SB2026060354 - SUSE update for the Linux Kernel
Published: June 3, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 205 vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2023-20585)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to a boundary error in IOMMU. A local administrator can trigger memory corruption and cause loss of SNP guest data integrity.
2) Improper locking (CVE-ID: CVE-2025-40219)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the sriov_add_vfs() and sriov_del_vfs() functions in drivers/pci/iov.c. A local user can perform a denial of service (DoS) attack.
3) Improper privilege management (CVE-ID: CVE-2025-54518)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in x86 CPU opcode cache handling when executing code on affected AMD Fam17h CPUs. A local user can execute code to escalate privileges.
The issue can permit escalation across privilege boundaries including userspace to kernel and guest to host, and only AMD Fam17h CPUs based on the Zen2 microarchitecture are believed to be affected.
4) Improper locking (CVE-ID: CVE-2025-68310)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the zpci_event_attempt_error_recovery() function in arch/s390/pci/pci_event.c. A local user can perform a denial of service (DoS) attack.
5) Infinite loop (CVE-ID: CVE-2025-71183)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the copy_inode_items_to_log() function in fs/btrfs/tree-log.c. A local user can perform a denial of service (DoS) attack.
6) Double free (CVE-ID: CVE-2025-71238)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the qla2x00_update_optrom() function in drivers/scsi/qla2xxx/qla_bsg.c. A local user can perform a denial of service (DoS) attack.
7) Improper locking (CVE-ID: CVE-2026-23168)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the fprop_global_destroy() function in lib/flex_proportions.c. A local user can perform a denial of service (DoS) attack.
8) Use-after-free (CVE-ID: CVE-2026-23209)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the macvlan_common_newlink() function in drivers/net/macvlan.c. A local user can escalate privileges on the system.
9) Memory leak (CVE-ID: CVE-2026-23236)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ufx_ops_ioctl() function in drivers/video/fbdev/smscufx.c. A local user can perform a denial of service (DoS) attack.
10) NULL pointer dereference (CVE-ID: CVE-2026-23237)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the cmpc_accel_sensitivity_show_v4(), cmpc_accel_sensitivity_store_v4(), cmpc_accel_g_select_show_v4(), cmpc_accel_g_select_store_v4(), cmpc_accel_open_v4(), cmpc_accel_sensitivity_show() and cmpc_accel_sensitivity_store() functions in drivers/platform/x86/classmate-laptop.c. A local user can perform a denial of service (DoS) attack.
11) Double free (CVE-ID: CVE-2026-23239)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the espintcp_close() function in net/xfrm/espintcp.c. A local user can perform a denial of service (DoS) attack.
12) Double free (CVE-ID: CVE-2026-23240)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a double free error within the tls_sw_cancel_work_tx() function in net/tls/tls_sw.c. A local user can perform a denial of service (DoS) attack.
13) Buffer over-read (CVE-ID: CVE-2026-23245)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the net/sched: act_gate component when handling action replacement while the hrtimer callback or dump path is walking the schedule list. A local user can trigger a race condition to cause a denial of service.
Exploitation requires access to the network scheduling subsystem and occurs due to lack of proper synchronization during parameter updates.
14) Out-of-bounds write (CVE-ID: CVE-2026-23246)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a boundary error in the wifi: mac80211 component when handling ML Reconfiguration elements. A remote attacker can send a specially crafted wireless packet to execute arbitrary code.
Exploitation involves sending a malicious ML Reconfiguration element with a link_id value of 15, which exceeds the valid index range of the link_removal_timeout array, resulting in a stack-based out-of-bounds write.
15) Exposure of resource to wrong sphere (CVE-ID: CVE-2026-23253)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization in the dvb_ringbuffer component when reopening a DVR device. A local user can open a specially crafted DVR device to cause a denial of service.
The issue arises because dvb_dvr_open() reinitializes the shared waitqueue head, which can orphan existing waitqueue entries from io_uring poll or epoll, leading to stale pointers and potential system instability.
16) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23260)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper memory management in the regmap maple tree component when storing a newly allocated block. A local user can trigger a failure in the storage operation to cause memory disclosure.
Memory allocated for a new entry is not freed on failure of mas_store_gfp(), potentially exposing uninitialized memory contents. The issue requires the ability to write to regmap-controlled hardware registers, typically available to privileged users.
17) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23261)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory resource management in the NVMe/FC controller initialization component when processing controller setup operations. A local user can trigger a failure during controller initialization to cause a denial of service.
