fails to drop the existing shadow-present SPTE before installing an MMIO SPTE, resulting in inconsistent MMU state and triggering a kernel warning that can crash the guest.


139) Use-after-free (CVE-ID: CVE-2026-23412)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in nfnl_hook_dump_one when dumping hooks via nfnetlink_hooks during concurrent access. A local attacker can trigger concurrent hook dump activity to cause a denial of service.

The issue is triggered by a race condition involving concurrent readers and may lead to a kernel crash.


140) Use-after-free (CVE-ID: CVE-2026-23413)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in the clsact qdisc when handling init and destroy rollback after a replacement failure. A local attacker can trigger a replacement failure during clsact initialization to cause a denial of service.

The issue occurs because ingress may be initialized before egress initialization fails, after which destroy logic can operate on stale state from the previous clsact instance.


141) Memory leak (CVE-ID: CVE-2026-23414)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in tls_decrypt_async_wait() and the async_hold queue when processing pending asynchronous TLS decrypt operations. A local user can trigger a partial failure during message hold handling to cause a denial of service.

This issue results in a memory leak because cloned skbs added to the async_hold queue may not be released in some fallback paths after pending AEAD operations are synchronized. No user interaction is required.


142) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-23417)

The vulnerability allows a local user to bypass constant blinding in JIT-compiled BPF code.

The vulnerability exists due to improper handling of BPF_PROBE_MEM32 immediate stores in bpf_jit_blind_insn() when processing BPF programs for JIT compilation. A local user can supply a BPF program with user-controlled 32-bit immediates to bypass constant blinding in JIT-compiled BPF code.

The issue occurs when BPF_ST|BPF_MEM instructions are rewritten to BPF_ST|BPF_PROBE_MEM32 during verification before constant blinding runs, causing the immediate store instruction to fall through unblinded when JIT hardening is enabled.


143) Deadlock (CVE-ID: CVE-2026-23419)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a circular locking dependency in rds_tcp_tune when upgrading network reference counting while holding the socket lock. A local user can trigger the vulnerable code path to cause a denial of service.

The issue is caused by memory allocation occurring under the socket lock, creating a lock dependency with fs_reclaim in the Linux kernel RDS TCP code path.


144) Improper locking (CVE-ID: CVE-2026-23420)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in wlcore when handling wireless operations. A local user can trigger the affected code path to cause a denial of service.

The issue is caused by unlocking wl->mutex without ensuring that it is locked first.


145) Out-of-bounds read (CVE-ID: CVE-2026-23422)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in the dpaa2-switch IRQ handler when handling a bad if_id value. A local attacker can trigger an out-of-bounds if_id condition to cause a denial of service.

If an out-of-bounds if_id is detected, the interrupt status is not cleared, which may result in an interrupt storm.


146) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-23426)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a device node reference leak in logicvc_drm_config_parse() when parsing the "layers" node from the device tree. A local user can trigger the vulnerable code path to cause a denial of service.

The issue results from a missing release of the reference returned by of_get_child_by_name(). No user interaction is required.


147) Use-after-free (CVE-ID: CVE-2026-23427)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in parse_durable_handle_context() when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. A remote attacker can send a specially crafted replay request to cause a denial of service.

The issue occurs during durable v2 replay of active file handles because an active file handle connection pointer can be overwritten and later dereferenced after the overwriting connection is freed.


148) Use-after-free (CVE-ID: CVE-2026-23428)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in smb2_get_ksmbd_tcon compound request handling when processing crafted compound SMB requests. A remote attacker can send a compound request that disconnects a tree connection and then triggers subsequent commands to dereference freed share_conf data to cause a denial of service.

The issue occurs because the compound request reuse path reuses work->tcon without validating that t_state remains TREE_CONNECTED after an SMB2_TREE_DISCONNECT operation.


149) Race condition (CVE-ID: CVE-2026-23434)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nand_lock() and nand_unlock() when serializing lock and unlock operations against other NAND operations. A local user can trigger concurrent NAND operations to cause a denial of service.

The issue occurs because chip->ops.lock_area and unlock_area are called without holding the NAND device lock, which can result in cmd_pending conflicts on the NAND controller during concurrent UBI/UBIFS background erase or write operations.


150) NULL pointer dereference (CVE-ID: CVE-2026-23438)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mvpp2_bm_switch_buffers() when switching between per-cpu and shared buffer pool modes. A local user can trigger a buffer mode switch, such as by changing the MTU across the jumbo frame threshold, to cause a denial of service.

The issue occurs when the CM3 SRAM resource is not present in the device tree, leaving priv->cm3_base NULL while flow control updates are still attempted.


151) NULL pointer dereference (CVE-ID: CVE-2026-23439)

The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in udp_sock_create6() and its caller fou_create() when handling netlink requests with CONFIG_IPV6 disabled. A local privileged user can send a specially crafted netlink request to cause a denial of service.

Only privileged users can trigger the issue, and exploitation requires a kernel built with CONFIG_IPV6 disabled.


152) Race condition (CVE-ID: CVE-2026-23440)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the net/mlx5e IPSec ESN update handling path when processing ESN wrap events in IPSec full offload mode. A local user can trigger duplicate ESN update handling to cause a denial of service.

Processing the same event twice can incorrectly increment the ESN high-order bits and program invalid ESN state into hardware, resulting in anti-replay failures and a complete halt of IPSec traffic.


153) Race condition (CVE-ID: CVE-2026-23441)

The vulnerability allows a local user to cause unexpected behavior and incorrect results.

The vulnerability exists due to a race condition in the IPSec ASO context handling in the mlx5e driver when processing concurrent IPSec offload ASO operations. A local user can trigger concurrent query or update operations to cause unexpected behavior and incorrect results.

The issue arises because a shared DMA-mapped context is used for ASO operations and can be overwritten before earlier hardware processing completes.


154) NULL pointer dereference (CVE-ID: CVE-2026-23442)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in seg6_hmac_validate_skb() and ipv6_srh_rcv() when processing SRv6 paths on a device without IPv6 configuration. A remote attacker can send specially crafted IPv6 traffic to cause a denial of service.

The issue occurs when __in6_dev_get() returns NULL, such as on a device with no IPv6 configuration, including after device unregister or when the MTU is below the IPv6 minimum MTU.


155) Memory leak (CVE-ID: CVE-2026-23444)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper memory management in ieee80211_tx_prepare_skb() when processing transmit skbs. A local attacker can trigger an error path that does not free an skb to cause a denial of service.

The issue affects the first error path where ieee80211_tx_prepare() returns TX_DROP, resulting in inconsistent skb handling compared to the other error paths.


156) Use-after-free (CVE-ID: CVE-2026-23445)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the igc driver XDP TX timestamp handling when shutting down an XDP application with TX timestamping while the interface link remains up. A local user can trigger TX ring shutdown and concurrent IRQ handling to cause a denial of service.

The issue occurs because stale xsk_meta pointers remain after TX ring shutdown and are later accessed by the interrupt handler, leading to a kernel page fault. TX timestamps on other queues remain unaffected.


157) Improper locking (CVE-ID: CVE-2026-23446)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper control of interaction with the power management subsystem in aqc111_suspend when handling a suspend callback. A local attacker can trigger a suspend operation to cause a denial of service.

The issue can lead to a hung task in rpm_resume and block another task holding rtnl_lock, which can lock up the networking stack.


158) Out-of-bounds read (CVE-ID: CVE-2026-23447)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp32() when processing a crafted NDP32 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.

The issue occurs because the DPE array size is validated against the total skb length without accounting for ndpoffset, allowing reads beyond the intended bounds when the NDP32 is placed near the end of the NTB.


159) Out-of-bounds read (CVE-ID: CVE-2026-23448)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp16() and cdc_ncm_rx_fixup() when parsing a crafted NDP16 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.

The issue occurs because the DPE array size check does not account for ndpoffset, allowing DPE entries near the end of the buffer to extend past the skb data buffer and be read out of bounds.


160) Double free (CVE-ID: CVE-2026-23449)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.

The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.


161) NULL pointer dereference (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.

The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.


162) Use-after-free (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.

The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.


163) Use-after-free (CVE-ID: CVE-2026-23452)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.

The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.


164) Use-after-free (CVE-ID: CVE-2026-23454)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in mana_hwc_destroy_channel() when tearing down hardware channels while interrupt handlers are still executing. A local attacker can trigger concurrent channel teardown and interrupt handling to cause a denial of service.

The issue is caused by a race condition where caller_ctx may be freed before the completion queue and event queue are destroyed, which can lead to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().


165) Out-of-bounds read (CVE-ID: CVE-2026-23455)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.


166) Out-of-bounds read (CVE-ID: CVE-2026-23456)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in decode_int() in nf_conntrack_h323 when parsing malformed H.323/RAS packets. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue can result in a 1-4 byte slab out-of-bounds read.


167) Integer overflow (CVE-ID: CVE-2026-23457)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer truncation in nf_conntrack_sip when parsing the SIP Content-Length header in sip_help_tcp() over TCP. A remote attacker can send a specially crafted SIP message with an oversized Content-Length value to cause a denial of service.

On 64-bit systems, a Content-Length value exceeding UINT_MAX can be truncated before the SIP message boundary is computed, causing trailing TCP segment data to be treated as a second SIP message and processed through the SDP parser.


168) Use-after-free (CVE-ID: CVE-2026-23458)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.

The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.


169) NULL pointer dereference (CVE-ID: CVE-2026-23460)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rose_transmit_link in the ROSE socket implementation when closing a socket after a second connect() call is issued while the first connection attempt is still in progress. A local user can trigger repeated connect() calls and then close the socket to cause a denial of service.

The issue occurs when the socket is in TCP_SYN_SENT state and the reconnect path leaves rose->state as ROSE_STATE_1 with rose->neighbour set to NULL before the close path reaches rose_transmit_link().


170) Use-after-free (CVE-ID: CVE-2026-23461)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in l2cap_unregister_user when accessing conn->users and conn->hchan concurrently with l2cap_conn_del(). A local attacker can trigger a race condition to cause a denial of service.

The issue is caused by inconsistent locking on the l2cap_conn structure and may also result in list corruption.


171) Use-after-free (CVE-ID: CVE-2026-23462)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the HIDP subsystem when handling a user->remove callback without dropping the l2cap_conn reference. A local user can trigger the affected code path to cause a denial of service.

The issue is in the Linux kernel Bluetooth HIDP code path and is evidenced by a kernel crash trace during connection cleanup.


172) Race condition (CVE-ID: CVE-2026-23463)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in qman_destroy_fq when freeing and reallocating dynamic fqids. A local user can trigger concurrent qman_destroy_fq() and qman_create_fq() operations to cause a denial of service.

The issue occurs when QMAN_FQ_FLAG_DYNAMIC_FQID is set and may trigger a WARN_ON() due to inconsistent fq_table state during fqid reuse.


173) Memory leak (CVE-ID: CVE-2026-23464)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a memory leak in mpfs_sys_controller_probe() when probing the system controller device. A local attacker can trigger an error path that fails to free allocated memory to cause a denial of service.

This issue occurs if of_get_mtd_device_by_node() fails after memory for sys_controller has been allocated.


174) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-23465)

The vulnerability allows a local user to cause data loss.

The vulnerability exists due to improper handling of directory entry logging in btrfs directory logging when logging the parent directory of a conflicting inode during fsync and log replay conditions. A local user can create and remove directories and files and trigger fsync operations to cause data loss.

After a power failure and log replay, newly created directory entries may be missing because the parent directory can be marked as logged without its new dentries being recorded.


175) Improper access control (CVE-ID: CVE-2026-23466)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in GGTT MMIO access protection when tearing down the xe driver after a failed driver load or asynchronous buffer object cleanup. A local user can trigger access to the GGTT MMIO region after teardown begins to cause a denial of service.

The issue occurs because existing protection based on drm_dev_enter is insufficient if driver load fails, and buffer objects with GGTT mappings may be freed asynchronously by worker threads.


176) Deadlock (CVE-ID: CVE-2026-23470)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in the soft reset sequence in the drm/imagination driver when handling interrupts. A local user can trigger a soft reset to cause a denial of service.

The issue results in a deadlock because the soft reset sequence is executed from the threaded IRQ handler.


177) Out-of-bounds read (CVE-ID: CVE-2026-23474)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the RedBoot partition table parser when parsing a RedBoot partition table. A local attacker can trigger the parser with crafted partition table data to cause a denial of service.

The issue can lead to a kernel warning and boot crash on systems built with CONFIG_FORTIFY_SOURCE enabled and a recent compiler.


178) NULL pointer dereference (CVE-ID: CVE-2026-23475)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the SPI controller sysfs attributes when handling sysfs attribute access before controller statistics allocation. A remote attacker can access the affected sysfs attributes during this window to cause a denial of service.

The issue occurs because controller per-cpu statistics are not allocated until after the controller has been registered, creating a race window that can crash the kernel.


179) Use-after-free (CVE-ID: CVE-2026-31389)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the spi controller registration logic when handling controller registration failure. A local attacker can trigger controller registration failure to cause a denial of service.

The issue occurs if per-cpu statistics allocation fails during controller registration, which can lead to use-after-free of driver resources and unclocked register accesses.


180) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31391)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the atmel-sha204a crypto driver when memory allocation fails during read handling. A local user can trigger memory allocation failure conditions to cause a denial of service.

The issue can block future reads because tfm_count is not decremented after an out-of-memory condition.


181) Improper access control (CVE-ID: CVE-2026-31392)

The vulnerability allows a local user to gain access to a share using incorrect credentials.

The vulnerability exists due to improper access control in the smb client session matching logic when processing cifs mounts with sec=krb5 and a username mount option. A local user can mount another share with a different username option to gain access to a share using incorrect credentials.

The issue occurs when Kerberos mounts reuse an SMB session from a previous mount even though a different username was specified, which can cause a mount that should fail with -ENOKEY to proceed with the first user's session.


182) Out-of-bounds read (CVE-ID: CVE-2026-31393)

The vulnerability allows a remote attacker to disclose adjacent memory contents.

The vulnerability exists due to an out-of-bounds read in l2cap_information_rsp() when processing a truncated L2CAP_INFO_RSP packet with a successful result. A remote attacker can send a specially crafted Bluetooth L2CAP response to disclose adjacent memory contents.

The issue occurs because the code reads response payload data beyond the validated fixed header length for L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN cases.


183) NULL pointer dereference (CVE-ID: CVE-2026-31394)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in ieee80211_chan_bw_change for AP_VLAN stations when processing channel bandwidth changes during CSA. A local attacker can trigger the vulnerable code path to cause a denial of service.

The issue affects stations on AP_VLAN interfaces such as 4addr WDS clients, where link reservation data can remain zero-initialized with a NULL channel pointer.


184) Use-after-free (CVE-ID: CVE-2026-31396)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the macb PTP clock handling code when handling ethtool get_ts_info requests while the network interface is present but the PTP clock has been destroyed. A local user can issue a crafted ioctl request to trigger a use-after-free access and cause a denial of service.

The issue is reachable through the get_ts_info ethtool call and affects the Linux kernel macb network driver PTP clock lifecycle.


185) Use-after-free (CVE-ID: CVE-2026-31399)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in nd_async_device_register() when handling asynchronous device initialization after device_add() failure. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because the parent pointer may be accessed after the device reference count drops to zero. No user interaction is required.


186) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31400)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in cache_release when closing a reader file descriptor during a partial read of a cache_request. A local user can close a file descriptor in that state to cause a denial of service.

The issue occurs because the request readers count is decremented without freeing the cache_request when the count reaches zero and CACHE_PENDING is clear, which can result in a memory leak.


187) Stack-based buffer overflow (CVE-ID: CVE-2026-31401)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to stack-based buffer overflow in hid_hw_request when processing an arbitrary return value from HID-BPF raw requests. A local user can supply a crafted return value through HID-BPF struct_ops to cause a denial of service.

The issue occurs because the returned value from dispatch_hid_bpf_raw_requests() is not guaranteed to be valid and can be arbitrarily large when using HID-BPF.


188) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.


189) Use-after-free (CVE-ID: CVE-2026-31403)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the /proc/fs/nfs/exports proc entry handling when reading from a still-open file descriptor after the associated network namespace is torn down. A local user can keep the file descriptor open across namespace teardown and perform subsequent reads to cause a denial of service.

The issue occurs because the open file captures the current network namespace and stores its export cache without holding a reference to the namespace for the lifetime of the file descriptor.


190) Out-of-bounds read (CVE-ID: CVE-2026-31405)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read in handle_one_ule_extension() extension handler tables when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.

The out-of-bounds value may be dereferenced and called as a function pointer.


191) Race condition (CVE-ID: CVE-2026-31406)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in xfrm_nat_keepalive_net_fini() and nat_keepalive_work when cleaning up network namespaces. A local user can trigger network namespace cleanup to cause a denial of service.

The issue occurs because delayed work may be re-scheduled after cancellation and then execute on a freed net structure.


192) Improper input validation (CVE-ID: CVE-2026-31407)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the sctp netlink attribute handling when processing crafted netlink attributes. A remote attacker can supply an invalid CTA_PROTOINFO_SCTP_STATE value to cause a denial of service.


193) Out-of-bounds read (CVE-ID: CVE-2026-31407)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the sctp and ctnetlink netlink attribute handling when processing crafted netlink attributes. A remote attacker can send specially crafted netlink messages to disclose sensitive information.

The issue is caused by missing validation of user-supplied netlink attribute values before they are used by the kernel.


194) Use-after-free (CVE-ID: CVE-2026-31408)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.

The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.


195) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31409)

The vulnerability allows a remote user to bypass session isolation.

The vulnerability exists due to improper state management in the ksmbd connection binding state when processing a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING that fails. A remote user can send a failed binding request to bypass session isolation.

The issue occurs because subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table after the connection remains in a binding state.


196) Information disclosure (CVE-ID: CVE-2026-31410)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to an error within the smb2_get_info_filesystem() function in fs/smb/server/smb2pdu.c when working with volume identifiers. A remote user can force ksmbd to return information related to the wrong volume.


197) Improper input validation (CVE-ID: CVE-2026-31411)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in sigd_send() when handling sendmsg() input containing a forged vcc pointer. A local user can send a specially crafted message to cause a denial of service.

Exploitation requires control of the ATM signaling daemon role via the ATMSIGD_CTRL ioctl.


198) Integer overflow (CVE-ID: CVE-2026-31412)

The vulnerability allows a remote attacker to cause memory corruption or out-of-bounds access.

The vulnerability exists due to integer overflow in check_command_size_in_blocks() when processing crafted SCSI READ or WRITE commands from a USB host. A remote attacker can send a specially crafted command requesting a large amount of data to cause memory corruption or out-of-bounds access.

The issue occurs because a left shift of the command-derived data size by the logical block size can wrap around and truncate the resulting byte count.
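
The wrap-around described for this entry, modelled in userspace C as an added example (this is not the kernel's code; the function names, the 32-bit width and the 64 KiB limit are assumptions made for illustration). It shows a block count whose shifted byte size loses its high bits and then passes a limit check that the real size would fail, next to a form that rejects the shift when bits would be lost.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-command transfer limit, chosen for the illustration. */
#define MAX_TRANSFER_BYTES 65536u

/* Unchecked form: the command-derived block count is shifted by the
 * logical block size. Bits shifted past bit 31 are silently dropped.
 * Callers in this example only pass blkbits < 32. */
static uint32_t size_in_bytes_unchecked(uint32_t blocks, unsigned blkbits)
{
    return blocks << blkbits;
}

/* Checked form: refuse the conversion if the shift would drop bits. */
static bool size_in_bytes_checked(uint32_t blocks, unsigned blkbits,
                                  uint32_t *bytes)
{
    if (blkbits >= 32)
        return false;
    if (blocks > (UINT32_MAX >> blkbits))
        return false;               /* result would not fit in 32 bits */
    *bytes = blocks << blkbits;
    return true;
}

/* A limit check built on the unchecked size accepts a wrapped value. */
static bool accept_unchecked(uint32_t blocks, unsigned blkbits)
{
    return size_in_bytes_unchecked(blocks, blkbits) <= MAX_TRANSFER_BYTES;
}

/* The same limit check built on the checked size. */
static bool accept_checked(uint32_t blocks, unsigned blkbits)
{
    uint32_t bytes;

    return size_in_bytes_checked(blocks, blkbits, &bytes) &&
           bytes <= MAX_TRANSFER_BYTES;
}

int main(void)
{
    /* Constructed inputs: 512-byte logical blocks (shift of 9). */
    const uint32_t samples[] = { 8u, 128u, 0x00800001u };
    const unsigned blkbits = 9;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t real = (uint64_t)samples[i] << blkbits;

        printf("blocks=0x%08x real=%llu truncated=%u unchecked=%s checked=%s\n",
               (unsigned)samples[i], (unsigned long long)real,
               (unsigned)size_in_bytes_unchecked(samples[i], blkbits),
               accept_unchecked(samples[i], blkbits) ? "accept" : "reject",
               accept_checked(samples[i], blkbits) ? "accept" : "reject");
    }
    return 0;
}
```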


199) Use-after-free (CVE-ID: CVE-2026-31414)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.

The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.


200) Integer overflow (CVE-ID: CVE-2026-31415)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in ip6_datagram_send_ctl() when processing repeated IPV6_DSTOPTS control messages. A local user can send specially crafted ancillary data to cause a denial of service.

Exploitation can trigger a kernel panic through skb_under_panic(), and unprivileged exploitation is possible in environments where unprivileged user namespaces are enabled and the attacker can obtain namespaced CAP_NET_RAW.


201) Incorrect calculation (CVE-ID: CVE-2026-31416)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper calculation of netlink header size in nfnetlink_log when processing netlink messages. A local user can send a specially crafted netlink message to cause a denial of service.

The issue results in a kernel warning and the affected netlink message being dropped, with no other explicitly stated effects.


202) Integer overflow (CVE-ID: CVE-2026-31417)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the x25 packet reassembly logic when accumulating fragmented packets. A local user can send specially crafted packets to cause a denial of service.


203) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.


204) NULL pointer dereference (CVE-ID: CVE-2026-31421)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in fw_classify() in the cls_fw packet classifier when classifying a packet after attaching an empty cls_fw filter to a shared block using the old method without TCA_OPTIONS. A local user can attach such a filter and trigger packet classification with a nonzero major skb mark to cause a denial of service.

The issue occurs because shared blocks leave block->q NULL in the old-method path.


205) NULL pointer dereference (CVE-ID: CVE-2026-31422)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in flow_change() in the cls_flow classifier when creating a flow filter without a fully qualified baseclass on a shared block. A local user can create such a flow filter to cause a denial of service.


206) Division by zero (CVE-ID: CVE-2026-31423)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero error in rtsc_min() in the HFSC scheduler when processing crafted traffic control parameters. A local user can supply values that make the truncated divisor become zero to cause a denial of service.

The issue is triggered in the concave-curve intersection path.


207) Improper access control (CVE-ID: CVE-2026-31424)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in xt_check_match/xt_check_target extension validation in x_tables when processing ARP chains through nft_compat. A local user can load a match or target with incompatible hook assumptions to cause a denial of service.

The issue can result in a NULL pointer dereference and kernel panic when extensions registered with NFPROTO_UNSPEC are used on ARP hooks with different semantics.


208) NULL pointer dereference (CVE-ID: CVE-2026-31425)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rds_ib_get_mr() when processing sendmsg() requests with the RDS_CMSG_RDMA_MAP control message on a connection before IB connection establishment. A local user can send a specially crafted sendmsg request to cause a denial of service.

The issue occurs on a fresh outgoing connection before the rdma_cm_id and queue pair have been created.


209) Use-after-free (CVE-ID: CVE-2026-31426)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in acpi_ec_space_handler() when handling AML evaluation that accesses an EC OpRegion field after probe deferral leaves a stale handler context. A local user can trigger a sysfs read that causes AML to touch an EC OpRegion to cause a denial of service.

The issue occurs on reduced-hardware EC platforms when the GPIO IRQ provider defers probing.


210) Use of Uninitialized Variable (CVE-ID: CVE-2026-31427)

The vulnerability allows a remote attacker to cause incorrect SDP address rewriting.

The vulnerability exists due to use of uninitialized memory in process_sdp in nf_conntrack_sip when processing SDP bodies. A remote attacker can send a specially crafted SDP message to cause incorrect SDP address rewriting.

When stack auto-initialization is enabled, the rewritten session-level addresses may become 0.0.0.0; otherwise, stale stack data may be used.


211) Use of Uninitialized Variable (CVE-ID: CVE-2026-31428)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized padding in the NFULA_PAYLOAD netlink attribute in nfnetlink_log when constructing packet messages for the NFLOG netlink socket. A local user can read the leaked padding bytes to disclose sensitive information.

The issue leaks stale heap contents to userspace when the payload length is not 4-byte aligned.
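
The padding leak described for this entry, modelled in userspace C as an added example (this is not the nfnetlink_log code; the helper names, the attribute type value and the 0xAA marker standing in for stale heap data are assumptions made for illustration). Netlink attributes carry a 4-byte header and are padded to a 4-byte boundary, so a payload whose length is not a multiple of 4 leaves 1 to 3 trailing bytes that the builder must clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_HDRLEN 4u   /* 16-bit length followed by 16-bit type */

struct attr_hdr {
    uint16_t len;        /* header + payload, padding NOT included */
    uint16_t type;
};

/* Round an attribute length up to the 4-byte attribute alignment. */
static size_t attr_align(size_t len)
{
    return (len + 3) & ~(size_t)3;
}

/* Leaky builder: writes header and payload, reserves the aligned
 * length, and leaves the padding bytes as they were in the buffer. */
static size_t put_attr_leaky(uint8_t *buf, uint16_t type,
                             const void *data, uint16_t plen)
{
    struct attr_hdr h = { (uint16_t)(ATTR_HDRLEN + plen), type };

    memcpy(buf, &h, sizeof h);
    memcpy(buf + ATTR_HDRLEN, data, plen);
    return attr_align(ATTR_HDRLEN + plen);
}

/* Corrected builder: same layout, but the padding is zeroed. */
static size_t put_attr_zeroed(uint8_t *buf, uint16_t type,
                              const void *data, uint16_t plen)
{
    size_t used = ATTR_HDRLEN + plen;
    size_t total = put_attr_leaky(buf, type, data, plen);

    memset(buf + used, 0, total - used);
    return total;
}

/* Count padding bytes that still hold the stale marker value. */
static size_t stale_padding_bytes(const uint8_t *buf, uint16_t plen,
                                  uint8_t marker)
{
    size_t used = ATTR_HDRLEN + plen, total = attr_align(used), n = 0;

    for (size_t i = used; i < total; i++)
        if (buf[i] == marker)
            n++;
    return n;
}

/* Build one attribute (plen <= 16) in a buffer pre-filled with 0xAA
 * and report how many stale bytes would be sent to the receiver. */
static size_t demo(int zeroed, uint16_t plen)
{
    uint8_t buf[64], payload[16];

    memset(buf, 0xAA, sizeof buf);         /* constructed "stale heap" */
    memset(payload, 0x11, sizeof payload); /* constructed packet bytes */
    if (zeroed)
        put_attr_zeroed(buf, 1, payload, plen);
    else
        put_attr_leaky(buf, 1, payload, plen);
    return stale_padding_bytes(buf, plen, 0xAA);
}

int main(void)
{
    for (uint16_t plen = 4; plen <= 8; plen++)
        printf("payload=%u leaky=%zu zeroed=%zu\n", (unsigned)plen,
               demo(0, plen), demo(1, plen));
    return 0;
}
```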


212) Double free (CVE-ID: CVE-2026-31429)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a cross-cache free in skb_kfree_head() when freeing KFENCE-allocated skb head data. A local user can trigger allocation and freeing of a specially sized skb head object to cause a denial of service.

Exploitation requires KFENCE to be enabled.


213) Out-of-bounds read (CVE-ID: CVE-2026-31430)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the X.509 extension parser when parsing a certificate with an empty Basic Constraints or Key Usage extension. A local user can submit a specially crafted certificate through the keyrings(7) API to cause a denial of service.


214) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31431)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper memory handling within the authencesn cryptographic template in algif_aead when processing AEAD operations. A local user can trigger the vulnerable code path to execute arbitrary code on the system.

Note: this vulnerability was dubbed "Copy Fail".


215) Out-of-bounds write (CVE-ID: CVE-2026-31432)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in smb2_get_info_sec() and build_sec_desc() when processing compound requests that include QUERY_INFO for security descriptors. A remote user can send a specially crafted compound request to cause a denial of service.

The issue is triggered when an earlier command in the same compound request consumes most of the response buffer, such as a READ request preceding QUERY_INFO(Security).


216) Out-of-bounds write (CVE-ID: CVE-2026-31433)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in get_file_all_info() when processing a compound QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) request. A remote user can send a specially crafted compound request to cause a denial of service.

The issue is triggered when the first command in the compound request consumes nearly the entire maximum transaction size.


217) Memory leak (CVE-ID: CVE-2026-31434)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in create_space_info_sub_group() and check_removing_space_info() when removing sub-group space_info sysfs objects. A local user can trigger creation and removal of these elements to cause a denial of service.

The issue can be reproduced with the blktests zbd/009 test case on systems built with CONFIG_DEBUG_KMEMLEAK.


218) Double free (CVE-ID: CVE-2026-31436)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.

The issue can also result in descriptor leaks.


219) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31438)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of unsupported iterator types in netfs_limit_iter() when writing a core dump to a 9P filesystem. A local user can crash a process to trigger kernel handling of an ITER_KVEC iterator and cause a denial of service.


220) Improper handling of exceptional conditions (CVE-ID: CVE-2026-31439)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper exception handling in the xdma driver regmap initialization logic when initializing mmio regmap access. A local user can trigger the vulnerable initialization path to cause a denial of service.


221) Improper resource shutdown or release (CVE-ID: CVE-2026-31440)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the idxd dmaengine driver when removing a device after a reset. A local user can trigger device removal to cause a denial of service.

The issue occurs because the reset clears configuration registers before event log memory deallocation is checked.


222) Improper resource shutdown or release (CVE-ID: CVE-2026-31441)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in idxd workqueue reset handling when resetting a workqueue. A local user can trigger a workqueue reset to cause a denial of service.


223) Use-after-free (CVE-ID: CVE-2026-31446)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in ext4 update_super_work when racing with filesystem unmount. A local user can trigger error notification activity during unmount to cause a denial of service.

The issue occurs because sysfs notification may access a freed kernfs_node after sysfs teardown during the race.


224) Improper input validation (CVE-ID: CVE-2026-31447)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ext4 mount handling when mounting a crafted ext4 filesystem with bigalloc enabled and s_first_data_block set to a non-zero value. A local user can mount a specially crafted filesystem image to cause a denial of service.


225) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31448)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_ext_map_blocks() and ext4_xattr_block_set() when handling mkdir or mknod operations after a failed extent insertion. A local user can trigger filesystem operations that leave residual extent metadata to cause a denial of service.

The issue can result in an infinite loop and prolonged blocking while the inode lock is not released.


226) Out-of-bounds read (CVE-ID: CVE-2026-31449)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in ext4_ext_correct_indexes when processing a corrupted or crafted on-disk extent header. A local user can supply a crafted filesystem image to disclose sensitive information.


227) Race condition (CVE-ID: CVE-2026-31450)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.

The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.


228) Reachable assertion (CVE-ID: CVE-2026-31451)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of oversized inline data in ext4_read_inline_folio when reading inline data from a crafted ext4 filesystem. A local user can trigger processing of inline data whose size exceeds PAGE_SIZE to cause a denial of service.


229) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31452)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.

The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.


230) Use-after-free (CVE-ID: CVE-2026-31453)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.


231) Use-after-free (CVE-ID: CVE-2026-31454)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfs_inode_item_push() and xfs_qm_dquot_logitem_push() when performing buffer I/O after dropping the AIL lock in push callbacks. A local user can trigger log item reclaim and subsequent dereference of a freed li_ailp pointer to cause a denial of service.


232) Race condition (CVE-ID: CVE-2026-31455)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in xfs_unmount_flush_inodes() when unmounting an XFS filesystem while background reclaim and inodegc are still running. A local user can trigger filesystem unmount operations to cause a denial of service.

The issue occurs because inodegc can dirty and insert inodes into the AIL during the flush, while background reclaim can race to abort and free dirty inodes.


233) Improper input validation (CVE-ID: CVE-2026-31458)

The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to improper input validation in damon_sysfs_handle_cmd() when handling sysfs commands after nr_contexts is set to 0. A local privileged user can write crafted values to sysfs control files to cause a denial of service.

The issue is triggered while DAMON is running, and commands other than OFF can dereference contexts_arr[0] after the contexts directory is made empty.


234) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31462)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the amdgpu PASID allocation logic when reusing a PASID immediately after process exit. A local user can trigger immediate PASID reuse to cause a denial of service.

Pending page faults may still remain in the IH ring buffer from the previous process when the PASID is reused.


235) Out-of-bounds read (CVE-ID: CVE-2026-31464)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in ibmvfc_alloc_targets() when processing a discover targets MAD response from a VIO server. A remote attacker can return a crafted num_written value exceeding max_targets to disclose sensitive information.

The out-of-bounds data is embedded in Implicit Logout and PLOGI MADs sent back to the VIO server.


236) Race condition (CVE-ID: CVE-2026-31466)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.

The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().


237) Resource exhaustion (CVE-ID: CVE-2026-31467)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the erofs bio completion path when processing decompression in process context. A local user can trigger memory pressure during this operation to cause a denial of service.

The issue can lead to a deadlock when memory reclaim causes swap I/O through submit_bio_wait.


238) Use-after-free (CVE-ID: CVE-2026-31469)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the virtio_net driver transmit path when transmitting packets after the network namespace is destroyed while previously queued skbs are still pending. A local user can trigger packet transmission and network namespace teardown to cause a denial of service.

The issue occurs when the virtio_net driver is configured with napi_tx disabled and the device's IFF_XMIT_DST_RELEASE flag is cleared.


239) Out-of-bounds read (CVE-ID: CVE-2026-31470)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the tdx guest quote handling logic when copying a host-controlled quote buffer to guest userspace. A local user can trigger quote retrieval to disclose sensitive information.

The leak may cross container protection boundaries in deployments exposing per-container configfs-tsm-report interfaces.


240) Use-after-free (CVE-ID: CVE-2026-31473)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the media request and videobuf queue handling code when reinitializing media requests concurrently with queue teardown. A local user can trigger concurrent MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) operations to cause a denial of service.

Only request-capable devices are affected.


241) Use-after-free (CVE-ID: CVE-2026-31474)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in isotp_sendmsg() when closing an ISO-TP socket while a transmission is still in progress and the close wait is interrupted by a signal. A local user can trigger a race condition to cause a denial of service.


242) Improper access control (CVE-ID: CVE-2026-31476)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in ksmbd session binding handling when processing a multichannel session binding request failure. A remote attacker can send a binding request with a wrong password to cause a denial of service.

The issue occurs because the target session looked up during binding can belong to another connection's user.


243) Memory leak (CVE-ID: CVE-2026-31477)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in smb2_lock() when handling error paths after list_del() detaches smb_lock from lock_list. A local user can trigger unexpected error conditions in lock and unlock processing to cause a denial of service.

The issue affects both the non-UNLOCK path on unexpected vfs_lock_file() errors and the UNLOCK path when vfs_lock_file() returns -ENOENT.


244) NULL pointer dereference (CVE-ID: CVE-2026-31477)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smb2_lock() when processing SMB lock rollback operations after allocation failure. A local user can trigger allocation failure during lock rollback to cause a denial of service.


245) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-31478)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper buffer size calculation in smb2_calc_max_out_buf_len() when handling SMB2 compound read responses. A remote user can send a specially crafted SMB request to cause a denial of service.


246) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31479)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the xe virtual memory bind/unwind handling in drm/xe when processing crafted VM bind and rebind operations during 3D workloads. A local user can trigger bind operations that cause overlapping VMA re-insertion and leave the VM in a bad state to cause a denial of service.

The issue can be triggered on the unwind path, including with a vector of binds, when a rebind occurs in the middle of a VMA and compatible mapped ends are skipped.


247) Deadlock (CVE-ID: CVE-2026-31480)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in the osnoise cpu hotplug handling logic when processing cpu hotplug events while osnoise sleep paths contend for interface_lock. A local user can trigger cpu hotplug activity to cause a denial of service.


248) Sensitive Information in Resource Not Removed Before Reuse (CVE-ID: CVE-2026-31482)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper clearing of sensitive information in s390 kernel entry handlers when handling kernel entry. A local user can observe residual register contents to disclose sensitive information.

The issue affects the r12 register on s390 systems.


249) Observable discrepancy (CVE-ID: CVE-2026-31483)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper restriction of speculative execution in syscall dispatch table handling when processing a user-controlled syscall number. A local user can supply a crafted syscall number to disclose sensitive information.


250) Use-after-free (CVE-ID: CVE-2026-31485)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the spi-fsl-lpspi driver when tearing down DMA channels during controller removal while a SPI transfer is running. A local user can trigger a concurrent SPI transfer to cause a denial of service.


251) Use-after-free (CVE-ID: CVE-2026-31487)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the SPI driver_override handling when matching drivers during device probing. A local user can trigger driver probing to cause a denial of service.


252) Use-after-free (CVE-ID: CVE-2026-31488)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the amdgpu display manager stream handling logic when processing KMS commits involving DSC validation and unrelated mode changes. A local user can trigger a crafted display configuration change to cause a denial of service.

The issue can occur when MST/DSC configuration changes happen in the same commit as a separate mode change, leading to incorrect stream lifetime handling when the stream is later disabled.


253) Double free (CVE-ID: CVE-2026-31489)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in meson_spicc_remove() when removing the SPI controller. A local user can trigger the removal path to cause a denial of service.


254) Improper Initialization (CVE-ID: CVE-2026-31492)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in irdma_create_qp and irdma_destroy_qp when handling a failure from ib_copy_to_udata during queue pair creation. A local user can trigger an error during queue pair creation to cause a denial of service.


255) Out-of-bounds write (CVE-ID: CVE-2026-31494)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in gem_get_ethtool_stats when handling ethtool statistics requests for devices with fewer active queues than the maximum supported queues. A local user can send a crafted ioctl request to cause a denial of service.


256) Improper input validation (CVE-ID: CVE-2026-31495)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ctnetlink when handling netlink attribute values. A local user can send a specially crafted netlink message to cause a denial of service.

The issue involves invalid TCP state, window scale, and flag values accepted through ctnetlink attributes.


257) Improper access control (CVE-ID: CVE-2026-31496)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in nf_conntrack_expect proc handling when reading proc entries. A local user can read expectation entries from other network namespaces to disclose sensitive information.


258) Out-of-bounds read (CVE-ID: CVE-2026-31497)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the btusb driver SCO alternate setting lookup in btusb_work() when processing transparent voice settings with more than three active SCO links. A local user can trigger Bluetooth connection states that cause the driver to index past the end of the alts[] table to cause a denial of service.


259) Resource exhaustion (CVE-ID: CVE-2026-31498)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the Bluetooth L2CAP ERTM implementation when processing configuration requests and segmenting user-supplied protocol data. A remote attacker can send specially crafted L2CAP configuration data to cause a denial of service.

The issue can be triggered during channel reconfiguration in the connected state, and a zero remote_mps value can lead to an infinite loop that exhausts available memory.


260) Use-after-free (CVE-ID: CVE-2026-31500)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in btintel_hw_error() when handling a hardware error concurrently with device close operations. A local user can trigger a race condition to cause a denial of service.

The issue occurs because synchronous HCI command paths manipulate shared request state concurrently.


261) Type Confusion (CVE-ID: CVE-2026-31502)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to type confusion in team header_ops handling when processing header operations on non-Ethernet ports. A local user can trigger crafted network device interactions to cause a denial of service.

The issue can be triggered in stacked non-Ethernet topologies where inherited header callbacks are invoked with the wrong net_device context.


262) Improper access control (CVE-ID: CVE-2026-31503)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the UDP socket bind conflict check when binding a wildcard address after multiple sockets are already bound to the same local port. A local user can bind sockets to multiple specific local addresses on the same port and then bind a wildcard address to bypass conflict detection and cause a denial of service.

The issue affects IPv6 wildcard, IPv4 wildcard, and IPv4-mapped wildcard addresses when the bind bucket count exceeds 10.


263) Use-after-free (CVE-ID: CVE-2026-31504)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.

The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.


264) Out-of-bounds write (CVE-ID: CVE-2026-31505)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in iavf_get_ethtool_stats() when handling concurrent ethtool channel and statistics operations. A local user can issue crafted ethtool requests to cause a denial of service.

The issue can be triggered when "ethtool -L" and "ethtool -S" are executed simultaneously during queue reconfiguration.


265) Double free (CVE-ID: CVE-2026-31506)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in the WoL irq handling in the bcmasp network driver when freeing interrupt resources. A local user can trigger the vulnerable code path to cause a denial of service.


266) Double free (CVE-ID: CVE-2026-31507)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to double free in smc_rx_pipe_buf_release() and SMC splice pipe buffer handling when duplicating splice pipe buffers with tee(2) or splice_pipe_to_pipe(). A local user can duplicate an SMC splice buffer to cause a denial of service.

The issue can trigger a slab-use-after-free that leads to a NULL-pointer dereference and kernel panic.


267) Race condition (CVE-ID: CVE-2026-31508)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch port teardown code when unregistering a netdevice. A local user can trigger netdevice unregistration to cause a denial of service.

The issue can occur on PREEMPT_RT kernels if the device is freed before unregistration completes.


268) Improper locking (CVE-ID: CVE-2026-31509)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper lock handling issue in nci_close_device when flushing rx_wq and tx_wq while holding req_lock. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can result in a circular locking dependency and has been observed during execution of the nci selftest on debug kernels.


269) NULL pointer dereference (CVE-ID: CVE-2026-31510)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in l2cap_sock_ready_cb when handling L2CAP connection state changes. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can lead to a kernel panic.


270) Use-after-free (CVE-ID: CVE-2026-31511)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in mgmt_add_adv_patterns_monitor_complete when handling Bluetooth management operations. A local user can trigger a crafted sequence of management operations to cause a denial of service.

The issue can be triggered by subsequent list traversal that dereferences freed memory.


271) Out-of-bounds read (CVE-ID: CVE-2026-31512)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in l2cap_ecred_data_rcv() when processing a crafted L2CAP Enhanced Credit Based Flow Control data packet with less than 2 bytes of data. A remote attacker can send a specially crafted Bluetooth packet to disclose sensitive information.


272) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.


273) Use-after-free (CVE-ID: CVE-2026-31516)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in xfrm_hash_rebuild() when processing an XFRM_MSG_NEWSPDINFO request that queues policy_hthresh.work during net namespace teardown. A local user can send a specially crafted XFRM_MSG_NEWSPDINFO request to cause a denial of service.


274) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31518)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in esp_output_tail_tcp when handling a full espintcp TX queue with asynchronous crypto. A local user can trigger packet processing errors to cause a denial of service.

The issue occurs when asynchronous crypto is used instead of synchronous crypto.


275) Race condition (CVE-ID: CVE-2026-31519)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in btrfs subvolume lookup and orphan cleanup handling when looking up a subvolume after dentry cache eviction with concurrent delayed iputs and unlink activity. A local user can trigger concurrent filesystem operations to cause a denial of service.

The issue can result in a negative dentry being created for a valid subvolume, causing filesystem operations on that subvolume to fail and potentially abort the filesystem.


276) Memory leak (CVE-ID: CVE-2026-31520)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in apple_report_fixup() in the HID apple driver when processing crafted HID report descriptors. A local user can connect or emulate a crafted HID device to cause a denial of service.


277) Out-of-bounds read (CVE-ID: CVE-2026-31521)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in simplify_symbols() when parsing a crafted module ELF file with an invalid section index. A local user can load a specially crafted module to cause a denial of service.

This can be triggered when the module ELF legitimately uses SHN_XINDEX or when the file is corrupted.


278) Memory leak (CVE-ID: CVE-2026-31522)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in magicmouse_report_fixup() when processing HID report descriptors. A local user can trigger the vulnerable code path to cause a denial of service.


279) Race condition (CVE-ID: CVE-2026-31523)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nvme-pci polled queue handling when polling a queue during a reset while queue mappings are being updated. A local user can change the polled queue count at run time to trigger double completions and cause a denial of service.

The issue occurs during a brief window before the block layer has updated the queue maps.


280) Out-of-bounds read (CVE-ID: CVE-2026-31524)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in asus_report_fixup() when copying the HID report descriptor. A local user can attach or interact with a crafted device descriptor to cause a denial of service.


281) Integer overflow (CVE-ID: CVE-2026-31525)

The vulnerability allows a local user to access out-of-bounds map values.

The vulnerability exists due to improper handling of signed integer minimum values in the BPF interpreter's signed 32-bit division and modulo handlers when processing crafted BPF operations that use INT_MIN. A local user can load a crafted BPF program to access out-of-bounds map values.

The issue is caused by a verifier and interpreter mismatch in range tracking for signed 32-bit division and modulo operations.


282) Use-after-free (CVE-ID: CVE-2026-31527)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the platform driver core driver_override handling when probing a driver through __driver_attach(). A local user can trigger concurrent access to the driver_override field to cause a denial of service.


283) Out-of-bounds read (CVE-ID: CVE-2026-31528)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds memory access in x86_pmu_del() when rolling back a failed group_sched_in() operation for a group whose leader is a software event. A local user can trigger a failed group scheduling operation to cause a denial of service.

The issue occurs because inherited events may use the wrong PMU context for grouped events.


284) Use-after-free (CVE-ID: CVE-2026-31530)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in cxl_detach_ep() when handling concurrent endpoint detach operations and switch port removal. A local user can trigger concurrent device detach and port unregistration to cause a denial of service.

This issue is reproducible when reloading cxl_acpi in QEMU with CXL devices present.


285) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31531)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory allocation in rtm_get_nexthop() when handling RTM_GETNEXTHOP requests for large nexthop groups. A local user can send a specially crafted netlink request to cause a denial of service.

This issue can be triggered when querying large Equal-Cost Multi-Path nexthop groups such as groups containing hundreds of nexthops.


286) Use-after-free (CVE-ID: CVE-2026-31532)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in raw_rcv() when processing CAN frames after a raw CAN socket is released. A local user can trigger concurrent socket release and packet reception to cause a denial of service.

The issue involves the percpu uniq storage referenced through RCU-delayed receiver deletion.


287) Use-after-free (CVE-ID: CVE-2026-31533)

The vulnerability allows a local user to cause a use-after-free.

The vulnerability exists due to use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.

The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.


288) NULL pointer dereference (CVE-ID: CVE-2026-31540)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the i915 driver suspend handling path when suspending a system without i915 driver firmware binaries present. A local user can trigger a suspend operation to cause a denial of service.

The issue occurs because the set_default_submission function pointer may be unset and still dereferenced during suspend.


289) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31542)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of deconfigured sockets in UV hub info structure allocation when allocating UV hub info structures for a socket mapped to SOCK_EMPTY. A local user can trigger allocation in this state to cause a denial of service.


290) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31545)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource handling in the nxp-nci driver GPIO handling logic when operating GPIOs connected to I2C GPIO expanders. A local user can trigger the vulnerable code path to cause a denial of service.

The issue results in a kernel WARN_ON condition.


291) NULL pointer dereference (CVE-ID: CVE-2026-31546)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in bond_debug_rlb_hash_show when reading debugfs entries for RLB hash-table entries with no assigned slave. A local user can read the affected debugfs entry to cause a denial of service.

The issue occurs when an entry remains on the rx_hashtbl_used_head list with its slave pointer set to NULL.


292) Race condition (CVE-ID: CVE-2026-31548)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in cfg80211 PMSR handling when closing the nl80211 socket that originated a PMSR request while the interface is concurrently being torn down. A local user can trigger concurrent abort processing and interface teardown to cause a denial of service.

The issue can result in the driver's abort_pmsr callback operating on a torn-down interface.


293) NULL pointer dereference (CVE-ID: CVE-2026-31549)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the cp2615 driver probe routine when probing a malicious USB device that lacks a serial string. An attacker with physical access can connect a specially crafted device to trigger a NULL pointer dereference and cause a denial of service.


294) Resource exhaustion (CVE-ID: CVE-2026-31550)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper timeout handling in bcm2835_asb_control() when handling runtime power management suspend operations for V3D. A local user can trigger intensive workloads to cause a denial of service.

The issue can leave V3D in a broken state, leading to bus faults or system hangs on later accesses.


295) Race condition (CVE-ID: CVE-2026-31551)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in aql_enable_write in the mac80211 debugfs interface when handling concurrent write operations to debugfs. A local user can perform concurrent writes to the aql control file to cause a denial of service.


296) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31552)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in wlcore_tx_work_locked() when processing transmit frames after memory allocation for skb headroom fails. A local user can trigger memory allocation failure during packet transmission to cause a denial of service.

The issue can lead to an infinite retry loop and a CPU soft lockup.


297) Use-after-free (CVE-ID: CVE-2026-31554)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in sys_futex_requeue() when using different flags in a requeue operation. A local user can invoke the affected futex requeue operation with mismatched flags to cause a denial of service.


298) Use-after-free (CVE-ID: CVE-2026-31555)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a stale pointer in futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.


299) Improper locking (CVE-ID: CVE-2026-31556)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock release in xchk_quota_item when handling quota scrub error processing. A local user can trigger an early return that leaves dq->q_qlock held to cause a denial of service.


300) Race condition (CVE-ID: CVE-2026-31557)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in async event work handling on the nvmet workqueue when freeing an NVMe target controller during queue disconnect processing. A local user can trigger queue disconnect and controller cleanup to cause a denial of service.

The issue arises from recursive locking when async event work is flushed from the same worker processing nvmet-wq.


301) Out-of-bounds read (CVE-ID: CVE-2026-31558)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in kvm_get_vcpu_by_cpuid() when handling a negative cpuid value. A local user can supply a negative cpuid value to cause a denial of service.


302) NULL pointer dereference (CVE-ID: CVE-2026-31559)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper handling of a NULL pointer in cpu model parsing from device tree when memory allocation fails during early boot. A local attacker can trigger memory allocation failure during device tree parsing to cause a denial of service.

The issue can lead to a kernel oops during early boot.


303) Improper access control (CVE-ID: CVE-2026-31561)

The vulnerability allows a local privileged user to disable security protections.

The vulnerability exists due to improper access control in CR4 pinning logic when modifying CR4 during early boot on application processors that are not online yet. A local privileged user can modify the online bit in writable memory and disable CR4 pinning to disable SMAP/SMEP and disable security protections.

The issue is particularly relevant in SEV-ES, SEV-SNP, or TDX guest environments during a short early-boot window.


304) Improper resource shutdown or release (CVE-ID: CVE-2026-31563)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the macb TX SKB freeing logic when freeing transmitted socket buffers in an IRQ-disabled context. A local user can trigger network traffic processing to cause a denial of service.


305) Deadlock (CVE-ID: CVE-2026-31565)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in the irdma RDMA subsystem when executing a netdev reset while RDMA applications have active connections. A local user can trigger a netdev reset during active RDMA connections to cause a denial of service.

The issue occurs during device removal in iWARP mode when client cleanup creates a circular dependency involving QP reference counting.


306) Use-after-free (CVE-ID: CVE-2026-31566)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in amdgpu_amdkfd_submit_ib() when waiting for GPU job completion after submitting a GPU job. A local user can trigger the vulnerable code path to cause a denial of service.


307) Out-of-bounds write (CVE-ID: CVE-2026-31570)

The vulnerability allows a local user to cause a denial of service or corrupt memory.

The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.

Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.


308) Race condition (CVE-ID: CVE-2026-31575)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in mfill_atomic_hugetlb() when handling userfaultfd hugetlb faults. A local user can trigger faults on different addresses within the same huge page to cause a denial of service.

The issue can corrupt the reservation map and trigger the BUG_ON in resv_map_release().


309) Use-after-free (CVE-ID: CVE-2026-31576)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the hackrf driver when handling ioctl and release operations on an already-open device file after device unregistration. A local user can keep a device file descriptor open and trigger ioctl or close operations to cause a denial of service.

New open() calls are blocked after device unregistration, but already-open file descriptors and in-flight I/O remain valid until the final reference is released.


310) NULL pointer dereference (CVE-ID: CVE-2026-31577)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in nilfs_mdt_save_to_shadow_map() when handling NILFS_IOCTL_CLEAN_SEGMENTS immediately after mount before any btree operation has occurred on the DAT inode. A local user can invoke the ioctl in that state to cause a denial of service.

The issue occurs because the DAT inode's i_assoc_inode may remain uninitialized until a btree operation is performed.


311) Use-after-free (CVE-ID: CVE-2026-31578)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the as102_usb driver release path when handling a previously opened device file during device deregistration or disconnect. A local user can open the device node before deregistration and later close the file descriptor to cause a denial of service.

The issue can also result in a double free when the final open file descriptor is released after the device structure was already freed on the probe error path.


312) Use-after-free (CVE-ID: CVE-2026-31580)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in cached_dev.sb_bio when handling superblock write completion while the device is being stopped. A local user can stop the device during a superblock write to cause a denial of service.


313) Use-after-free (CVE-ID: CVE-2026-31581)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in usb6fire_chip_abort() in the ALSA 6fire USB driver when handling device disconnect. A local user can trigger a device disconnect to cause a denial of service.

The issue occurs because the card private data may be freed synchronously when no file handles are open, after which the code accesses the freed chip structure.


314) Use-after-free (CVE-ID: CVE-2026-31582)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the powerz hwmon driver when handling a USB device disconnect followed by a read operation. A local user can disconnect the device and trigger a subsequent read to cause a denial of service.

The issue occurs after the freed URB pointer is dereferenced during device access after disconnection.


315) Use-after-free (CVE-ID: CVE-2026-31583)

The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a use-after-free in em28xx_v4l2_open() when opening a V4L2 device while racing with initialization error handling or device teardown. A local user can trigger concurrent operations to cause a denial of service or execute arbitrary code.

The race condition can also lead to a NULL pointer dereference.


316) Use-after-free (CVE-ID: CVE-2026-31584)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in fops_vcodec_release() and the mtk_venc_worker workqueue handler when releasing an encoder context while queued or running encode work is still active. A local user can trigger the encoder release path during encode operations to cause a denial of service.

The issue is caused by a race condition between the release path and the workqueue lifecycle after the multimedia job is considered complete.


317) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31585)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in vidtv_start_feed() when handling a start_streaming failure. A local user can trigger a start_streaming failure to cause a denial of service.

The issue can corrupt the nfeeds counter and may leave partially allocated mux and channel resources uncleared when the stop path returns early.


318) Use-after-free (CVE-ID: CVE-2026-31586)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.

The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().


319) Use-after-free (CVE-ID: CVE-2026-31587)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the q6apm ASoC component registration logic when unregistering dynamically registered dais from ASoC topology. A local user can trigger device unbind or removal conditions to cause a denial of service.


320) Use-after-free (CVE-ID: CVE-2026-31588)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in complete_emulated_mmio() when servicing an emulated MMIO write that straddles a page boundary between MMIO pages. A local user can trigger crafted KVM_RUN operations to cause a denial of service.

The issue occurs for write payloads of 8 bytes or less and is most visible when the second KVM_RUN is performed by a separate task.


321) Integer overflow (CVE-ID: CVE-2026-31590)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of an integer overflow condition in sev_pin_memory() when processing a KVM_MEMORY_ENCRYPT_REG_REGION ioctl request with a crafted size value. A local user can submit a specially crafted ioctl request to cause a kernel warning.

The issue is reachable from userspace through the KVM SEV memory encryption region registration interface.


322) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-31593)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state validation in the KVM SEV VMSA synchronization logic when synchronizing vCPU state to an already-launched and encrypted vCPU. A local user can issue a crafted ioctl sequence to cause a denial of service.

On hosts with SNP enabled, accessing guest-private memory triggers an RMP page fault that panics the host. In SEV-ES environments without SNP, the issue may clobber guest state instead of panicking the host.


323) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31594)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the pci-epf-vntb endpoint function driver when handling endpoint link setup or teardown failures. A local user can trigger link operations that cause duplicate resource teardown to cause a denial of service.

The issue can result in a kernel oops when .allow_link fails or when .drop_link is performed.


324) Race condition (CVE-ID: CVE-2026-31595)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the epf_ntb_cmd_handler work handler in pci-epf-vntb when cleaning up endpoint controller resources. A local user can trigger the vulnerable cleanup path to cause a denial of service.


325) Improper input validation (CVE-ID: CVE-2026-31596)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ocfs2_group_extend when handling a crafted filesystem through the resize ioctl. A local user can trigger the resize operation on a crafted filesystem image to cause a denial of service.

The issue occurs because an invalid global bitmap inode can reach the JBD2-managed buffer path and lead to a kernel BUG instead of a clean failure.


326) Use-after-free (CVE-ID: CVE-2026-31597)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in ocfs2_fault() when handling a page fault that returns VM_FAULT_RETRY. A local user can trigger a concurrent munmap() during fault handling to cause a denial of service.


327) Deadlock (CVE-ID: CVE-2026-31598)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an inconsistent lock ordering that can lead to deadlock in ocfs2 unlink and direct I/O write completion handling when concurrent unlink and dio_end_io_write operations are performed. A local user can trigger concurrent file operations to cause a denial of service.


328) NULL pointer dereference (CVE-ID: CVE-2026-31599)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in vidtv_channel_pmt_match_sections when handling a memory allocation failure from vidtv_psi_pmt_stream_init. A local user can trigger the vulnerable code path to cause a denial of service.


329) Out-of-bounds write (CVE-ID: CVE-2026-31602)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.

The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.


330) Division by zero (CVE-ID: CVE-2026-31603)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to division by zero in ps_to_hz() when handling a FBIOPUT_VSCREENINFO request with a zero pixclock value. A local user can supply crafted screen information to trigger a division by zero and cause a denial of service.


331) Memory leak (CVE-ID: CVE-2026-31604)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in the rtw88 USB driver probe path when handling device initialization failures. A local user can trigger a probe failure to cause a denial of service.


332) Division by zero (CVE-ID: CVE-2026-31605)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to divide-by-zero in the udlfb driver when handling FBIOPUT_VSCREENINFO ioctl requests. A local user can submit crafted screen information values to trigger a kernel crash and cause a denial of service.


333) Use-after-free (CVE-ID: CVE-2026-31606)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the f_hid hid gadget character device handling when unbinding and binding the gadget while the /dev/hidg* device remains open. A local user can keep the device open and trigger unbind and bind operations to cause a denial of service.


334) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.

The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
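
The bounds problem described for CVE-2026-31607, as an added user-space model in C (not the kernel's usbip code): a count carried in a reply has to be checked against the count the descriptor array was allocated for, and against the bytes actually received, before it is used as a loop bound. The struct and function names, the return codes and the "not larger than the original" acceptance rule are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model of the pattern; these are not the kernel's
 * struct urb or the USB/IP wire structures. */
struct model_iso_desc {
    uint32_t offset;
    uint32_t length;
    uint32_t actual_length;
    int32_t  status;
};

struct model_urb {
    int number_of_packets;                  /* fixed at submission time */
    struct model_iso_desc iso_frame_desc[]; /* allocated for exactly that many */
};

/* Hypothetical view of what a RET_SUBMIT-style reply supplies. */
struct model_reply {
    int32_t number_of_packets;              /* untrusted, chosen by the peer */
    const struct model_iso_desc *descs;     /* descriptors received after the header */
    size_t descs_bytes;                     /* bytes actually received */
};

enum { REPLY_OK = 0, REPLY_BAD_COUNT = -1, REPLY_TRUNCATED = -2 };

struct model_urb *model_urb_alloc(int npackets)
{
    struct model_urb *urb;

    if (npackets < 0)
        return NULL;
    urb = calloc(1, sizeof(*urb) +
                    (size_t)npackets * sizeof(urb->iso_frame_desc[0]));
    if (urb)
        urb->number_of_packets = npackets;
    return urb;
}

/* What the flawed pattern would do if the reply count were adopted as the
 * loop bound: the number of descriptor slots beyond the allocation that the
 * loop would touch. Computed only; no out-of-bounds access is performed. */
size_t slots_past_allocation(const struct model_urb *urb,
                             const struct model_reply *r)
{
    if (r->number_of_packets <= urb->number_of_packets)
        return 0;
    return (size_t)(r->number_of_packets - urb->number_of_packets);
}

/* Hardened form: the reply count may not be negative or exceed the count
 * fixed at submission, and the payload must hold that many descriptors.
 * The urb's own count is never overwritten with the reply value. */
int apply_reply_checked(struct model_urb *urb, const struct model_reply *r)
{
    size_t need;
    int i;

    if (r->number_of_packets < 0 ||
        r->number_of_packets > urb->number_of_packets)
        return REPLY_BAD_COUNT;

    need = (size_t)r->number_of_packets * sizeof(struct model_iso_desc);
    if (r->descs_bytes < need)
        return REPLY_TRUNCATED;

    for (i = 0; i < r->number_of_packets; i++) {
        urb->iso_frame_desc[i].actual_length = r->descs[i].actual_length;
        urb->iso_frame_desc[i].status = r->descs[i].status;
    }
    return REPLY_OK;
}

int main(void)
{
    struct model_iso_desc d[4];             /* constructed sample payload */
    struct model_reply oversized = { 1000, d, sizeof d };
    struct model_urb *urb = model_urb_alloc(4);

    if (!urb)
        return 1;
    memset(d, 0, sizeof d);
    printf("slots past allocation if trusted: %zu\n",
           slots_past_allocation(urb, &oversized));
    printf("checked result: %d\n", apply_reply_checked(urb, &oversized));
    free(urb);
    return 0;
}
```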


335) Memory leak (CVE-ID: CVE-2026-31610)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a memory leak in smb2_sess_setup() SPNEGO negotiation handling when processing a malformed SPNEGO negotiation token. A remote attacker can send a specially crafted negotiation blob to cause a denial of service.

The issue is reachable pre-authentication, and malformed later elements in the same token can leave an allocated mechToken uncleared after both SPNEGO grammars fail.


336) Out-of-bounds read (CVE-ID: CVE-2026-31611)

The vulnerability allows a remote attacker to modify file permissions.

The vulnerability exists due to an out-of-bounds read in parse_dacl() when processing a crafted security descriptor containing an ACE SID with only two sub-authorities that matches the sid_unix_NFS_mode prefix. A remote attacker can send a specially crafted security descriptor to modify file permissions.

The issue occurs when the crafted ACE is placed at the end of the security descriptor, causing 4 bytes past the end of the ACL to be read and masked into the low 9 bits as the file's POSIX mode.


337) Out-of-bounds read (CVE-ID: CVE-2026-31612)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in smb2_get_ea() when handling crafted SMB2 extended attribute requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Uninitialized heap values may be leaked to the client.


338) Out-of-bounds read (CVE-ID: CVE-2026-31614)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in check_wsl_eas() when processing extended attribute data from an SMB server response. A remote attacker can send a specially crafted server response to disclose sensitive information.

The issue can leak up to 8 bytes of kernel heap memory and can influence which WSL xattr the data is interpreted as.


339) Improper input validation (CVE-ID: CVE-2026-31615)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in standard request handlers in the renesas_usb3 USB gadget driver when processing host-supplied standard USB requests. A remote attacker can send a specially crafted request with an invalid endpoint index to cause a denial of service.


340) Out-of-bounds write (CVE-ID: CVE-2026-31616)

The vulnerability allows a remote attacker to cause memory corruption.

The vulnerability exists due to an out-of-bounds write in pn_rx_complete() when processing an unbounded sequence of full-page USB OUT transfers. A remote attacker can send a crafted sequence of full-page USB OUT transfers to cause memory corruption.

The issue affects a Linux gadget exposing a Phonet function and occurs when each transfer is exactly PAGE_SIZE bytes, preventing the skb from being reset.


341) Integer underflow (CVE-ID: CVE-2026-31617)

The vulnerability allows an attacker with physical access to disclose sensitive information.

The vulnerability exists due to an integer underflow in ncm_unwrap_ntb() in the f_ncm USB gadget component when processing a host-supplied NTB header. An attacker with physical access can provide a crafted NTB header with a too-small block length and out-of-bounds indexes to disclose sensitive information.

The issue can cause adjacent kernel memory to be copied into a network skb.


342) Division by zero (CVE-ID: CVE-2026-31618)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to divide-by-zero in the tdfxfb driver when handling FBIOPUT_VSCREENINFO requests. A local user can submit crafted screen information to trigger a kernel crash and cause a denial of service.


343) Out-of-bounds read (CVE-ID: CVE-2026-31619)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the efr_status_names[] string array lookup in the ALSA fireworks driver when processing a device-supplied EFW response status value. A local user can supply a crafted status value from a firewire device to cause a denial of service.


344) Heap-based buffer overflow (CVE-ID: CVE-2026-31622)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in digital_in_recv_sdd_res() when processing crafted NFC-A SDD and SEL responses from a peer device. A remote attacker can send crafted responses to cause a denial of service.

The issue occurs because the peer device can control the number of NFC-A anti-collision cascade rounds and the amount of data appended to target->nfcid1 on each round.


345) Out-of-bounds write (CVE-ID: CVE-2026-31623)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in rx_complete() in the cdc-phonet driver when processing bulk transfers from a malicious USB device claiming to be a CDC Phonet modem. An attacker with physical access can send an unbounded sequence of full-page bulk transfers to cause a denial of service.


346) Integer overflow (CVE-ID: CVE-2026-31624)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an undefined shift caused by improper input validation in s32ton() when processing a malicious HID report descriptor during output report construction. A local attacker can supply a broken HID device with an oversized report_size field to cause a denial of service.

The issue is triggered when an output report is built via hid_output_field() or hid_set_field().


347) NULL pointer dereference (CVE-ID: CVE-2026-31625)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in alps_raw_event() when processing raw HID events. A local user can trigger the vulnerable code path to cause a denial of service.


348) Use of Uninitialized Variable (CVE-ID: CVE-2026-31626)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use of uninitialized memory in rtw_BIP_verify() when processing BIP data. A local user can trigger the function with crafted input to cause a denial of service.


349) Improper input validation (CVE-ID: CVE-2026-31627)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the s3c24xx i2c driver when processing SMBUS messages. A local user can provide a specially crafted SMBUS message with an invalid size field to cause a denial of service.


350) Information disclosure (CVE-ID: CVE-2026-31628)

The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to improper isolation of partial divider results in x86 CPU handling when executing division operations on Zen1 processors. A local attacker can run a thread that observes residual partial results from previous operations to disclose sensitive information.

Exploitation requires another thread to access leaked partial results left by a previous operation under certain circumstances.


351) Use-after-free (CVE-ID: CVE-2026-31629)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc() when handling sockets in the LLCP_CLOSED state. A local user can trigger the affected code path to cause a denial of service.


352) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31634)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a reference count leak in rxrpc_server_keyring() when handling RxRPC server keyring setup. A local user can trigger the vulnerable code path to cause a denial of service.


353) Improper input validation (CVE-ID: CVE-2026-31637)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in rxkad_decrypt_ticket() when processing a malformed RXKAD RESPONSE ticket with a non-block-aligned length. A remote attacker can send a specially crafted response ticket to cause a denial of service.


354) NULL pointer dereference (CVE-ID: CVE-2026-31638)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of a NULL pointer reference in rxrpc_input_packet_on_conn() when processing a to-client packet after the current client call on the channel has already been torn down. A remote attacker can send a crafted packet to cause a denial of service.

The issue occurs on the client-side implicit-end error path when chan->call is NULL and no call reference was acquired.


355) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31639)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a reference count leak in rxrpc_alloc_client_call() and rxrpc_destroy_call() when creating and destroying a client call. A local user can trigger client call creation to cause a denial of service.


356) Race condition (CVE-ID: CVE-2026-31642)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in rxrpc call removal from the rxnet->calls list when reading /proc/net/rxrpc/calls. A local user can trigger access to the procfs entry during concurrent call deletion to cause a denial of service.


357) Use-after-free (CVE-ID: CVE-2026-31644)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in lan966x_fdma_reload() when handling a failure to allocate new RX buffers during DMA reload. A local user can trigger the allocation failure and restart DMA with old descriptors whose pages were already freed to cause a denial of service.

The issue occurs on the restore path, where hardware may DMA into memory that has been returned to the buddy allocator and reused by other kernel subsystems.


358) Improper resource shutdown or release (CVE-ID: CVE-2026-31645)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in lan966x_fdma_rx_alloc() and lan966x_fdma_init() when handling error paths after page pool creation. A local user can trigger allocation failures to cause a denial of service.


359) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31646)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of an error pointer in lan966x_fdma_rx_alloc_page_pool() when creating a page pool. A local user can trigger page_pool_create() failure to cause a denial of service.

The issue can lead to a kernel oops when the error pointer is dereferenced through xdp_rxq_info_reg_mem_model() and page_pool_use_xdp_mem().


360) Improper locking (CVE-ID: CVE-2026-31647)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock handling in the idpf async virtual channel handling logic when processing asynchronous virtual channel messages. A local user can trigger the vulnerable code path to cause a denial of service.

The issue manifests as an invalid wait context in PREEMPT_RT environments.


361) Integer overflow (CVE-ID: CVE-2026-31648)

The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to an integer overflow in filemap_map_pages() when mapping file-backed folios during a race with file size truncation. A local user can trigger the race to cause memory corruption.

The issue can cause mappings to extend beyond the large folio size and corrupt fields of pages that do not belong to that folio.


362) Integer underflow (CVE-ID: CVE-2026-31649)

The vulnerability allows a local user to disclose sensitive information and cause memory corruption.

The vulnerability exists due to integer underflow in jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.

On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.


363) NULL pointer dereference (CVE-ID: CVE-2026-31651)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the vub300 mmc driver disconnect handler when disconnecting the device. A local user can trigger a device disconnect to cause a denial of service.

The issue may also lead to a use-after-free condition.


364) Improper resource shutdown or release (CVE-ID: CVE-2026-31655)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper power management in imx8mp-blk-ctrl when handling the NoC ADB400 port power down handshake. A local user can trigger the affected power management path to cause a denial of service.


365) Use-after-free (CVE-ID: CVE-2026-31656)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in intel_engine_park_heartbeat when racing the heartbeat worker and request retirement paths while releasing engine->heartbeat.systole. A local user can trigger concurrent request retirement and heartbeat handling to cause a denial of service.

The issue arises because the same systole request can be released twice after a stale non-NULL pointer is observed in a non-atomic read-and-clear sequence.


366) Use-after-free (CVE-ID: CVE-2026-31657)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the batman-adv BLA claim handling code when processing netlink claim dump operations or checking claims. A local user can trigger concurrent claim updates and reader access to dereference a freed backbone gateway pointer to cause a denial of service.


367) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31658)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in tse_start_xmit() when handling DMA mapping failures. A local user can trigger DMA mapping failures to cause a denial of service.


368) Heap-based buffer overflow (CVE-ID: CVE-2026-31659)

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in batadv_tt_prepare_tvlv_global_data() when processing an oversized global TT response from a remote originator. A remote attacker can advertise a large global TT to trigger a wrapped allocation and write past the end of the heap object to cause a denial of service or execute arbitrary code.


369) NULL pointer dereference (CVE-ID: CVE-2026-31660)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in pn532_receive_buf() when processing received bytes. A local user can trigger an allocation failure during frame reception to cause a denial of service.


370) Improper resource shutdown or release (CVE-ID: CVE-2026-31661)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the brcmsmac driver when freeing DMA-coherent memory. A local user can trigger the vulnerable code path to cause a denial of service.


371) Integer underflow (CVE-ID: CVE-2026-31662)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in tipc_group_proto_rcv() when handling duplicate or stale GRP_ACK_MSG messages. A remote attacker can send duplicate group acknowledgment messages to cause a denial of service.

After the counter wraps, group broadcasts on the affected socket remain blocked until the group is recreated.


372) Use of uninitialized resource (CVE-ID: CVE-2026-31664)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.

The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.


373) Use-after-free (CVE-ID: CVE-2026-31665)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nft_ct_timeout_obj_destroy() when destroying timeout objects during concurrent packet processing. A local user can trigger concurrent packet processing and object destruction to cause a denial of service.

The issue arises because other CPUs may still hold RCU-protected references to the timeout object.


374) Return of Wrong Status Code (CVE-ID: CVE-2026-31666)

The vulnerability allows a local user to cause extent tree corruption.

The vulnerability exists due to incorrect return value handling in lookup_extent_data_ref() when processing extent data reference lookups across leaf boundaries. A local user can trigger the function to return success for a non-matching key to cause extent tree corruption.


375) Improper locking (CVE-ID: CVE-2026-31667)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock management in the uinput force-feedback handling path when processing force-feedback operations and device lifecycle events. A local user can trigger a circular locking dependency to cause a denial of service.

The issue can be triggered when using a force-feedback gamepad with uinput.


376) Improper access control (CVE-ID: CVE-2026-31668)

The vulnerability allows a local user to bypass routing policy restrictions.

The vulnerability exists due to improper access control in the seg6 lwtunnel dst_cache handling when processing input and output paths in different routing contexts. A local user can trigger packet processing through one path so that the other path reuses an incorrect cached destination to bypass routing policy restrictions.

The issue occurs because a single destination cache is shared between seg6_input_core() and seg6_output_core(), even though these paths may perform SID lookup under different routing contexts such as ingress-interface-based rules or VRF table separation.


377) Use-after-free (CVE-ID: CVE-2026-31669)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.

The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.


378) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31670)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the rfkill event handling logic when userspace creates rfkill events without consuming them from the rfkill file descriptor. A local user can create an unlimited number of pending rfkill events to cause a denial of service.

The issue can lead to an out-of-memory condition on systems configured to allow userspace to create such events.


379) Improper Initialization (CVE-ID: CVE-2026-31671)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in build_report() when copying a xfrm_user_report structure to userspace. A local user can trigger the affected code path to disclose sensitive information.

The issue is caused by uninitialized padding bytes in the structure being exposed to userspace.


380) Improper resource shutdown or release (CVE-ID: CVE-2026-31672)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the rt2x00usb USB driver when unbinding the driver from a USB interface without physically disconnecting the device. A local user can trigger driver unbind conditions to cause a denial of service.

This can occur during probe deferral or configuration changes.


381) Use-after-free (CVE-ID: CVE-2026-31673)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in UNIX_DIAG_VFS handling in af_unix when processing UNIX diagnostic lookups. A local user can trigger a race condition to cause a denial of service.


382) Out-of-bounds read (CVE-ID: CVE-2026-31674)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.


383) Out-of-bounds read (CVE-ID: CVE-2026-31675)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in netem_enqueue() when processing fully non-linear packets sent over an IPIP tunnel through an AF_PACKET TX_RING. A local user can send a specially crafted packet to cause a denial of service.


384) Race condition (CVE-ID: CVE-2026-31676)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper state management in the RxRPC service connection challenge handling when processing RESPONSE packets during service challenge. A remote attacker can send duplicate or late RESPONSE packets to cause a denial of service.


385) Resource exhaustion (CVE-ID: CVE-2026-31677)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in af_alg_get_rsgl() when processing recvmsg calls with data extraction into the RX scatterlist. A local user can send a specially crafted recvmsg request to cause a denial of service.


386) Race condition (CVE-ID: CVE-2026-31678)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch tunnel device destruction path when destroying a tunnel vport after device unregistration. A local user can trigger concurrent access to a detached device reference to cause a denial of service.


387) Improper input validation (CVE-ID: CVE-2026-31679)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in openvswitch SET/SET_MASKED action handling for OVS_KEY_ATTR_MPLS when processing crafted MPLS action payload lengths. A local user can send a specially crafted request to cause a denial of service.


388) Use-after-free (CVE-ID: CVE-2026-31680)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


389) Out-of-bounds read (CVE-ID: CVE-2026-31681)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ports_match_v1() in the xt_multiport netfilter module when processing malformed multiport v1 rules. A local user can supply a crafted rule with invalid range encoding to cause a denial of service.


390) Out-of-bounds read (CVE-ID: CVE-2026-31682)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send() when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.


391) Heap-based buffer overflow (CVE-ID: CVE-2026-31683)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a buffer overflow in batman-adv OGM aggregation handling when aggregating forwarded packets after OGM aggregation state is toggled at runtime. A local user can trigger aggregation with insufficient skb tailroom to cause a denial of service.


392) Out-of-bounds read (CVE-ID: CVE-2026-31684)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in tcf_csum_act() when processing packets with nested in-payload VLAN headers. A remote attacker can send a specially crafted packet to cause a denial of service.


393) Improper input validation (CVE-ID: CVE-2026-31685)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.


394) Double free (CVE-ID: CVE-2026-31686)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in kasan_free_pxd() when freeing kasan page table entries during memory unmapping. A local user can trigger the vulnerable code path to cause a denial of service.

The issue was observed on powerpc systems with 64K page size where PUD tables can be allocated from the pgtable-2^9 slab cache.


395) Improper initialization (CVE-ID: CVE-2026-31689)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in edac_mc_alloc() when handling a failed mci->pvt_info allocation. A local user can trigger the vulnerable error path to cause a denial of service.

The issue occurs because put_device() may invoke the device release function before device initialization has completed.


396) Improper initialization (CVE-ID: CVE-2026-31693)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in cifs replay handling when replaying requests. A local user can trigger request replay to cause a denial of service.


397) Out-of-bounds read (CVE-ID: CVE-2026-31786)

The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.

The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.

In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.


398) Double free (CVE-ID: CVE-2026-31787)

The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.

The vulnerability exists due to a double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.

Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.


399) Improper privilege management (CVE-ID: CVE-2026-31788)

The vulnerability allows a local user to escalate privileges and modify kernel memory contents, breaking secure boot protections.

The vulnerability exists due to improper access control in the Xen privcmd driver when handling hypercalls from user space processes in an unprivileged domU running with secure boot enabled. A local user can exploit this by issuing arbitrary hypercalls to escalate privileges and modify kernel memory, compromising the integrity of the secure boot environment.

Exploitation requires the user to have root privileges within the unprivileged domU guest. The impact is particularly severe when secure boot is enabled, as it allows bypassing memory integrity protections.


Remediation

Install the update from the vendor's website.