SB2026051411 - Debian update for linux




Published: May 14, 2026

Security Bulletin ID: SB2026051411
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 305
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 1% Medium 12% Low 86%

Description

This security bulletin contains information about 305 vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2023-53228)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the amdgpu_cs_submit() function in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c. A local user can perform a denial of service (DoS) attack.


2) Input validation error (CVE-ID: CVE-2023-53510)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the ufshcd_queuecommand(), ufshcd_exec_dev_cmd(), ufshcd_release_scsi_cmd(), ufshcd_issue_devman_upiu_cmd() and ufshcd_advanced_rpmb_req_handler() functions in drivers/ufs/core/ufshcd.c. A local user can perform a denial of service (DoS) attack.


3) Improper locking (CVE-ID: CVE-2023-53545)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the amdgpu_driver_postclose_kms() function in drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c. A local user can perform a denial of service (DoS) attack.


4) Improper locking (CVE-ID: CVE-2024-47736)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the z_erofs_fill_bio_vec(), folio_lock(), folio_put() and z_erofs_submit_queue() functions in fs/erofs/zdata.c. A local user can perform a denial of service (DoS) attack.


5) NULL pointer dereference (CVE-ID: CVE-2024-47809)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the validate_lock_args() function in fs/dlm/lock.c. A local user can perform a denial of service (DoS) attack.


6) NULL pointer dereference (CVE-ID: CVE-2024-49998)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the EXPORT_SYMBOL_GPL() and dsa_switch_shutdown() functions in net/dsa/dsa.c. A local user can perform a denial of service (DoS) attack.


7) NULL pointer dereference (CVE-ID: CVE-2024-50298)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the enetc_sriov_configure(), enetc_pf_probe(), free_netdev() and enetc_pf_remove() functions in drivers/net/ethernet/freescale/enetc/enetc_pf.c. A local user can perform a denial of service (DoS) attack.


8) Use-after-free (CVE-ID: CVE-2024-56719)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the stmmac_tso_xmit() function in drivers/net/ethernet/stmicro/stmmac/stmmac_main.c. A local user can escalate privileges on the system.


9) Use-after-free (CVE-ID: CVE-2025-21676)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the fec_enet_tx() and fec_enet_rx_queue() functions in drivers/net/ethernet/freescale/fec_main.c. A local user can escalate privileges on the system.


10) NULL pointer dereference (CVE-ID: CVE-2025-21682)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the bnxt_xdp_set() function in drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c, and within the bnxt_set_ring_params(), bnxt_set_rx_skb_mode() and bnxt_init_one() functions in drivers/net/ethernet/broadcom/bnxt/bnxt.c. A local user can perform a denial of service (DoS) attack.


11) NULL pointer dereference (CVE-ID: CVE-2025-37945)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the phy_link_change() and mdio_bus_phy_suspend() functions in drivers/net/phy/phy_device.c. A local user can perform a denial of service (DoS) attack.


12) Memory leak (CVE-ID: CVE-2025-37980)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the blk_debugfs_remove() function in block/blk-sysfs.c. A local user can perform a denial of service (DoS) attack.


13) Input validation error (CVE-ID: CVE-2025-38105)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the snd_usbmidi_free() and snd_usbmidi_disconnect() functions in sound/usb/midi.c. A local user can perform a denial of service (DoS) attack.


14) Buffer overflow (CVE-ID: CVE-2025-38162)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to memory corruption within the lt_calculate_size(), pipapo_resize(), pipapo_lt_bits_adjust() and pipapo_clone() functions in net/netfilter/nft_set_pipapo.c. A local user can escalate privileges on the system.


15) NULL pointer dereference (CVE-ID: CVE-2025-38192)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference within the bpf_skb_change_protocol(), bpf_skb_proto_4_to_6(), bpf_skb_proto_6_to_4(), bpf_skb_net_grow() and bpf_skb_net_shrink() functions in net/core/filter.c. A local user can perform a denial of service (DoS) attack.


16) Use-after-free (CVE-ID: CVE-2025-38250)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the DEFINE_IDA(), hci_dev_get(), hci_dev_do_reset(), hci_dev_reset(), hci_alloc_dev_priv() and hci_unregister_dev() functions in net/bluetooth/hci_core.c. A local user can escalate privileges on the system.


17) Input validation error (CVE-ID: CVE-2025-38303)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the hci_set_ext_adv_data_sync() and hci_set_adv_data_sync() functions in net/bluetooth/hci_sync.c, and within the eir_create_per_adv_data() and eir_create_adv_data() functions in net/bluetooth/eir.c. A local user can perform a denial of service (DoS) attack.


18) Input validation error (CVE-ID: CVE-2025-38436)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the drm_sched_entity_kill_jobs_work() function in drivers/gpu/drm/scheduler/sched_entity.c. A local user can perform a denial of service (DoS) attack.


19) Improper error handling (CVE-ID: CVE-2025-38626)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling within the f2fs_map_blocks() function in fs/f2fs/data.c. A local user can perform a denial of service (DoS) attack.


20) Use-after-free (CVE-ID: CVE-2025-38659)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the signal_our_withdraw() function in fs/gfs2/util.c. A local user can escalate privileges on the system.


21) Input validation error (CVE-ID: CVE-2025-38704)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within kernel/rcu/tree_nocb.h. A local user can perform a denial of service (DoS) attack.


22) Resource management error (CVE-ID: CVE-2025-39748)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the regs_refine_cond_op() function in kernel/bpf/verifier.c. A local user can perform a denial of service (DoS) attack.


23) Memory leak (CVE-ID: CVE-2025-39764)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ctnetlink_expect_event(), ctnetlink_exp_dump_table(), ctnetlink_exp_ct_dump_table(), ctnetlink_dump_exp_ct() and ctnetlink_get_expect() functions in net/netfilter/nf_conntrack_netlink.c. A local user can perform a denial of service (DoS) attack.


24) Use-after-free (CVE-ID: CVE-2025-39863)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the brcmf_btcoex_detach() function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c. A local user can escalate privileges on the system.


25) Improper locking (CVE-ID: CVE-2025-40005)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the cqspi_indirect_read_execute(), cqspi_indirect_write_execute(), cqspi_exec_mem_op(), cqspi_probe() and cqspi_remove() functions in drivers/spi/spi-cadence-quadspi.c. A local user can perform a denial of service (DoS) attack.


26) Resource management error (CVE-ID: CVE-2025-40016)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within drivers/media/usb/uvc/uvcvideo.h. A local user can perform a denial of service (DoS) attack.


27) Use-after-free (CVE-ID: CVE-2025-40135)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ip6_autoflowlabel() and ip6_xmit() functions in net/ipv6/ip6_output.c. A local user can escalate privileges on the system.


28) Improper locking (CVE-ID: CVE-2025-40219)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the sriov_add_vfs() and sriov_del_vfs() functions in drivers/pci/iov.c. A local user can perform a denial of service (DoS) attack.


29) Improper locking (CVE-ID: CVE-2025-40242)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the gdlm_put_lock() function in fs/gfs2/lock_dlm.c. A local user can perform a denial of service (DoS) attack.


30) Improper locking (CVE-ID: CVE-2025-40261)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the nvme_fc_delete_ctrl() function in drivers/nvme/host/fc.c. A local user can perform a denial of service (DoS) attack.


31) Out-of-bounds read (CVE-ID: CVE-2025-40358)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the walk_stackframe() function in arch/riscv/kernel/stacktrace.c. A local user can perform a denial of service (DoS) attack.


32) Resource management error (CVE-ID: CVE-2025-68206)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the nft_ct_helper_obj_eval() function in net/netfilter/nft_ct.c. A local user can perform a denial of service (DoS) attack.


33) Resource management error (CVE-ID: CVE-2025-68239)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource management error within the bm_register_write() function in fs/binfmt_misc.c. A local user can perform a denial of service (DoS) attack.


34) Use-after-free (CVE-ID: CVE-2025-68265)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nvme_remove_admin_tag_set() and nvme_free_ctrl() functions in drivers/nvme/host/core.c. A local user can escalate privileges on the system.


35) Improper error handling (CVE-ID: CVE-2025-71067)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling within the ntfs_init_from_boot() function in fs/ntfs3/super.c. A local user can perform a denial of service (DoS) attack.


36) Infinite loop (CVE-ID: CVE-2025-71161)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop within the function in drivers/md/dm-verity-target.c. A local user can perform a denial of service (DoS) attack.


37) Use-after-free (CVE-ID: CVE-2025-71221)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the mmp_pdma_residue() function in drivers/dma/mmp_pdma.c. A local user can escalate privileges on the system.


38) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71265)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the ntfs3 file system's attr_load_runs_range function when processing inconsistent metadata. A local attacker can provide a malformed NTFS image to cause a denial of service.

The attacker-controlled NTFS image contains inconsistent metadata where an attribute header indicates an empty run list (evcn=-1 with svcn=0), but directory entries reference it as containing data. After a successful but empty run_unpack() call, the runs_tree remains uninitialized, causing subsequent run_lookup_entry() calls to fail and vcn to increment by zero, resulting in an infinite loop.


39) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71266)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the ntfs3 filesystem when handling a malformed dentry during lookup operations. A local attacker can provide a specially crafted NTFS-3 volume to cause a denial of service.

The attacker manipulates the HAS_SUB_NODE flag and VCN pointer in an INDEX_ENTRY, causing the indx_find() function to enter an infinite loop, repeatedly allocating memory until system resources are exhausted.


40) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2025-71267)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an infinite loop in the ntfs3 file system driver when processing a malformed NTFS image with a zero-sized ATTR_LIST attribute. A local attacker can mount a specially crafted NTFS image to cause a denial of service.

The attacker needs physical or local access to insert or mount the malicious NTFS image; no authentication beyond mounting the filesystem is required. The system becomes unresponsive during mount due to an infinite loop in kernel space.


41) Resource exhaustion (CVE-ID: CVE-2025-71269)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the btrfs filesystem's qgroup data reservation handling when processing file writes that trigger a fallback from inline extent creation. A local user can perform file operations that cause an ENOSPC condition during inline extent creation, leading to incorrect release of qgroup data reservations while still proceeding with the normal COW path, resulting in unbalanced quota accounting and potential denial of service.

The attacker must have the ability to write to a btrfs filesystem and trigger space allocation under conditions of low available space; this typically requires low-privileged local access but does not require administrative privileges beyond standard user write permissions.


42) Incorrect calculation (CVE-ID: CVE-2026-23100)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an incorrect calculation within include/linux/hugetlb.h. A local user can perform a denial of service (DoS) attack.


43) Improper locking (CVE-ID: CVE-2026-23113)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the io_worker_handle_work() function in io_uring/io-wq.c. A local user can perform a denial of service (DoS) attack.


44) Input validation error (CVE-ID: CVE-2026-23141)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the range_is_hole_in_parent() function in fs/btrfs/send.c. A local user can perform a denial of service (DoS) attack.


45) Input validation error (CVE-ID: CVE-2026-23154)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the tcp6_gso_segment() function in net/ipv6/tcpv6_offload.c. A local user can perform a denial of service (DoS) attack.


46) Improper locking (CVE-ID: CVE-2026-23157)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within fs/btrfs/extent_io.h. A local user can perform a denial of service (DoS) attack.


47) Out-of-bounds read (CVE-ID: CVE-2026-23204)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the u32_classify() function in net/sched/cls_u32.c. A local user can perform a denial of service (DoS) attack.


48) Use-after-free (CVE-ID: CVE-2026-23227)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the vidi_store_connection(), vidi_connection_ioctl(), vidi_detect(), vidi_get_modes() and vidi_remove() functions in drivers/gpu/drm/exynos/exynos_drm_vidi.c. A local user can escalate privileges on the system.


49) Use-after-free (CVE-ID: CVE-2026-23231)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nf_tables_addchain() function in net/netfilter/nf_tables_api.c. A local user can escalate privileges on the system.


50) NULL Pointer Dereference (CVE-ID: CVE-2026-23242)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the RDMA/siw component when processing incoming RDMA packets. A local user can trigger improper error handling to cause a denial of service.

Exploitation requires access to the RDMA subsystem and the ability to send crafted packets over TCP. The vulnerability affects the siw (Soft iWarp) driver in the Linux kernel.


51) Out-of-bounds read (CVE-ID: CVE-2026-23243)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a boundary error in the RDMA/umad component when processing user-controlled MAD headers. A local user can send a specially crafted request with mismatched MAD header size and RMPP header length to cause a denial of service.

Exploitation requires access to the RDMA UMAD interface. The vulnerability can trigger an out-of-bounds write in kernel memory, leading to system instability or crash.


52) Buffer over-read (CVE-ID: CVE-2026-23245)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the net/sched: act_gate component when handling action replacement while the hrtimer callback or dump path is walking the schedule list. A local user can trigger a race condition to cause a denial of service.

Exploitation requires access to the network scheduling subsystem and occurs due to lack of proper synchronization during parameter updates.


53) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23253)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in the dvb_ringbuffer component when reopening a DVR device. A local user can open a specially crafted DVR device to cause a denial of service.

The issue arises because dvb_dvr_open() reinitializes the shared waitqueue head, which can orphan existing waitqueue entries from io_uring poll or epoll, leading to stale pointers and potential system instability.


54) Use After Free (CVE-ID: CVE-2026-23270)

The vulnerability allows a local user to cause a use-after-free condition.

The vulnerability exists due to improper memory management in the act_ct action handling within the net/sched subsystem when processing packets in the egress path. A local user can attach the act_ct action to non-clsact/ingress qdiscs and trigger packet classification that returns TC_ACT_CONSUMED while the socket buffer (skb) is still held by the defragmentation engine, leading to a use-after-free condition.

The vulnerability specifically arises when act_ct is used in contexts not designed to handle TC_ACT_CONSUMED, particularly outside clsact/ingress qdiscs and shared blocks. Exploitation requires the ability to configure traffic control (tc) actions, implying local access and privileges to modify qdisc configurations.


55) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CVE-ID: CVE-2026-23271)

The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.

The vulnerability exists due to a race condition in the perf subsystem when handling performance events. A local user can trigger a use-after-free condition during event overflow processing to execute arbitrary code, escalate privileges, and cause a denial of service.

The issue arises from improper synchronization between __perf_event_overflow() and perf_remove_from_context(), where the overflow handler may access memory after it has been freed by context removal routines. The attacker must be able to create and manipulate perf events, which typically requires low-privileged user access to the perf subsystem.


56) Use After Free (CVE-ID: CVE-2026-23273)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.

Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.


57) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23274)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the netfilter xt_IDLETIMER module when processing timer rules with reused labels. A local user can insert a revision 0 IDLETIMER rule with a label that was previously used by a revision 1 rule with XT_IDLETIMER_ALARM, leading to modification of an uninitialized timer_list object, which can trigger debugobjects warnings and potentially cause a kernel panic when panic_on_warn=1 is enabled.

Exploitation requires the ability to load netfilter rules. The impact is limited to denial of service via system crash under specific kernel configurations.


58) NULL Pointer Dereference (CVE-ID: CVE-2026-23277)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the teql network scheduler component when handling packet transmission through a gretap tunnel configured as a TEQL slave. A remote attacker can send a specially crafted network request to trigger a NULL pointer dereference in iptunnel_xmit, leading to a kernel page fault and system crash.

Exploitation does not require authentication or elevated privileges. The issue arises because the skb->dev field is not updated to the slave device before transmission, causing iptunnel_xmit_stats to access uninitialized tstats via a NULL pointer.


59) NULL Pointer Dereference (CVE-ID: CVE-2026-23279)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the mesh_rx_csa_frame() function in the mac80211 subsystem when handling received CSA action frames. A remote user can send a specially crafted SPECTRUM_MGMT/CHL_SWITCH action frame that omits the Mesh Channel Switch Parameters IE but includes valid Mesh ID and Mesh Configuration IEs to cause a kernel NULL pointer dereference.

Exploitation requires an established mesh peer link (PLINK_ESTAB) and no additional authentication beyond open mesh peering.


60) Use After Free (CVE-ID: CVE-2026-23281)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the lbs_free_adapter() function in the Linux kernel's libertas Wi-Fi driver when handling timer cleanup during device adapter release. A local user can trigger the release of the adapter structure while timer callbacks are still executing, leading to access of freed memory and potential execution of arbitrary code or system crash.

Exploitation requires the ability to trigger device cleanup, which is typically available to users with access to network device interfaces.


61) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23284)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the mtk_eth_soc driver when handling eBPF program setup errors. A local user can trigger the mtk_open routine failure in mtk_xdp_setup() to cause a denial of service.

Successful exploitation may lead to system crash or network interface disruption.


62) NULL Pointer Dereference (CVE-ID: CVE-2026-23286)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the ATM LANE (LAN Emulation) module when handling VCC closure. A local user can trigger the closure of a shared atm_vcc, which is referenced by multiple lec_arp_table entries, causing a null-ptr-deref crash during subsequent cleanup attempts.

The issue arises because the cleanup function lec_arp_clear_vccs() does not verify whether the associated private data (vpriv) has already been released, leading to a crash upon dereferencing a NULL pointer in a later iteration.


63) Resource exhaustion (CVE-ID: CVE-2026-23287)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of interrupt completion in the irqchip/sifive-plic component when changing interrupt affinity settings. A local user can trigger a scenario where interrupt completion is silently ignored, leading to a frozen interrupt state and resulting in a denial of service.

The issue arises specifically when interrupt affinity is modified concurrently with interrupt handling, causing the UART port or other interrupt-driven devices to become unresponsive.


64) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23289)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper resource management in the IB/mthca subsystem when handling system calls. A local user can trigger a failed system call path to disclose sensitive information.

The issue arises from a missing mthca_unmap_user_db() call during error handling in mthca_create_srq(), leading to a resource leak that could expose system memory.


65) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-23290)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the pegasus USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to the physical access requirement.


66) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-23291)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the NFC pn533 USB driver when handling device disconnection. A local user can disconnect a USB NFC device to cause a dangling reference, leading to a denial of service.

The issue arises because the USB interface reference obtained during driver probe is not properly released upon disconnection.


67) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23292)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper locking mechanism in the SCSI target subsystem when handling configuration file writes. A local user can provide a specially crafted configuration input to cause recursive semaphore locking, leading to a system crash or hang.

Exploitation requires access to the target's configuration filesystem (configfs) and the ability to write to the db_root parameter. No additional privileges beyond standard configfs access are required.


68) NULL Pointer Dereference (CVE-ID: CVE-2026-23293)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the VXLAN network driver when handling packets. A local user can send a specially crafted IPv6 packet into a VXLAN interface when IPv6 is disabled at boot time to trigger a kernel NULL pointer dereference and crash the system.

Exploitation requires the ability to inject packets into the VXLAN interface, which is typically available to local users or processes with network access.


69) Incorrect Control Flow Scoping (CVE-ID: CVE-2026-23296)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper reference counting in the SCSI core subsystem when handling tagset reference counts during SCSI host teardown. A local user can trigger the removal of a SCSI host to cause a denial of service.

Repeated triggering of the issue may lead to system instability or hang due to unbounded reference accumulation.


70) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2026-23298)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an infinite loop in the ucan driver when processing zero-length messages from a ucan device. A local user can connect a specially crafted ucan device to trigger an infinite loop in ucan_read_bulk_callback(), causing the system to hang.


71) NULL Pointer Dereference (CVE-ID: CVE-2026-23300)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the IPv6 routing subsystem when handling a standalone IPv6 nexthop object referencing the loopback device. A local user can create a specially crafted IPv6 nexthop and reference it from an IPv4 route to trigger a NULL pointer dereference in __mkroute_output(), leading to a system crash.

Successful exploitation may result in a kernel panic and denial of service.


72) Cleartext Storage of Sensitive Information (CVE-ID: CVE-2026-23303)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper output neutralization in the cifs_set_cifscreds function when handling debug logging. A local user can enable debug logging to disclose sensitive information.

The exposure of plaintext usernames and passwords occurs when debug logging is enabled, which may be accessible to local users with access to kernel logs.


73) NULL Pointer Dereference (CVE-ID: CVE-2026-23304)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the IPv6 routing subsystem when processing IPv6 packets. A remote attacker can send a specially crafted IPv6 packet to trigger a NULL pointer dereference in ip6_rt_get_dev_rcu(), leading to a system crash.

Exploitation does not require authentication or user interaction and occurs within the network stack during packet processing.


74) Use After Free (CVE-ID: CVE-2026-23306)

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to a use-after-free in the pm8001_queue_command() function in the SCSI subsystem when handling SCSI commands during a phy down or device gone state. A local user can trigger a double free by issuing a command that leads to the erroneous return of -ENODEV after the task has already been freed, resulting in memory corruption that could lead to arbitrary code execution or privilege escalation.

The vulnerability specifically affects the pm8001 SAS controller driver and requires the ability to issue SCSI commands, which is typically available to local users with access to storage devices.


75) Out-of-bounds read (CVE-ID: CVE-2026-23307)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ems_usb_read_bulk_callback() function in the CAN USB driver when handling USB bulk callback data. A local user can provide specially crafted USB input to cause memory access beyond the buffer bounds, leading to a system crash.

The attacker must have local system access and the ability to interact with the CAN USB driver via USB interface.


76) Uncontrolled Recursion (CVE-ID: CVE-2026-23312)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the kaweth USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered remote as it targets kernel-level USB subsystem handling.


77) Out-of-bounds write (CVE-ID: CVE-2026-23315)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the mt76_connac2_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with an undersized payload to trigger an out-of-bounds write access.

Exploitation does not require authentication or user interaction.


78) NULL Pointer Dereference (CVE-ID: CVE-2026-23317)

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper error handling in the vmw_translate_ptr functions in the drm/vmwgfx subsystem when translating pointers. A local user can trigger a use of an uninitialized pointer to cause out-of-bounds memory accesses and execute arbitrary code.

Successful exploitation may lead to privilege escalation and system compromise.


79) Out-of-bounds read (CVE-ID: CVE-2026-23318)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to improper input validation in the ALSA usb-audio driver when handling USB audio descriptors from a UAC3 device. An attacker with physical access can connect a malicious USB device presenting a truncated UAC3 header to cause out-of-bounds reads, leading to a denial of service.

Exploitation requires physical access to attach a malicious USB device.


80) Use After Free (CVE-ID: CVE-2026-23319)

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the bpf_trampoline_link_cgroup_shim component when handling BPF trampoline link operations. A local user can trigger a race condition to exploit a dangling reference in the cgroup shim trampoline program list and achieve arbitrary code execution or privilege escalation.

The issue arises because the reference count is reduced to zero and the resource is released before all references are fully cleaned up, creating a window where an already-freed resource can be accessed.


81) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23321)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the MPTCP subsystem when handling endpoint removal. A local user can send a specially crafted sequence of netlink commands to trigger a kernel warning and system instability.

The attacker must be able to create and remove MPTCP endpoints with specific flags and manipulate connection states, which requires access to the MPTCP netlink interface.


82) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23324)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the USB CAN driver (etas_es58x) when handling URB (USB Request Block) anchoring in the read bulk callback. A local user can trigger improper submission of an unanchored URB to cause a denial of service.

Exploitation requires access to the CAN device interface and the ability to trigger USB read operations.


83) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-23335)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization of stack memory in the RDMA/irdma subsystem when handling user-space requests. A local user can trigger the creation of an address handle via the irdma_create_user_ah() function to disclose up to 4 bytes of kernel stack memory.

The uninitialized reserved field in the irdma_create_ah_resp structure is copied to user space without being zeroed, leading to a kernel stack information leak.


84) Use After Free (CVE-ID: CVE-2026-23336)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free error in the cfg80211 component when unregistering a wiphy device. A local user can trigger the cancellation of rfkill_block work during wiphy unregistration to execute arbitrary code or cause a denial of service.

The issue arises because the rfkill_block work is not properly cancelled when the wiphy is being unregistered, leading to a use-after-free condition upon subsequent access.


85) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23339)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the nfc: nci component when handling early error paths in nci_transceive(). A local user can trigger error conditions to cause memory leaks.

Memory leaks occur due to failure to free socket buffer (skb) on early error returns, leading to gradual resource exhaustion.


86) Use After Free (CVE-ID: CVE-2026-23340)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a use-after-free in the network scheduler (qdisc) component when resetting transmit queues for lockless qdiscs during changes in the number of real transmit queues. A local user can trigger a race condition between qdisc_reset() and the packet dequeue path, leading to use-after-free and potential execution of arbitrary code or system crash.

Exploitation requires the ability to modify network interface queue configurations, which typically requires local user privileges. The issue affects systems using lockless qdiscs such as pfifo_fast, especially under high network load and frequent queue resizing operations.


87) Integer overflow (CVE-ID: CVE-2026-23343)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service due to memory corruption.

The vulnerability exists due to improper input validation in the XDP (eXpress Data Path) subsystem when handling packet tailroom calculations. A local user can trigger a negative tailroom value that is interpreted as a large unsigned integer, leading to out-of-bounds memory access during XDP frame processing.

The issue arises when Ethernet drivers report fragment sizes smaller than the actual truesize, causing incorrect tailroom computation in functions such as bpf_xdp_frags_increase_tail().


88) Use After Free (CVE-ID: CVE-2026-23351)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.

Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.


89) Type conversion (CVE-ID: CVE-2026-23352)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the EFI boot services memory release mechanism when processing memory map initialization during system boot. A local attacker can trigger the early release of boot services memory before deferred memory map initialization is complete, leading to unfreed memory pages and a memory leak.

The issue specifically occurs on systems with CONFIG_DEFERRED_STRUCT_PAGE_INIT enabled, where memblock_free_late() skips uninitialized pages, resulting in a significant memory leak—up to approximately 140MB on constrained systems like EC2 t3a.nano instances with only 512MB RAM.


90) Unchecked Return Value to NULL Pointer Dereference (CVE-ID: CVE-2026-23356)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of reference counting in the DRBD (Distributed Replicated Block Device) subsystem when processing I/O operations that cross activity log extent boundaries. A local user can trigger a sequence of I/O operations that result in an invalid reference count state, leading to a kernel BUG_ON condition and system crash.

The issue arises because the function drbd_al_begin_io_nonblock() may fail to acquire activity log references even when expected to succeed, yet continues execution without returning an error, resulting in inconsistent reference tracking during later I/O completion.


91) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23357)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper sequence of operations in the mcp251x CAN driver when handling error paths during device open. A local user can trigger the mcp251x_open function error path, which calls free_irq() while holding the mpc_lock mutex, leading to a deadlock if an interrupt is pending, resulting in a denial of service.

Exploitation requires access to the CAN device interface and the ability to trigger the error path in mcp251x_open.


92) Out-of-bounds write (CVE-ID: CVE-2026-23359)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to a boundary error in the BPF devmap component when handling upper device interface indices. A local user can trigger a stack-out-of-bounds write by creating more than MAX_NEST_DEV (8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS and sending a packet to the device, leading to memory corruption.

To exploit this vulnerability, the attacker must have the ability to create macvlan devices and attach XDP programs, which requires local access and privileges to perform network configuration.


93) Memory corruption (CVE-ID: CVE-2026-23362)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the CAN BCM (Broadcast Manager) subsystem when handling runtime updates of bcm_op structures. A local user can send a specially crafted request to trigger a use of an uninitialized spinlock, leading to a system crash.

The issue specifically occurs in the bcm_rx_setup() function, where the bcm_tx_lock is not initialized when the RX_RTR_FRAME flag is set, which can lead to undefined behavior during lock operations.


94) Observable discrepancy (CVE-ID: CVE-2026-23364)

The vulnerability allows a local user to obtain sensitive information.

The vulnerability exists due to improper timing handling in the ksmbd component when comparing message authentication codes (MACs). A local user can leverage timing differences during MAC comparison to infer sensitive information.

Exploitation requires local access and the ability to trigger MAC comparisons through the ksmbd subsystem.


95) Uncontrolled Recursion (CVE-ID: CVE-2026-23365)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.

Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to the physical access requirement.


96) Use of Uninitialized Variable (CVE-ID: CVE-2026-23367)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper initialization in the radiotap parser component when processing radiotap headers with undefined fields. A local user can provide a specially crafted radiotap header containing undefined field 18 to trigger uninitialized memory access and potentially execute arbitrary code.

The issue arises because iterator->_next_ns_data is not initialized when handling undefined fields in the standard radiotap namespace, leading to use of uninitialized data during subsequent checks.


97) Incorrect Register Defaults or Module Parameters (CVE-ID: CVE-2026-23368)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.

The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.


98) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2026-23370)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper output neutralization in the dell-wmi-sysman driver when handling password data. A local user can access kernel logs to disclose sensitive information.

The vulnerability specifically involves the logging of plaintext passwords via a hex dump in the set_new_password() function, which could expose current and new passwords.


99) Use After Free (CVE-ID: CVE-2026-23372)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to use-after-free in the NFC raw socket (rawsock) component when handling socket teardown. A local user can trigger a race condition by terminating a process during active NFC transmission, leading to use-after-free or leaked references.

Exploitation requires an active NFC transmission and process interruption via signal such as SIGKILL.


100) Out-of-bounds write (CVE-ID: CVE-2026-23378)

The vulnerability allows a local user to execute arbitrary code or cause a denial of service.

The vulnerability exists due to improper memory access in the net/sched: act_ife component when updating metadata lists during packet processing. A local user can send a specially crafted request to trigger out-of-bounds memory write via the ife_tlv_meta_encode function.

Exploitation requires the ability to configure or trigger traffic control (tc) actions within the kernel, which is typically available to local users with sufficient privileges to manipulate network scheduling policies.


101) Function Call with Incorrectly Specified Arguments (CVE-ID: CVE-2026-23379)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the ets_offload_change function when handling traffic control (tc) commands for ETS qdisc offloading. A local user can send a specially crafted request to trigger a divide-by-zero error, leading to a kernel oops and system crash.

The issue arises from unsigned 32-bit integer overflows in 'q_sum' and 'q_psum' variables during WRR weight computation, which can result in division by zero in the offload path.


102) NULL Pointer Dereference (CVE-ID: CVE-2026-23381)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the bridge component when handling packets. A remote attacker can send a specially crafted ICMPv6 Neighbor Discovery packet to trigger a kernel NULL pointer dereference.

IPv6 must be disabled via the 'ipv6.disable=1' kernel parameter for the vulnerability to be exploitable.


103) NULL Pointer Dereference (CVE-ID: CVE-2026-23382)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper pointer validation in HID subsystem raw_event callbacks when processing input from unclaimed HID devices. A remote attacker can send specially crafted HID reports to trigger a NULL pointer dereference and crash the system.

Exploitation does not require user interaction or prior authentication.


104) Out-of-bounds write (CVE-ID: CVE-2026-23388)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the Squashfs filesystem component when processing a crafted filesystem image. A local user can mount a malicious Squashfs image to cause a general protection fault and crash the system.

Exploitation requires the ability to mount a specially crafted filesystem image, which typically requires user privileges but not root access.


105) Resource exhaustion (CVE-ID: CVE-2026-23391)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the netfilter xt_CT module when handling packet queueing. A local user can trigger the queuing of packets that reference templates, which, upon removal of the template, are not properly flushed, leading to resource exhaustion and system instability.

Templates such as connection tracking helpers or timeout policies may be removed during module unloading or via nfnetlink_cttimeout, leaving packets enqueued without valid references.


106) Use After Free (CVE-ID: CVE-2026-23392)

The vulnerability allows a local user to execute arbitrary code or escalate privileges.

The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.

Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.


107) Out-of-bounds write (CVE-ID: CVE-2026-23395)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the Bluetooth L2CAP component when handling L2CAP_ECRED_CONN_REQ packets. A remote attacker can send a specially crafted sequence of L2CAP connection requests with the same command identifier to cause an overflow in channel allocation, leading to a denial of service.

Exploitation requires proximity to initiate a Bluetooth connection. The issue arises from failure to check for duplicate command identifiers during Enhanced Credit Control connection setup.


108) NULL pointer dereference (CVE-ID: CVE-2026-23396)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to improper pointer dereference in the mesh_matches_local() function in the Linux kernel's mac80211 subsystem when handling Wi-Fi mesh action frames. An attacker with physical access can send a specially crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE to cause a kernel NULL pointer dereference, resulting in a system crash.

The vulnerability specifically affects Wi-Fi mesh mode processing and requires the attacker to be within radio range to transmit the malicious frame. No authentication or user interaction is required for exploitation.


109) Out-of-bounds read (CVE-ID: CVE-2026-23397)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the nfnetlink_osf component when handling TCP option fingerprints. A remote attacker can send a specially crafted request to cause a denial of service.

Exploitation involves sending malicious TCP packets with zero-length options or MSS options with length less than 4, leading to NULL pointer dereference and out-of-bounds reads during packet matching.


110) NULL pointer dereference (CVE-ID: CVE-2026-23398)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the icmp_tag_validation function when handling ICMP Fragmentation Needed error messages with a quoted inner IP header containing an unregistered protocol number. A remote attacker can send a specially crafted ICMP packet to cause a kernel panic in softirq context.

Exploitation requires the target system to have ip_no_pmtu_disc set to 3 (hardened PMTU mode).


111) Improper resource shutdown or release (CVE-ID: CVE-2026-23401)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of SPTE updates in KVM MMU when installing emulated MMIO SPTEs. A local user can trigger a page fault after host userspace modifies guest memory mappings to switch from memslot to emulated MMIO, leading to an attempt to mark an already present SPTE as MMIO, which results in a kernel warning and potential guest crash. A local user can send a specially crafted request to cause a denial of service.

The issue arises when KVM fails to drop the existing shadow-present SPTE before installing an MMIO SPTE, resulting in inconsistent MMU state and triggering a kernel warning that can crash the guest.


112) Memory leak (CVE-ID: CVE-2026-23414)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in tls_decrypt_async_wait() and the async_hold queue when processing pending asynchronous TLS decrypt operations. A local user can trigger a partial failure during message hold handling to cause a denial of service.

This issue results in a memory leak because cloned skbs added to the async_hold queue may not be released in some fallback paths after pending AEAD operations are synchronized. No user interaction is required.


113) Improper locking (CVE-ID: CVE-2026-23420)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in wlcore when handling wireless operations. A local user can trigger the affected code path to cause a denial of service.

The issue is caused by unlocking wl->mutex without ensuring that it is locked first.


114) Out-of-bounds read (CVE-ID: CVE-2026-23422)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds access in the dpaa2-switch IRQ handler when handling a bad if_id value. A local attacker can trigger an out-of-bounds if_id condition to cause a denial of service.

If an out-of-bounds if_id is detected, the interrupt status is not cleared, which may result in an interrupt storm.


115) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-23426)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a device node reference leak in logicvc_drm_config_parse() when parsing the "layers" node from the device tree. A local user can trigger the vulnerable code path to cause a denial of service.

The issue results from a missing release of the reference returned by of_get_child_by_name(). No user interaction is required.


116) Use-after-free (CVE-ID: CVE-2026-23428)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to use-after-free in smb2_get_ksmbd_tcon compound request handling when processing crafted compound SMB requests. A remote attacker can send a compound request that disconnects a tree connection and then triggers subsequent commands to dereference freed share_conf data to cause a denial of service.

The issue occurs because the compound request reuse path reuses work->tcon without validating that t_state remains TREE_CONNECTED after an SMB2_TREE_DISCONNECT operation.


117) Race condition (CVE-ID: CVE-2026-23434)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nand_lock() and nand_unlock() when serializing lock and unlock operations against other NAND operations. A local user can trigger concurrent NAND operations to cause a denial of service.

The issue occurs because chip->ops.lock_area and unlock_area are called without holding the NAND device lock, which can result in cmd_pending conflicts on the NAND controller during concurrent UBI/UBIFS background erase or write operations.


118) NULL pointer dereference (CVE-ID: CVE-2026-23438)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mvpp2_bm_switch_buffers() when switching between per-cpu and shared buffer pool modes. A local user can trigger a buffer mode switch, such as by changing the MTU across the jumbo frame threshold, to cause a denial of service.

The issue occurs when the CM3 SRAM resource is not present in the device tree, leaving priv->cm3_base NULL while flow control updates are still attempted.


119) NULL pointer dereference (CVE-ID: CVE-2026-23439)

The vulnerability allows a local privileged user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in udp_sock_create6() and its caller fou_create() when handling netlink requests with CONFIG_IPV6 disabled. A local privileged user can send a specially crafted netlink request to cause a denial of service.

Only privileged users can trigger the issue, and exploitation requires a kernel built with CONFIG_IPV6 disabled.


120) Improper locking (CVE-ID: CVE-2026-23446)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper control of interaction with the power management subsystem in aqc111_suspend when handling a suspend callback. A local attacker can trigger a suspend operation to cause a denial of service.

The issue can lead to a hung task in rpm_resume and block another task holding rtnl_lock, which can lock up the networking stack.


121) Double free (CVE-ID: CVE-2026-23449)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.

The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.


122) NULL pointer dereference (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.

The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.


123) Use-after-free (CVE-ID: CVE-2026-23450)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.

The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.


124) Use-after-free (CVE-ID: CVE-2026-23452)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.

The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.


125) Use-after-free (CVE-ID: CVE-2026-23454)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in mana_hwc_destroy_channel() when tearing down hardware channels while interrupt handlers are still executing. A local attacker can trigger concurrent channel teardown and interrupt handling to cause a denial of service.

The issue is caused by a race condition where caller_ctx may be freed before the completion queue and event queue are destroyed, which can lead to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().


126) Out-of-bounds read (CVE-ID: CVE-2026-23455)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.
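
The length wrap described above, shown as an added illustration that is not the kernel's nf_conntrack_h323 code: a 16-bit information element length is decremented to skip the protocol discriminator, once without a zero check and once with it. The struct, function names and sample bytes are hypothetical, and the code only computes the span a decoder would be handed; it never reads the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_USER_USER 0x7e /* Q.931 User-User information element identifier */

/* Where the next decoder would start, and how many bytes it believes it has. */
struct uu_span {
    int    ok;     /* 1 when a span was produced, 0 when the IE was rejected */
    size_t offset; /* payload offset inside the buffer */
    size_t len;    /* payload length handed to the next decoder */
};

/* Constructed samples: [id][len hi][len lo][protocol discriminator][payload...] */
static const uint8_t SAMPLE_VALID[]    = { 0x7e, 0x00, 0x03, 0x05, 0xaa, 0xbb };
static const uint8_t SAMPLE_ZERO_LEN[] = { 0x7e, 0x00, 0x00 };

/* Read the 16-bit IE length and check that it fits in the received bytes. */
static int read_ie_len(const uint8_t *buf, size_t sz, uint16_t *len)
{
    if (sz < 3 || buf[0] != IE_USER_USER)
        return 0;
    *len = (uint16_t)((buf[1] << 8) | buf[2]);
    return *len <= sz - 3; /* a declared length of 0 passes this check */
}

/* Flawed pattern: the decrement is applied without testing for zero. */
static struct uu_span uu_span_unchecked(const uint8_t *buf, size_t sz)
{
    struct uu_span s = { 0, 0, 0 };
    uint16_t len;

    if (!read_ie_len(buf, sz, &len))
        return s;
    len--; /* skip the protocol discriminator; 0 wraps to 0xffff */
    s.ok = 1;
    s.offset = 4;
    s.len = len;
    return s;
}

/* Hardened pattern: an IE too short to hold the discriminator is rejected. */
static struct uu_span uu_span_checked(const uint8_t *buf, size_t sz)
{
    struct uu_span s = { 0, 0, 0 };
    uint16_t len;

    if (!read_ie_len(buf, sz, &len) || len < 1)
        return s;
    len--; /* safe: len is at least 1 here */
    s.ok = 1;
    s.offset = 4;
    s.len = len;
    return s;
}

/* True when the span lies entirely inside the received buffer. */
static int span_in_bounds(struct uu_span s, size_t sz)
{
    return s.ok && s.offset <= sz && s.len <= sz - s.offset;
}

int main(void)
{
    size_t zsz = sizeof(SAMPLE_ZERO_LEN), vsz = sizeof(SAMPLE_VALID);
    struct uu_span bad = uu_span_unchecked(SAMPLE_ZERO_LEN, zsz);
    struct uu_span rej = uu_span_checked(SAMPLE_ZERO_LEN, zsz);
    struct uu_span good = uu_span_checked(SAMPLE_VALID, vsz);

    printf("zero-length, unchecked: ok=%d len=%zu in_bounds=%d\n",
           bad.ok, bad.len, span_in_bounds(bad, zsz));
    printf("zero-length, checked:   ok=%d\n", rej.ok);
    printf("valid, checked:         ok=%d len=%zu in_bounds=%d\n",
           good.ok, good.len, span_in_bounds(good, vsz));
    return 0;
}
```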


127) Out-of-bounds read (CVE-ID: CVE-2026-23456)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in decode_int() in nf_conntrack_h323 when parsing malformed H.323/RAS packets. A remote attacker can send a specially crafted packet to disclose sensitive information.

The issue can result in a 1-4 byte slab out-of-bounds read.


128) Integer overflow (CVE-ID: CVE-2026-23457)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer truncation in nf_conntrack_sip when parsing the SIP Content-Length header in sip_help_tcp() over TCP. A remote attacker can send a specially crafted SIP message with an oversized Content-Length value to cause a denial of service.

On 64-bit systems, a Content-Length value exceeding UINT_MAX can be truncated before the SIP message boundary is computed, causing trailing TCP segment data to be treated as a second SIP message and processed through the SDP parser.
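
The boundary miscalculation described above, shown as an added example that is not the kernel's code: a 64-bit parse result is narrowed to 32 bits before the message end is computed, next to a version that compares in the wide type first. The function names, the `MSG_INCOMPLETE` sentinel and both sample segments are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_INCOMPLETE ((size_t)-1) /* hypothetical "no boundary yet" value */

/* Find the Content-Length value and the start of the body. */
static int find_clen(const char *seg, const char **value, const char **body)
{
    static const char name[] = "Content-Length:";
    const char *h = strstr(seg, name);
    const char *eoh = strstr(seg, "\r\n\r\n");

    if (!h || !eoh || h > eoh)
        return -1;
    h += sizeof(name) - 1;
    while (*h == ' ')
        h++;
    *value = h;
    *body = eoh + 4;
    return 0;
}

/* Flawed pattern: the parsed value is narrowed before it is used. */
static size_t boundary_truncating(const char *seg, size_t seglen)
{
    const char *value, *body;
    unsigned long long parsed;
    uint32_t clen;
    size_t end;

    if (find_clen(seg, &value, &body) < 0)
        return MSG_INCOMPLETE;
    parsed = strtoull(value, NULL, 10);
    clen = (uint32_t)parsed;            /* high bits silently dropped */
    end = (size_t)(body - seg) + clen;
    return end <= seglen ? end : MSG_INCOMPLETE;
}

/* Hardened pattern: range-check in the wide type, then narrow. */
static size_t boundary_checked(const char *seg, size_t seglen)
{
    const char *value, *body;
    char *endp;
    unsigned long long parsed;
    size_t hdr;

    if (find_clen(seg, &value, &body) < 0)
        return MSG_INCOMPLETE;
    if (*value < '0' || *value > '9')
        return MSG_INCOMPLETE;          /* no sign or whitespace tricks */
    errno = 0;
    parsed = strtoull(value, &endp, 10);
    if (endp == value || errno == ERANGE)
        return MSG_INCOMPLETE;
    hdr = (size_t)(body - seg);
    if (parsed > seglen - hdr)
        return MSG_INCOMPLETE;          /* body not fully present */
    return hdr + (size_t)parsed;
}

/* Constructed segments: 4294967301 == 2^32 + 5, body "v=0\r\n" is 5 bytes. */
static const char SEG_OVERSIZED[] =
    "INVITE sip:a@example.invalid SIP/2.0\r\n"
    "Content-Length: 4294967301\r\n\r\n"
    "v=0\r\nTRAILING-BYTES";
static const char SEG_HONEST[] =
    "INVITE sip:a@example.invalid SIP/2.0\r\n"
    "Content-Length: 5\r\n\r\n"
    "v=0\r\nTRAILING-BYTES";

int main(void)
{
    size_t t = boundary_truncating(SEG_OVERSIZED, strlen(SEG_OVERSIZED));
    size_t c = boundary_checked(SEG_OVERSIZED, strlen(SEG_OVERSIZED));

    printf("truncating: next message at offset %zu\n", t);
    printf("checked:    %s\n", c == MSG_INCOMPLETE ? "incomplete" : "boundary");
    return 0;
}
```

With the oversized value, the truncating version reports a boundary five bytes into the body, so the trailing bytes would be parsed as a new message; the checked version treats the segment as incomplete.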


129) Use-after-free (CVE-ID: CVE-2026-23458)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.

The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.


130) NULL pointer dereference (CVE-ID: CVE-2026-23460)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rose_transmit_link in the ROSE socket implementation when closing a socket after a second connect() call is issued while the first connection attempt is still in progress. A local user can trigger repeated connect() calls and then close the socket to cause a denial of service.

The issue occurs when the socket is in TCP_SYN_SENT state and the reconnect path leaves rose->state as ROSE_STATE_1 with rose->neighbour set to NULL before the close path reaches rose_transmit_link().


131) Use-after-free (CVE-ID: CVE-2026-23462)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the HIDP subsystem when handling a user->remove callback without dropping the l2cap_conn reference. A local user can trigger the affected code path to cause a denial of service.

The issue is in the Linux kernel Bluetooth HIDP code path and is evidenced by a kernel crash trace during connection cleanup.


132) Race condition (CVE-ID: CVE-2026-23463)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in qman_destroy_fq when freeing and reallocating dynamic fqids. A local user can trigger concurrent qman_destroy_fq() and qman_create_fq() operations to cause a denial of service.

The issue occurs when QMAN_FQ_FLAG_DYNAMIC_FQID is set and may trigger a WARN_ON() due to inconsistent fq_table state during fqid reuse.


133) Out-of-bounds read (CVE-ID: CVE-2026-23474)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the RedBoot partition table parser when parsing a RedBoot partition table. A local attacker can trigger the parser with crafted partition table data to cause a denial of service.

The issue can lead to a kernel warning and boot crash on systems built with CONFIG_FORTIFY_SOURCE enabled and a recent compiler.


134) NULL pointer dereference (CVE-ID: CVE-2026-23475)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the SPI controller sysfs attributes when handling sysfs attribute access before controller statistics allocation. A remote attacker can access the affected sysfs attributes during this window to cause a denial of service.

The issue occurs because controller per-cpu statistics are not allocated until after the controller has been registered, creating a race window that can crash the kernel.


135) Use-after-free (CVE-ID: CVE-2026-31389)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to use-after-free in the SPI controller registration logic when handling controller registration failure. A local attacker can trigger controller registration failure to cause a denial of service.

The issue occurs if per-cpu statistics allocation fails during controller registration, which can lead to use-after-free of driver resources and unclocked register accesses.


136) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31391)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the atmel-sha204a crypto driver when memory allocation fails during read handling. A local user can trigger memory allocation failure conditions to cause a denial of service.

The issue can block future reads because tfm_count is not decremented after an out-of-memory condition.


137) Improper access control (CVE-ID: CVE-2026-31392)

The vulnerability allows a local user to gain access to a share using incorrect credentials.

The vulnerability exists due to improper access control in the SMB client session matching logic when processing CIFS mounts with sec=krb5 and a username mount option. A local user can mount another share with a different username option to gain access to a share using incorrect credentials.

The issue occurs when Kerberos mounts reuse an SMB session from a previous mount even though a different username was specified, which can cause a mount that should fail with -ENOKEY to proceed with the first user's session.


138) Out-of-bounds read (CVE-ID: CVE-2026-31393)

The vulnerability allows a remote attacker to disclose adjacent memory contents.

The vulnerability exists due to an out-of-bounds read in l2cap_information_rsp() when processing a truncated L2CAP_INFO_RSP packet with a successful result. A remote attacker can send a specially crafted Bluetooth L2CAP response to disclose adjacent memory contents.

The issue occurs because the code reads response payload data beyond the validated fixed header length for L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN cases.


139) Use-after-free (CVE-ID: CVE-2026-31396)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the macb PTP clock handling code when handling ethtool get_ts_info requests while the network interface is present but the PTP clock has been destroyed. A local user can issue a crafted ioctl request to trigger a use-after-free access and cause a denial of service.

The issue is reachable through the get_ts_info ethtool call and affects the Linux kernel macb network driver PTP clock lifecycle.


140) Use-after-free (CVE-ID: CVE-2026-31399)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in nd_async_device_register() when handling asynchronous device initialization after device_add() failure. A local user can trigger the vulnerable code path to cause a denial of service.

The issue occurs because the parent pointer may be accessed after the device reference count drops to zero. No user interaction is required.


141) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31400)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in cache_release when closing a reader file descriptor during a partial read of a cache_request. A local user can close a file descriptor in that state to cause a denial of service.

The issue occurs because the request readers count is decremented without freeing the cache_request when the count reaches zero and CACHE_PENDING is clear, which can result in a memory leak.


142) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)

The vulnerability allows a remote attacker to corrupt heap memory.

The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.

The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.


143) Use-after-free (CVE-ID: CVE-2026-31403)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the /proc/fs/nfs/exports proc entry handling when reading from a still-open file descriptor after the associated network namespace is torn down. A local user can keep the file descriptor open across namespace teardown and perform subsequent reads to cause a denial of service.

The issue occurs because the open file captures the current network namespace and stores its export cache without holding a reference to the namespace for the lifetime of the file descriptor.


144) Out-of-bounds read (CVE-ID: CVE-2026-31405)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to an out-of-bounds read of the extension handler tables in handle_one_ule_extension() when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.

The out-of-bounds value may be dereferenced and called as a function pointer.


145) Use-after-free (CVE-ID: CVE-2026-31408)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.

The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.


146) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31409)

The vulnerability allows a remote user to bypass session isolation.

The vulnerability exists due to improper state management in the ksmbd connection binding state when processing a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING that fails. A remote user can send a failed binding request to bypass session isolation.

The issue occurs because subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table after the connection remains in a binding state.


147) Improper input validation (CVE-ID: CVE-2026-31411)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in sigd_send() when handling sendmsg() input containing a forged vcc pointer. A local user can send a specially crafted message to cause a denial of service.

Exploitation requires control of the ATM signaling daemon role via the ATMSIGD_CTRL ioctl.


148) Integer overflow (CVE-ID: CVE-2026-31412)

The vulnerability allows a remote attacker to cause memory corruption or out-of-bounds access.

The vulnerability exists due to integer overflow in check_command_size_in_blocks() when processing crafted SCSI READ or WRITE commands from a USB host. A remote attacker can send a specially crafted command requesting a large amount of data to cause memory corruption or out-of-bounds access.

The issue occurs because a left shift of the command-derived data size by the logical block size can wrap around and truncate the resulting byte count.


149) Use-after-free (CVE-ID: CVE-2026-31414)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_expect when dumping the helper name via ctnetlink or /proc. A local user can trigger access to freed conntrack helper state to cause a denial of service.

The issue involves unsafe use of nfct_help() without holding a reference to the master conntrack.


150) Integer overflow (CVE-ID: CVE-2026-31415)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in ip6_datagram_send_ctl() when processing repeated IPV6_DSTOPTS control messages. A local user can send specially crafted ancillary data to cause a denial of service.

Exploitation can trigger a kernel panic through skb_under_panic(), and unprivileged exploitation is possible in environments where unprivileged user namespaces are enabled and the attacker can obtain namespaced CAP_NET_RAW.


151) Incorrect calculation (CVE-ID: CVE-2026-31416)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper calculation of netlink header size in nfnetlink_log when processing netlink messages. A local user can send a specially crafted netlink message to cause a denial of service.

The issue results in a kernel warning and the affected netlink message being dropped, with no other explicitly stated effects.


152) Integer overflow (CVE-ID: CVE-2026-31417)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an integer overflow in the x25 packet reassembly logic when accumulating fragmented packets. A local user can send specially crafted packets to cause a denial of service.


153) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31418)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in mtype_del in the ipset netfilter subsystem when deleting entries from buckets containing only deleted slots below the current position. A local user can trigger bucket deletion handling with crafted set operations to cause a denial of service.


154) NULL pointer dereference (CVE-ID: CVE-2026-31421)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in fw_classify() in the cls_fw packet classifier when classifying a packet after attaching an empty cls_fw filter to a shared block using the old method without TCA_OPTIONS. A local user can attach such a filter and trigger packet classification with a nonzero major skb mark to cause a denial of service.

The issue occurs because shared blocks leave block->q NULL in the old-method path.


155) NULL pointer dereference (CVE-ID: CVE-2026-31422)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in flow_change() in the cls_flow classifier when creating a flow filter without a fully qualified baseclass on a shared block. A local user can create such a flow filter to cause a denial of service.


156) Division by zero (CVE-ID: CVE-2026-31423)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a divide-by-zero error in rtsc_min() in the HFSC scheduler when processing crafted traffic control parameters. A local user can supply values that make the truncated divisor become zero to cause a denial of service.

The issue is triggered in the concave-curve intersection path.


157) Improper access control (CVE-ID: CVE-2026-31424)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in xt_check_match/xt_check_target extension validation in x_tables when processing ARP chains through nft_compat. A local user can load a match or target with incompatible hook assumptions to cause a denial of service.

The issue can result in a NULL pointer dereference and kernel panic when extensions registered with NFPROTO_UNSPEC are used on ARP hooks with different semantics.


158) NULL pointer dereference (CVE-ID: CVE-2026-31425)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in rds_ib_get_mr() when processing sendmsg() requests with the RDS_CMSG_RDMA_MAP control message on a connection before IB connection establishment. A local user can send a specially crafted sendmsg request to cause a denial of service.

The issue occurs on a fresh outgoing connection before the rdma_cm_id and queue pair have been created.


159) Use-after-free (CVE-ID: CVE-2026-31426)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in acpi_ec_space_handler() when handling AML evaluation that accesses an EC OpRegion field after probe deferral leaves a stale handler context. A local user can trigger a sysfs read that causes AML to touch an EC OpRegion to cause a denial of service.

The issue occurs on reduced-hardware EC platforms when the GPIO IRQ provider defers probing.


160) Use of Uninitialized Variable (CVE-ID: CVE-2026-31427)

The vulnerability allows a remote attacker to cause incorrect SDP address rewriting.

The vulnerability exists due to use of uninitialized memory in process_sdp in nf_conntrack_sip when processing SDP bodies. A remote attacker can send a specially crafted SDP message to cause incorrect SDP address rewriting.

When stack auto-initialization is enabled, the rewritten session-level addresses may become 0.0.0.0; otherwise, stale stack data may be used.


161) Use of Uninitialized Variable (CVE-ID: CVE-2026-31428)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized padding in the NFULA_PAYLOAD netlink attribute in nfnetlink_log when constructing packet messages for the NFLOG netlink socket. A local user can read the leaked padding bytes to disclose sensitive information.

The issue leaks stale heap contents to userspace when the payload length is not 4-byte aligned.


162) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31431)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper memory handling within the authencesn cryptographic template in algif_aead when processing AEAD operations. A local user can trigger the vulnerable code path to execute arbitrary code on the system.

Note: this vulnerability was dubbed "Copy Fail".


163) Out-of-bounds write (CVE-ID: CVE-2026-31433)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in get_file_all_info() when processing a compound QUERY_DIRECTORY + QUERY_INFO (FILE_ALL_INFORMATION) request. A remote user can send a specially crafted compound request to cause a denial of service.

The issue is triggered when the first command in the compound request consumes nearly the entire maximum transaction size.


164) Memory leak (CVE-ID: CVE-2026-31434)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in create_space_info_sub_group() and check_removing_space_info() when removing sub-group space_info sysfs objects. A local user can trigger creation and removal of these elements to cause a denial of service.

The issue can be reproduced with the blktests zbd/009 test case on systems built with CONFIG_DEBUG_KMEMLEAK.


165) Improper resource shutdown or release (CVE-ID: CVE-2026-31441)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in idxd workqueue reset handling when resetting a workqueue. A local user can trigger a workqueue reset to cause a denial of service.


166) Use-after-free (CVE-ID: CVE-2026-31446)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in ext4 update_super_work when racing with filesystem unmount. A local user can trigger error notification activity during unmount to cause a denial of service.

The issue occurs because sysfs notification may access a freed kernfs_node after sysfs teardown during the race.


167) Improper input validation (CVE-ID: CVE-2026-31447)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ext4 mount handling when mounting a crafted ext4 filesystem with bigalloc enabled and s_first_data_block set to a non-zero value. A local user can mount a specially crafted filesystem image to cause a denial of service.


168) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31448)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_ext_map_blocks() and ext4_xattr_block_set() when handling mkdir or mknod operations after a failed extent insertion. A local user can trigger filesystem operations that leave residual extent metadata to cause a denial of service.

The issue can result in an infinite loop and prolonged blocking while the inode lock is not released.


169) Race condition (CVE-ID: CVE-2026-31450)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.

The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.


170) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31452)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.

The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.


171) Use-after-free (CVE-ID: CVE-2026-31453)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfsaild_push_item tracepoint handling when processing log item push callbacks after the AIL lock is dropped. A local user can trigger background inode reclaim or dquot shrinker activity to cause a denial of service.


172) Use-after-free (CVE-ID: CVE-2026-31454)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in xfs_inode_item_push() and xfs_qm_dquot_logitem_push() when performing buffer I/O after dropping the AIL lock in push callbacks. A local user can trigger log item reclaim and subsequent dereference of a freed li_ailp pointer to cause a denial of service.


173) Race condition (CVE-ID: CVE-2026-31455)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in xfs_unmount_flush_inodes() when unmounting an XFS filesystem while background reclaim and inodegc are still running. A local user can trigger filesystem unmount operations to cause a denial of service.

The issue occurs because inodegc can dirty and insert inodes into the AIL during the flush, while background reclaim can race to abort and free dirty inodes.


174) Out-of-bounds read (CVE-ID: CVE-2026-31464)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in ibmvfc_alloc_targets() when processing a discover targets MAD response from a VIO server. A remote attacker can return a crafted num_written value exceeding max_targets to disclose sensitive information.

The out-of-bounds data is embedded in Implicit Logout and PLOGI MADs sent back to the VIO server.


175) Race condition (CVE-ID: CVE-2026-31466)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in softleaf_to_folio() and softleaf_to_page() when handling migration entries during concurrent folio splitting and zap_nonpresent_ptes() processing. A local user can trigger the race to cause a denial of service.

The issue can result in VM_WARN_ON_ONCE() being triggered, and on systems before commit 93976a20345b it can manifest as a BUG_ON().


176) Resource exhaustion (CVE-ID: CVE-2026-31467)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the erofs bio completion path when processing decompression in process context. A local user can trigger memory pressure during this operation to cause a denial of service.

The issue can lead to a deadlock when memory reclaim causes swap I/O through submit_bio_wait.


177) Use-after-free (CVE-ID: CVE-2026-31469)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the virtio_net driver transmit path when transmitting packets after the network namespace is destroyed while previously queued skbs are still pending. A local user can trigger packet transmission and network namespace teardown to cause a denial of service.

The issue occurs when the virtio_net driver is configured with napi_tx disabled and the device's IFF_XMIT_DST_RELEASE flag is cleared.


178) Use-after-free (CVE-ID: CVE-2026-31473)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the media request and videobuf queue handling code when reinitializing media requests concurrently with queue teardown. A local user can trigger concurrent MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) operations to cause a denial of service.

Only request-capable devices are affected.


179) Improper access control (CVE-ID: CVE-2026-31476)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper access control in ksmbd session binding handling when processing a multichannel session binding request failure. A remote attacker can send a binding request with a wrong password to cause a denial of service.

The issue occurs because the target session looked up during binding can belong to another connection's user.


180) Memory leak (CVE-ID: CVE-2026-31477)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in smb2_lock() when handling error paths after list_del() detaches smb_lock from lock_list. A local user can trigger unexpected error conditions in lock and unlock processing to cause a denial of service.

The issue affects both the non-UNLOCK path on unexpected vfs_lock_file() errors and the UNLOCK path when vfs_lock_file() returns -ENOENT.


181) NULL pointer dereference (CVE-ID: CVE-2026-31477)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in smb2_lock() when processing SMB lock rollback operations after allocation failure. A local user can trigger allocation failure during lock rollback to cause a denial of service.


182) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-31478)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper buffer size calculation in smb2_calc_max_out_buf_len() when handling SMB2 compound read responses. A remote user can send a specially crafted SMB request to cause a denial of service.


183) Deadlock (CVE-ID: CVE-2026-31480)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in the osnoise CPU hotplug handling logic when processing CPU hotplug events while osnoise sleep paths contend for interface_lock. A local user can trigger CPU hotplug activity to cause a denial of service.


184) Observable discrepancy (CVE-ID: CVE-2026-31483)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper restriction of speculative execution in syscall dispatch table handling when processing a user-controlled syscall number. A local user can supply a crafted syscall number to disclose sensitive information.


185) Use-after-free (CVE-ID: CVE-2026-31485)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in the spi-fsl-lpspi driver when tearing down DMA channels during controller removal while a SPI transfer is running. A local user can trigger a concurrent SPI transfer to cause a denial of service.


186) Improper Initialization (CVE-ID: CVE-2026-31492)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in irdma_create_qp and irdma_destroy_qp when handling a failure from ib_copy_to_udata during queue pair creation. A local user can trigger an error during queue pair creation to cause a denial of service.


187) Out-of-bounds write (CVE-ID: CVE-2026-31494)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in gem_get_ethtool_stats when handling ethtool statistics requests for devices with fewer active queues than the maximum supported queues. A local user can send a crafted ioctl request to cause a denial of service.


188) Improper input validation (CVE-ID: CVE-2026-31495)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in ctnetlink when handling netlink attribute values. A local user can send a specially crafted netlink message to cause a denial of service.

The issue involves invalid TCP state, window scale, and flag values accepted through ctnetlink attributes.


189) Improper access control (CVE-ID: CVE-2026-31496)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in nf_conntrack_expect proc handling when reading proc entries. A local user can read expectation entries from other network namespaces to disclose sensitive information.


190) Out-of-bounds read (CVE-ID: CVE-2026-31497)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the btusb driver SCO alternate setting lookup in btusb_work() when processing transparent voice settings with more than three active SCO links. A local user can trigger Bluetooth connection states that cause the driver to index past the end of the alts[] table to cause a denial of service.


191) Resource exhaustion (CVE-ID: CVE-2026-31498)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in the Bluetooth L2CAP ERTM implementation when processing configuration requests and segmenting user-supplied protocol data. A remote attacker can send specially crafted L2CAP configuration data to cause a denial of service.

The issue can be triggered during channel reconfiguration in the connected state, and a zero remote_mps value can lead to an infinite loop that exhausts available memory.


192) Improper access control (CVE-ID: CVE-2026-31503)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the UDP socket bind conflict check when binding a wildcard address after multiple sockets are already bound to the same local port. A local user can bind sockets to multiple specific local addresses on the same port and then bind a wildcard address to bypass conflict detection and cause a denial of service.

The issue affects IPv6 wildcard, IPv4 wildcard, and IPv4-mapped wildcard addresses when the bind bucket count exceeds 10.


193) Use-after-free (CVE-ID: CVE-2026-31504)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.

The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.


194) Double free (CVE-ID: CVE-2026-31507)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in smc_rx_pipe_buf_release() and SMC splice pipe buffer handling when duplicating splice pipe buffers with tee(2) or splice_pipe_to_pipe(). A local user can duplicate an SMC splice buffer to cause a denial of service.

The issue can trigger a slab-use-after-free that leads to a NULL-pointer dereference and kernel panic.


195) Race condition (CVE-ID: CVE-2026-31508)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch port teardown code when unregistering a netdevice. A local user can trigger netdevice unregistration to cause a denial of service.

The issue can occur on PREEMPT_RT kernels if the device is freed before unregistration completes.


196) Improper locking (CVE-ID: CVE-2026-31509)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an improper lock handling issue in nci_close_device when flushing rx_wq and tx_wq while holding req_lock. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can result in a circular locking dependency and has been observed during execution of the nci selftest on debug kernels.


197) NULL pointer dereference (CVE-ID: CVE-2026-31510)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in l2cap_sock_ready_cb when handling L2CAP connection state changes. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can lead to a kernel panic.


198) Out-of-bounds read (CVE-ID: CVE-2026-31512)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in l2cap_ecred_data_rcv() when processing a crafted L2CAP Enhanced Credit Based Flow Control data packet with less than 2 bytes of data. A remote attacker can send a specially crafted Bluetooth packet to disclose sensitive information.


199) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.


200) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31518)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in esp_output_tail_tcp when handling a full espintcp TX queue with asynchronous crypto. A local user can trigger packet processing errors to cause a denial of service.

The issue occurs when asynchronous crypto is used instead of synchronous crypto.


201) Race condition (CVE-ID: CVE-2026-31519)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in btrfs subvolume lookup and orphan cleanup handling when looking up a subvolume after dentry cache eviction with concurrent delayed iputs and unlink activity. A local user can trigger concurrent filesystem operations to cause a denial of service.

The issue can result in a negative dentry being created for a valid subvolume, causing filesystem operations on that subvolume to fail and potentially abort the filesystem.


202) Memory leak (CVE-ID: CVE-2026-31520)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in apple_report_fixup() in the HID apple driver when processing crafted HID report descriptors. A local user can connect or emulate a crafted HID device to cause a denial of service.


203) Out-of-bounds read (CVE-ID: CVE-2026-31521)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in simplify_symbols() when parsing a crafted module ELF file with an invalid section index. A local user can load a specially crafted module to cause a denial of service.

This can be triggered when the module ELF legitimately uses SHN_XINDEX or when the file is corrupted.


204) Memory leak (CVE-ID: CVE-2026-31522)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in magicmouse_report_fixup() when processing HID report descriptors. A local user can trigger the vulnerable code path to cause a denial of service.


205) Race condition (CVE-ID: CVE-2026-31523)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in nvme-pci polled queue handling when polling a queue during a reset while queue mappings are being updated. A local user can change the polled queue count at run time to trigger double completions and cause a denial of service.

The issue occurs during a brief window before the block layer has updated the queue maps.


206) Out-of-bounds read (CVE-ID: CVE-2026-31524)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in asus_report_fixup() when copying the HID report descriptor. A local user can attach or interact with a crafted device descriptor to cause a denial of service.


207) Use-after-free (CVE-ID: CVE-2026-31533)

The vulnerability allows a local user to cause a use-after-free.

The vulnerability exists due to a use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.

The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.


208) NULL pointer dereference (CVE-ID: CVE-2026-31540)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the i915 driver suspend handling path when suspending a system without i915 driver firmware binaries present. A local user can trigger a suspend operation to cause a denial of service.

The issue occurs because the set_default_submission function pointer may be unset and still dereferenced during suspend.


209) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31545)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource handling in the nxp-nci driver GPIO handling logic when operating GPIOs connected to I2C GPIO expanders. A local user can trigger the vulnerable code path to cause a denial of service.

The issue results in a kernel WARN_ON condition.


210) NULL pointer dereference (CVE-ID: CVE-2026-31546)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in bond_debug_rlb_hash_show when reading debugfs entries for RLB hash-table entries with no assigned slave. A local user can read the affected debugfs entry to cause a denial of service.

The issue occurs when an entry remains on the rx_hashtbl_used_head list with its slave pointer set to NULL.


211) Race condition (CVE-ID: CVE-2026-31548)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in cfg80211 PMSR handling when closing the nl80211 socket that originated a PMSR request while the interface is concurrently being torn down. A local user can trigger concurrent abort processing and interface teardown to cause a denial of service.

The issue can result in the driver's abort_pmsr callback operating on a torn-down interface.


212) NULL pointer dereference (CVE-ID: CVE-2026-31549)

The vulnerability allows an attacker with physical access to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the cp2615 driver probe routine when probing a malicious USB device that lacks a serial string. An attacker with physical access can connect a specially crafted device to trigger a NULL pointer dereference and cause a denial of service.


213) Resource exhaustion (CVE-ID: CVE-2026-31550)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper timeout handling in bcm2835_asb_control() when handling runtime power management suspend operations for V3D. A local user can trigger intensive workloads to cause a denial of service.

The issue can leave V3D in a broken state, leading to bus faults or system hangs on later accesses.


214) Race condition (CVE-ID: CVE-2026-31551)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in aql_enable_write in the mac80211 debugfs interface when handling concurrent write operations to debugfs. A local user can perform concurrent writes to the aql control file to cause a denial of service.


215) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2026-31552)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper error handling in wlcore_tx_work_locked() when processing transmit frames after memory allocation for skb headroom fails. A local user can trigger memory allocation failure during packet transmission to cause a denial of service.

The issue can lead to an infinite retry loop and a CPU soft lockup.


216) Use-after-free (CVE-ID: CVE-2026-31555)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of a stale pointer in the futex_lock_pi() retry path in kernel/futex/core.c when retrying priority-inheritance futex locking after owner exit handling. A local user can trigger repeated futex_lock_pi() operations to cause a kernel warning and crash.


217) Improper resource shutdown or release (CVE-ID: CVE-2026-31563)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the macb TX SKB freeing logic when freeing transmitted socket buffers in an IRQ-disabled context. A local user can trigger network traffic processing to cause a denial of service.


218) Deadlock (CVE-ID: CVE-2026-31565)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in the irdma RDMA subsystem when executing a netdev reset while RDMA applications have active connections. A local user can trigger a netdev reset during active RDMA connections to cause a denial of service.

The issue occurs during device removal in iWARP mode when client cleanup creates a circular dependency involving QP reference counting.


219) Use-after-free (CVE-ID: CVE-2026-31566)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in amdgpu_amdkfd_submit_ib() when waiting for GPU job completion after submitting a GPU job. A local user can trigger the vulnerable code path to cause a denial of service.


220) Out-of-bounds write (CVE-ID: CVE-2026-31570)

The vulnerability allows a local user to cause a denial of service or corrupt memory.

The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.

Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.


221) Information disclosure (CVE-ID: CVE-2026-31628)

The vulnerability allows a local attacker to disclose sensitive information.

The vulnerability exists due to improper isolation of partial divider results in x86 CPU handling when executing division operations on Zen1 processors. A local attacker can run a thread that observes residual partial results from previous operations to disclose sensitive information.

Exploitation requires another thread to access leaked partial results left by a previous operation under certain circumstances.


222) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31634)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a reference count leak in rxrpc_server_keyring() when handling RxRPC server keyring setup. A local user can trigger the vulnerable code path to cause a denial of service.


223) Integer underflow (CVE-ID: CVE-2026-31649)

The vulnerability allows a local user to disclose sensitive information and cause memory corruption.

The vulnerability exists due to an integer underflow in the jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.

On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.


224) NULL pointer dereference (CVE-ID: CVE-2026-31651)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the vub300 mmc driver disconnect handler when disconnecting the device. A local user can trigger a device disconnect to cause a denial of service.

The issue may also lead to a use-after-free condition.


225) Use-after-free (CVE-ID: CVE-2026-31656)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in intel_engine_park_heartbeat when racing the heartbeat worker and request retirement paths while releasing engine->heartbeat.systole. A local user can trigger concurrent request retirement and heartbeat handling to cause a denial of service.

The issue arises because the same systole request can be released twice after a stale non-NULL pointer is observed in a non-atomic read-and-clear sequence.


226) Use-after-free (CVE-ID: CVE-2026-31657)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the batman-adv BLA claim handling code when processing netlink claim dump operations or checking claims. A local user can trigger concurrent claim updates and reader access to dereference a freed backbone gateway pointer to cause a denial of service.


227) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31658)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in tse_start_xmit() when handling DMA mapping failures. A local user can trigger DMA mapping failures to cause a denial of service.


228) Heap-based buffer overflow (CVE-ID: CVE-2026-31659)

The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in batadv_tt_prepare_tvlv_global_data() when processing an oversized global TT response from a remote originator. A remote attacker can advertise a large global TT to trigger a wrapped allocation and write past the end of the heap object to cause a denial of service or execute arbitrary code.


229) NULL pointer dereference (CVE-ID: CVE-2026-31660)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in pn532_receive_buf() when processing received bytes. A local user can trigger an allocation failure during frame reception to cause a denial of service.


230) Improper resource shutdown or release (CVE-ID: CVE-2026-31661)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory management in the brcmsmac driver when freeing DMA-coherent memory. A local user can trigger the vulnerable code path to cause a denial of service.


231) Integer underflow (CVE-ID: CVE-2026-31662)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an integer underflow in tipc_group_proto_rcv() when handling duplicate or stale GRP_ACK_MSG messages. A remote attacker can send duplicate group acknowledgment messages to cause a denial of service.

After the counter wraps, group broadcasts on the affected socket remain blocked until the group is recreated.


232) Use of uninitialized resource (CVE-ID: CVE-2026-31664)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory exposure in build_polexpire() when sending netlink multicast notifications to XFRMNLGRP_EXPIRE listeners. A local user can receive a crafted expiration notification to disclose sensitive information.

The issue leaks trailing padding bytes from struct xfrm_user_polexpire to userspace.


233) Use-after-free (CVE-ID: CVE-2026-31665)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nft_ct_timeout_obj_destroy() when destroying timeout objects during concurrent packet processing. A local user can trigger concurrent packet processing and object destruction to cause a denial of service.

The issue arises because other CPUs may still hold RCU-protected references to the timeout object.


234) Improper locking (CVE-ID: CVE-2026-31667)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock management in the uinput force-feedback handling path when processing force-feedback operations and device lifecycle events. A local user can trigger a circular locking dependency to cause a denial of service.

The issue can be triggered when using a force-feedback gamepad with uinput.


235) Improper access control (CVE-ID: CVE-2026-31668)

The vulnerability allows a local user to bypass routing policy restrictions.

The vulnerability exists due to improper access control in the seg6 lwtunnel dst_cache handling when processing input and output paths in different routing contexts. A local user can trigger packet processing through one path so that the other path reuses an incorrect cached destination to bypass routing policy restrictions.

The issue occurs because a single destination cache is shared between seg6_input_core() and seg6_output_core(), even though these paths may perform SID lookup under different routing contexts such as ingress-interface-based rules or VRF table separation.


236) Use-after-free (CVE-ID: CVE-2026-31669)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.

The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.


237) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-31670)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the rfkill event handling logic when userspace creates rfkill events without consuming them from the rfkill file descriptor. A local user can create an unlimited number of pending rfkill events to cause a denial of service.

The issue can lead to an out-of-memory condition on systems configured to allow userspace to create such events.


238) Improper Initialization (CVE-ID: CVE-2026-31671)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in build_report() when copying a xfrm_user_report structure to userspace. A local user can trigger the affected code path to disclose sensitive information.

The issue is caused by uninitialized padding bytes in the structure being exposed to userspace.


239) Improper resource shutdown or release (CVE-ID: CVE-2026-31672)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the rt2x00usb USB driver when unbinding the driver from a USB interface without physically disconnecting the device. A local user can trigger driver unbind conditions to cause a denial of service.

This can occur during probe deferral or configuration changes.


240) Out-of-bounds read (CVE-ID: CVE-2026-31674)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rt_mt6() when processing a malformed rt match rule with an oversized addrnr value. A local user can install a specially crafted rule to cause a denial of service.


241) Race condition (CVE-ID: CVE-2026-31678)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the openvswitch tunnel device destruction path when destroying a tunnel vport after device unregistration. A local user can trigger concurrent access to a detached device reference to cause a denial of service.


242) Improper input validation (CVE-ID: CVE-2026-31679)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in openvswitch SET/SET_MASKED action handling for OVS_KEY_ATTR_MPLS when processing crafted MPLS action payload lengths. A local user can send a specially crafted request to cause a denial of service.


243) Use-after-free (CVE-ID: CVE-2026-31680)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in ip6fl_seq_show() when reading /proc/net/ip6_flowlabel concurrently with flowlabel release. A local user can trigger concurrent access to dereference freed option state and cause a denial of service.

The issue occurs because the flowlabel remains reachable through the global hash table under RCU after its option state has been freed.


244) Out-of-bounds read (CVE-ID: CVE-2026-31682)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.


245) Heap-based buffer overflow (CVE-ID: CVE-2026-31683)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a buffer overflow in batman-adv OGM aggregation handling when aggregating forwarded packets after OGM aggregation state is toggled at runtime. A local user can trigger aggregation with insufficient skb tailroom to cause a denial of service.


246) Improper Initialization (CVE-ID: CVE-2026-31689)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization in edac_mc_alloc() when handling a failed mci->pvt_info allocation. A local user can trigger the vulnerable error path to cause a denial of service.

The issue occurs because put_device() may invoke the device release function before device initialization has completed.


247) Use-after-free (CVE-ID: CVE-2026-31695)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the virt_wifi net device handling when performing ethtool operations on a virt_wifi device that is being unregistered. A local user can send a specially crafted netlink message to trigger the use-after-free and cause a denial of service.

The issue occurs because the device parent reference may point to freed memory during unregister processing.


248) Stack-based buffer overflow (CVE-ID: CVE-2026-31720)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in f_audio_complete() in the f_uac1_legacy USB gadget function driver when handling host-controlled USB control requests. A remote attacker can send a specially crafted USB control request with an oversized length value to cause a denial of service.

The issue arises because request data is copied into a fixed-size 4-byte stack variable using a host-influenced length.


249) Improper Initialization (CVE-ID: CVE-2026-31721)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper initialization of wait queues in f_hid when re-binding the UDC while a previously opened /dev/hidg0 file descriptor remains registered with epoll. A local user can use the file descriptor in epoll operations across unbind and rebind events to cause a denial of service.

The issue is triggered when the same file descriptor is used with EPOLL_CTL_ADD before unbinding and with EPOLL_CTL_DEL after rebinding.


250) NULL pointer dereference (CVE-ID: CVE-2026-31726)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition leading to a NULL pointer dereference in the uvc gadget driver release and disconnect paths when resuming or aborting a suspend during gadget unbind. A local user can trigger a power management transition during device unbind to cause a denial of service.

The issue occurs because freezing user space processes can abort the unbind wait early, after which the V4L2 release path may access a nullified gadget pointer.


251) Race condition (CVE-ID: CVE-2026-31728)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the u_ether gadget driver when handling concurrent disconnect and stop operations. A local user can trigger concurrent gether_disconnect() and eth_stop() execution to cause a denial of service.

The issue can lead to a kernel NULL pointer dereference followed by a hardlockup.


252) Improper resource shutdown or release (CVE-ID: CVE-2026-31737)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in ftgmac100_alloc_rings() when opening the network device. A local user can trigger an open failure to cause a denial of service.


253) Out-of-bounds read (CVE-ID: CVE-2026-31738)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in vxlan_na_create when parsing neighbor discovery options. A remote attacker can send a specially crafted packet to cause a denial of service.


254) Out-of-bounds read (CVE-ID: CVE-2026-31747)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in me4000_xilinx_download() when parsing a crafted firmware file. A local user can supply a specially crafted firmware file to cause a denial of service.

The issue occurs because the function reads a length value from the first 4 bytes of the firmware and then reads data from offset 16 onward without ensuring the supplied firmware is large enough to contain the declared data stream.


255) Out-of-bounds read (CVE-ID: CVE-2026-31748)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in me2600_xilinx_download() when parsing a crafted firmware file. A local user can provide a specially crafted firmware file to cause a denial of service.

The issue occurs because the data stream length is read from the first 4 bytes of the firmware and the function reads data from offset 16 without verifying that the supplied firmware contains the full data stream.


256) NULL pointer dereference (CVE-ID: CVE-2026-31749)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the ni_atmio16d driver detach handler when cleaning up after a failed attach operation. A local user can trigger a failed attach operation to cause a denial of service.

The issue occurs because the detach path may call the reset routine before the device has been fully initialized.


257) Improper input validation (CVE-ID: CVE-2026-31751)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper hardware presence validation in the dt2815 driver when handling COMEDI_DEVCONFIG ioctl requests with arbitrary I/O port addresses. A local user can attach the driver to a non-existent I/O port to cause a denial of service.

The issue can result in a kernel page fault during write operations when no hardware is present at the specified port.


258) Out-of-bounds read (CVE-ID: CVE-2026-31752)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing malformed neighbor discovery options. A remote attacker can send a specially crafted neighbor solicitation packet to cause a denial of service.


259) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31754)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the cdns3 gadget role-switch handling when switching from a failed gadget initialization to host mode via sysfs. A local user can trigger a role switch after gadget startup failure to cause a denial of service.

The issue can result in a synchronous external abort in xhci_gen_setup() during host controller setup.


260) NULL pointer dereference (CVE-ID: CVE-2026-31755)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in __cdns3_gadget_ep_queue() when queueing requests on a disabled or unconfigured gadget endpoint. A local user can trigger the vulnerable code path to cause a denial of service.


261) Improper locking (CVE-ID: CVE-2026-31756)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock management in dwc2_hsotg_udc_stop() when stopping the USB gadget controller. A local user can trigger the vulnerable code path to cause a denial of service.

The issue can result in a deadlock because a spin unlock operation is performed without the required lock being held, after which the lock may remain held for a later locking operation in the same function.


262) Use-after-free (CVE-ID: CVE-2026-31758)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in usbtmc_release when handling pending anchored URBs during device release. A local user can trigger release while anchored URBs are still pending to cause a denial of service.


263) Double free (CVE-ID: CVE-2026-31759)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in ulpi_register_interface() when handling a device registration failure. A local user can trigger the vulnerable error path to cause a denial of service.


264) Race condition (CVE-ID: CVE-2026-31761)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in the mpu3050 gyroscope driver probe function when registering the iio device during device initialization. A local user can trigger concurrent access during initialization to cause a denial of service.


265) Improper resource shutdown or release (CVE-ID: CVE-2026-31762)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in mpu3050_trigger_probe() in drivers/iio/gyro/mpu3050-core.c when handling trigger registration failures after setting up an interrupt handler. A local user can trigger the vulnerable error path to cause a denial of service.


266) Improper resource shutdown or release (CVE-ID: CVE-2026-31763)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the mpu3050 gyroscope driver IRQ teardown logic when removing the driver or tearing down IRQ handling. A local user can trigger the vulnerable code path to cause a denial of service.


267) Memory corruption (CVE-ID: CVE-2026-31768)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper memory handling in the ti-adc161s626 SPI read path when performing spi_read() operations. A local user can trigger the vulnerable code path to cause a denial of service.


268) Division by zero (CVE-ID: CVE-2026-31770)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to division by zero in occ_show_power_1() when reading power sensor data before any samples have been collected. A local user can trigger access to the affected sensor path to cause a denial of service.

This can occur during early boot when the sensor block is present but has not yet been updated.


269) Improper Authentication (CVE-ID: CVE-2026-31773)

The vulnerability allows a remote attacker to bypass authentication requirements.

The vulnerability exists due to improper authentication state handling in the Bluetooth SMP legacy responder STK handling in smp_random() when processing Just Works or Confirm legacy pairing. A remote attacker can initiate a legacy pairing sequence that results in an unauthenticated STK being stored as authenticated to bypass authentication requirements.

The issue affects the legacy responder path and occurs when high security is requested but the pairing flow does not achieve MITM authentication.


270) Out-of-bounds read (CVE-ID: CVE-2026-31776)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds array access in daio_device_index() for the ALSA ctxfi hw20k2 SPDIF1 DAIO type when handling a crafted device type. A local attacker can trigger the vulnerable code path to cause a denial of service.


271) Out-of-bounds read (CVE-ID: CVE-2026-31778)

The vulnerability allows an attacker with physical access to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the ALSA caiaq init_card path when processing a crafted USB device product name. An attacker with physical access can connect a specially crafted USB device to disclose sensitive information.

The issue is triggered by a product name containing many non-ASCII, non-space characters, which can cause a non-null-terminated string to be scanned past the end of a stack buffer.


272) Out-of-bounds read (CVE-ID: CVE-2026-31779)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in iwl_mvm_nd_match_info_handler() when processing a crafted notification packet. A local user can supply a notification with an insufficient packet length to disclose sensitive information.


273) Heap-based buffer overflow (CVE-ID: CVE-2026-31780)

The vulnerability allows a local user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in the wilc1000 SSID scan buffer handling when processing configured SSIDs to scan. A local user can provide a crafted set of SSIDs to trigger a heap-based overwrite to cause a denial of service or execute arbitrary code.

The issue is caused by an integer wraparound in the buffer size calculation, where the accumulated SSID length can exceed the range of an 8-bit value before memory is allocated and copied.
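
The 8-bit wraparound described for CVE-2026-31780, shown beside a checked size calculation. This is an added example, not the wilc1000 driver's code: the struct ssid_entry type, the function names and the count-then-(length, bytes) layout are assumptions made for illustration, and the sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX 32 /* maximum SSID length in 802.11 */
/* Hypothetical scan-list entry, constructed for this example. */
struct ssid_entry {
    uint8_t len;
    uint8_t ssid[SSID_MAX];
};

/* Flawed pattern: the running total lives in 8 bits and wraps modulo 256. */
uint8_t total_len_u8(const struct ssid_entry *s, size_t n)
{
    uint8_t total = 1; /* one byte for the entry count */
    for (size_t i = 0; i < n; i++)
        total = (uint8_t)(total + s[i].len + 1); /* length byte + SSID bytes */
    return total;
}

/* Hardened: size_t total, per-entry bound, reject totals over 8 bits (assumed field width). */
int total_len_checked(const struct ssid_entry *s, size_t n, size_t *out)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++) {
        if (s[i].len > SSID_MAX)
            return -1;
        total += (size_t)s[i].len + 1;
    }
    if (n > UINT8_MAX || total > UINT8_MAX)
        return -1;
    *out = total;
    return 0;
}

/* Serialise as count, then (len, bytes) per entry; allocation and copy share the checked total. */
uint8_t *pack_ssids(const struct ssid_entry *s, size_t n, size_t *out_len)
{
    size_t total;
    uint8_t *buf, *p;
    if (total_len_checked(s, n, &total) != 0 || !(buf = malloc(total)))
        return NULL;
    p = buf;
    *p++ = (uint8_t)n;
    for (size_t i = 0; i < n; i++) {
        *p++ = s[i].len;
        memcpy(p, s[i].ssid, s[i].len);
        p += s[i].len;
    }
    *out_len = total;
    return buf;
}

/* Constructed input: n entries of `len` zero bytes each. */
void fill_entries(struct ssid_entry *s, size_t n, uint8_t len)
{
    memset(s, 0, n * sizeof(*s));
    for (size_t i = 0; i < n; i++)
        s[i].len = len;
}

int main(void)
{
    struct ssid_entry s[10];
    fill_entries(s, 10, SSID_MAX); /* really needs 1 + 10 * 33 = 331 bytes */
    printf("8-bit total: %u\n", (unsigned)total_len_u8(s, 10));
    return 0;
}
```

With ten maximum-length entries the 8-bit total reports 75 bytes for data that needs 331, which is the gap between allocation and copy that the checked version closes by refusing the request.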


274) Observable discrepancy (CVE-ID: CVE-2026-31781)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper restriction of speculative execution in drm_compat_ioctl when processing a user-controlled pointer used as an index into a function pointer table. A local user can supply a crafted index value to disclose sensitive information.

The issue affects the drm compat ioctl path.


275) Out-of-bounds read (CVE-ID: CVE-2026-31786)

The vulnerability allows a local user to disclose sensitive information, cause a denial of service, or escalate privileges.

The vulnerability exists due to an out-of-bounds read in the Xen-related sysfs buildid handler when reading the /sys/hypervisor/properties/buildid sysfs file. A local user can read the crafted sysfs output to disclose sensitive information, cause a denial of service, or escalate privileges.

In rare cases, the issue may also result in writing past the 4 kB sysfs buffer if no zero byte is found in adjacent data.


276) Double free (CVE-ID: CVE-2026-31787)

The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.

The vulnerability exists due to a double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.

Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.


277) Improper Privilege Management (CVE-ID: CVE-2026-31788)

The vulnerability allows a local user to escalate privileges and modify kernel memory contents, breaking secure boot protections.

The vulnerability exists due to improper access control in the Xen privcmd driver when handling hypercalls from user space processes in an unprivileged domU running with secure boot enabled. A local user can exploit this by issuing arbitrary hypercalls to escalate privileges and modify kernel memory, compromising the integrity of the secure boot environment.

Exploitation requires the user to have root privileges within the unprivileged domU guest. The impact is particularly severe when secure boot is enabled, as it allows bypassing memory integrity protections.


278) Double free (CVE-ID: CVE-2026-43011)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a double free in x25_queue_rx_frame and x25_backlog_rcv when processing received X.25 frames after alloc_skb failure. A local attacker can trigger the error path to cause a denial of service.


279) NULL pointer dereference (CVE-ID: CVE-2026-43013)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in mlx5_ldev_add_debugfs() when accessing debugfs entries created without a valid LAG context. A local user can access a specially exposed debugfs interface to cause a denial of service.

The issue occurs when debugfs entries are created even though no valid ldev pointer is available.


280) Improper resource shutdown or release (CVE-ID: CVE-2026-43014)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the macb network driver clock registration handling when unregistering fixed rate clocks. A local user can trigger the affected code path to cause a denial of service.


281) Use-after-free (CVE-ID: CVE-2026-43015)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the macb PCI glue driver clock handling during device removal when unregistering the driver and triggering a runtime resume callback. A local user can unload the affected module to trigger a use-after-free and cause a denial of service.

The issue is triggered during driver removal because a runtime resume callback may still access registered clock objects after the platform device has been unregistered.


282) Improper input validation (CVE-ID: CVE-2026-43017)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the Bluetooth MGMT mesh send handler when processing a crafted MGMT_OP_MESH_SEND command. A local user can send a specially crafted command with a truncated advertising payload length to cause a denial of service.

The issue arises because the supplied flexible adv_data[] array bytes may not match the embedded adv_data_len field, allowing the async mesh send path to read past the end of the queued command buffer.


283) Use-after-free (CVE-ID: CVE-2026-43018)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to a use-after-free in hci_le_remote_conn_param_req_evt when handling Bluetooth LE remote connection parameter request events. A local attacker can trigger concurrent connection handling to cause a denial of service.


284) Stack-based buffer overflow (CVE-ID: CVE-2026-43020)

The vulnerability allows a remote user to cause a denial of service or execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in the Bluetooth MGMT Long Term Key load and reply handling logic when processing a crafted management LTK record with an oversized enc_size value. A remote user can supply a specially crafted LTK record to overflow a reply stack buffer to cause a denial of service or execute arbitrary code.


285) Race condition (CVE-ID: CVE-2026-43023)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition leading to use-after-free in sco_sock_connect() when handling concurrent connect() calls on the same Bluetooth SCO socket. A local user can issue concurrent connect() syscalls on the same socket to cause a denial of service.

The issue can revive a BT_CLOSED and SOCK_ZAPPED socket back to BT_CONNECT during concurrent execution.


286) Improper input validation (CVE-ID: CVE-2026-43024)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in nf_tables verdict handling when processing nftables rules. A local user can create a rule with an immediate NF_QUEUE verdict to cause a denial of service.

The issue is reachable in the arp family even though queue support is not provided there.


287) Out-of-bounds read (CVE-ID: CVE-2026-43025)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in the ctnetlink expectation handling code when processing netlink requests that create expectations with a helper different from the existing master conntrack helper. A remote user can send a specially crafted netlink request to disclose sensitive information.

The issue can allow reading kernel memory bytes beyond the expectation boundary.


288) Use of Uninitialized Variable (CVE-ID: CVE-2026-43026)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to use of uninitialized memory in ctnetlink expectation handling when processing a netlink message without CTA_EXPECT_NAT. A remote user can send a specially crafted netlink message to disclose sensitive information.

The issue can cause stale data from a previous slab allocation to be exposed in a dumped CTA_EXPECT_NAT attribute, and it is relevant only when NAT support is enabled.


289) Use-after-free (CVE-ID: CVE-2026-43027)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.

The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.


290) Improper Null Termination (CVE-ID: CVE-2026-43028)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in x_tables when processing names supplied to functions that expect C strings. A local user can provide a name that lacks a NUL terminator to cause a denial of service.


291) Improper input validation (CVE-ID: CVE-2026-43030)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state validation in regsafe() when verifying pointers to packet. A local user can load a specially crafted BPF program to cause a denial of service.


292) Improper input validation (CVE-ID: CVE-2026-43032)

The vulnerability allows a local attacker to cause a denial of service.

The vulnerability exists due to improper input validation in pn532_receive_buf() when processing malformed UART traffic. A local attacker can send a continuous stream of bytes without a valid frame header to cause a denial of service.


293) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43033)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of high-order sequence bits in authencesn when decrypting data out of place. A local user can trigger out-of-place decryption with a specially crafted data layout to cause a denial of service.


294) Improper Initialization (CVE-ID: CVE-2026-43035)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper initialization in tc_chain_fill_node() when building netlink messages. A local user can trigger the kernel to generate a netlink message to disclose sensitive information.

Kernel heap memory may be exposed to userspace through the 4-byte tcm_info field of struct tcmsg.


295) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.

The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.


296) Out-of-bounds read (CVE-ID: CVE-2026-43038)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.

The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.


297) Improper Initialization (CVE-ID: CVE-2026-43040)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper initialization in ndisc_ra_useropt when processing router advertisements with user options. A remote attacker can send a specially crafted router advertisement to disclose sensitive information.

The issue affects the RTM_NEWNDUSEROPT netlink message because padding fields in the nduseroptmsg structure are not zeroed before being exposed.


298) Memory leak (CVE-ID: CVE-2026-43041)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a memory leak in qrtr_tx_flow when handling radix tree node allocation failures. A local user can trigger allocation failures that leave orphaned internal nodes in the tree to cause a denial of service.


299) NULL pointer dereference (CVE-ID: CVE-2026-43043)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the crypto scatterwalk code when processing sendmsg() operations that chain a new scatter/gather list after an existing list is filled exactly to MAX_SGL_ENTS. A local user can send crafted messages through the AF_ALG interface to cause a denial of service.

The issue is triggered when a subsequent sendmsg() allocates a new scatter/gather list after the previous list's last data entry remains incorrectly marked as the end, leading to a kernel panic.


300) Improper input validation (CVE-ID: CVE-2026-43046)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the btrfs root item handling and relocation recovery code when mounting a btrfs filesystem containing corrupted metadata. A local user can mount a crafted filesystem image to cause a denial of service.

The issue is triggered during relocation recovery at mount time when a root item contains a non-zero drop_progress.objectid together with a zero drop_level.


301) Out-of-bounds write (CVE-ID: CVE-2026-43047)

The vulnerability allows an attacker with physical access to cause a denial of service or perform an out-of-bounds write.

The vulnerability exists due to an out-of-bounds write in the HID multitouch feature report handling when processing a device response to a feature request. An attacker with physical access can provide a malicious device that responds with a mismatched report ID to cause a denial of service or perform an out-of-bounds write.

The issue is triggered when a device returns a different report ID than the one originally requested.


302) Use-after-free (CVE-ID: CVE-2026-43050)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in sock_def_readable() when accessing priv->lecd during concurrent socket teardown. A local user can trigger a race condition to cause a denial of service.

The issue occurs because concurrent code paths dereference priv->lecd without protection while lec_atm_close() clears the pointer and the socket may be freed via RCU.


303) Out-of-bounds read (CVE-ID: CVE-2026-43051)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in wacom_intuos_bt_irq when processing Bluetooth HID reports. A remote attacker can send a specially crafted short report to disclose sensitive information.

Report ID 0x03 requires at least 22 bytes, and report ID 0x04 requires at least 32 bytes.


304) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43054)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in tcm_loop_target_reset() when handling SCSI target reset recovery. A local user can trigger a reset while commands remain in flight to cause a denial of service.

The issue can leak a LUN reference and cause configfs LUN unlink to hang in D-state.


305) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43057)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of checksum offload fallback in the IPv6 GSO fallback logic when processing tunneled IPv6 traffic with extension headers or without an inner IP protocol. A local user can send specially crafted packets to cause a denial of service.

The issue affects tunneled traffic, including cases where the inner header rather than the outer network header must be validated.


Remediation

Install the update from the vendor's website.