The issue arises because the admin tagset is not released if initialization fails, leading to memory resource leaks. This requires the ability to create and initialize an NVMe/FC controller, which is restricted to users with appropriate privileges.
18) Out-of-bounds write (CVE-ID: CVE-2026-23262)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption and incorrect statistics reporting.
The vulnerability exists due to improper buffer size management in the gve driver's statistics reporting region when changing the number of queues. A local user can trigger a queue count change to cause the NIC to write past the allocated stats region or create gaps in stats reporting.
The issue arises because the driver and NIC miscalculate offsets into the shared memory region during queue count changes, potentially leading to memory corruption or incorrect statistics.
19) Type conversion (CVE-ID: CVE-2026-23264)
CWE-ID: CWE-704 - Type conversion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service, escalate privileges, or execute arbitrary code.
The vulnerability exists due to improper logic in the DRM/AMD GPU driver when handling PCIe ASPM (Active State Power Management) configuration for multi-GPU systems. A local user can trigger incorrect ASPM state evaluation on a system with multiple AMD GPUs where only one supports ASPM, leading to system crashes or instability that may be exploited to escalate privileges or execute arbitrary code.
The vulnerability specifically affects systems with two AMD GPUs where only one supports ASPM, and the flaw arises from reintroducing a previously reverted commit that did not account for per-device ASPM evaluation.
20) Symbolic Name not Mapping to Correct Object (CVE-ID: CVE-2026-23266)
CWE-ID: CWE-386 - Symbolic Name not Mapping to Correct Object
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide error in the fbdev: rivafb component when handling FBIOPUT_VSCREENINFO ioctl calls. A local user can send a specially crafted request to cause a divide error and crash the kernel.
The attacker can trigger the issue by calling FBIOPUT_VSCREENINFO on /dev/fb* with a malicious or misconfigured device that causes the state->mclk_khz value to be zero, leading to a division by zero in nv3_arb().
21) Improper Access Control (CVE-ID: CVE-2026-23268)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges, modify AppArmor security policies, and cause a denial of service.
The vulnerability exists due to improper access control in the AppArmor policy management interface when handling file descriptor operations. A local user can open the apparmorfs interface and pass the file descriptor to a privileged process, tricking it into performing privileged policy management operations on behalf of the user.
The user must have access to a privileged process that can be manipulated to write to the AppArmor interface. Once exploited, the user can load, replace, or remove AppArmor profiles, leading to removal of confinement, denial of service by blocking application execution, bypassing user namespace restrictions, and potentially enabling local privilege escalation via kernel exploits.
22) Out-of-bounds read (CVE-ID: CVE-2026-23269)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the AppArmor subsystem's DFA state table validation when processing untrusted policy data. A local user can provide a specially crafted AppArmor policy with an out-of-bounds start state to trigger an out-of-bounds read during policy unpacking.
Exploitation requires the ability to load or modify AppArmor policies, which typically requires privileged access. The out-of-bounds read may expose contents of kernel memory.
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a race condition in the perf subsystem when handling performance events. A local user can trigger a use-after-free condition during event overflow processing to execute arbitrary code, escalate privileges, and cause a denial of service.
The issue arises from improper synchronization between __perf_event_overflow() and perf_remove_from_context(), where the overflow handler may access memory after it has been freed by context removal routines. The attacker must be able to create and manipulate perf events, which typically requires low-privileged user access to the perf subsystem.
24) Use After Free (CVE-ID: CVE-2026-23273)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in the macvlan component of the Linux kernel when handling network interface creation errors. A local attacker can send a specially crafted netlink message to trigger improper RCU grace period handling during macvlan device creation, leading to a use-after-free condition.
Exploitation does not require elevated privileges and can result in a system crash due to access of already freed memory in the kernel network stack.
25) Uncontrolled Recursion (CVE-ID: CVE-2026-23276)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) when handling network packets in a specific tunnel and bonding configuration. A remote attacker can send specially crafted network traffic that triggers infinite recursion between bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), leading to kernel stack overflow and system crash.
The issue specifically occurs when a bond device in broadcast mode has GRE tap interfaces as slaves and those GRE tunnels route back through the bond, causing multicast/broadcast traffic to trigger unbounded recursion. The existing XMIT_RECURSION_LIMIT is insufficient because tunnel recursion consumes more stack per level due to route lookups and full IP output processing.
26) NULL Pointer Dereference (CVE-ID: CVE-2026-23279)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the mesh_rx_csa_frame() function in the mac80211 subsystem when handling received CSA action frames. A remote user can send a specially crafted SPECTRUM_MGMT/CHL_SWITCH action frame that omits the Mesh Channel Switch Parameters IE but includes valid Mesh ID and Mesh Configuration IEs to cause a kernel NULL pointer dereference.
Exploitation requires an established mesh peer link (PLINK_ESTAB) and no additional authentication beyond open mesh peering.
27) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-23290)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the pegasus USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to physical access requirement.
28) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-23291)
CWE-ID: CWE-706 - Use of Incorrectly-Resolved Name or Reference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper reference counting in the NFC pn533 USB driver when handling device disconnection. A local user can disconnect a USB NFC device to cause a dangling reference, leading to a denial of service.
The issue arises because the USB interface reference obtained during driver probe is not properly released upon disconnection.
29) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2026-23298)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an infinite loop in the ucan driver when processing zero-length messages from a ucan device. A local user can connect a specially crafted ucan device to trigger an infinite loop in ucan_read_bulk_callback(), causing the system to hang.
30) NULL Pointer Dereference (CVE-ID: CVE-2026-23300)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the IPv6 routing subsystem when handling a standalone IPv6 nexthop object referencing the loopback device. A local user can create a specially crafted IPv6 nexthop and reference it from an IPv4 route to trigger a NULL pointer dereference in __mkroute_output(), leading to a system crash.
Successful exploitation may result in a kernel panic and denial of service.
31) NULL Pointer Dereference (CVE-ID: CVE-2026-23304)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the ipv6 routing subsystem when processing IPv6 packets. A remote attacker can send a specially crafted IPv6 packet to trigger a null pointer dereference in ip6_rt_get_dev_rcu(), leading to a system crash.
Exploitation does not require authentication or user interaction and occurs within the network stack during packet processing.
32) Use After Free (CVE-ID: CVE-2026-23306)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code and escalate privileges.
The vulnerability exists due to a use-after-free in the pm8001_queue_command() function in the SCSI subsystem when handling SCSI commands during a phy down or device gone state. A local user can trigger a double free by issuing a command that leads to the erroneous return of -ENODEV after the task has already been freed, resulting in memory corruption that could lead to arbitrary code execution or privilege escalation.
The vulnerability specifically affects the pm8001 SAS controller driver and requires the ability to issue SCSI commands, which is typically available to local users with access to storage devices.
33) Out-of-bounds read (CVE-ID: CVE-2026-23307)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ems_usb_read_bulk_callback() function in the CAN USB driver when handling USB bulk callback data. A local user can provide specially crafted USB input to cause memory access beyond the buffer bounds, leading to a system crash.
The attacker must have local system access and the ability to interact with the CAN USB driver via USB interface.
34) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23308)
CWE-ID: CWE-692 - Incomplete Blacklist to Cross-Site Scripting
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of interrupt masking in the pinctrl driver when loading the equilibrium GPIO controller. A local user can trigger the loading of the driver, resulting in repeated kernel warning messages being logged, which may degrade system stability and generate unnecessary log entries.
The issue arises because the function 'eqbr_irq_mask_ack()' indirectly calls 'gpiochip_disable_irq()' through 'eqbr_irq_mask()', leading to spurious warnings during initialization. This behavior does not occur in similar drivers, indicating inconsistent interrupt handling.
35) Uncontrolled Recursion (CVE-ID: CVE-2026-23312)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kaweth USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with invalid or unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered remote as it targets kernel-level USB subsystem handling.
36) Resource exhaustion (CVE-ID: CVE-2026-23313)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the i40e NAPI poll tracepoint when handling network packets. A local user can trigger the tracepoint to cause a preempt count leak, leading to a denial of service.
The issue arises from using get_cpu() without a corresponding put_cpu() in the tracepoint, which results in an increment of the preempt count that is never decremented.
37) Out-of-bounds write (CVE-ID: CVE-2026-23315)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the mt76_connac2_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with an undersized payload to trigger an out-of-bounds write access.
Exploitation does not require authentication or user interaction.
38) Out-of-bounds read (CVE-ID: CVE-2026-23318)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in the ALSA usb-audio driver when handling USB audio descriptors from a UAC3 device. An attacker with physical access can connect a malicious USB device presenting a truncated UAC3 header to cause out-of-bounds reads, leading to a denial of service.
Exploitation requires physical access to attach a malicious USB device.
39) Incomplete Blacklist to Cross-Site Scripting (CVE-ID: CVE-2026-23321)
CWE-ID: CWE-692 - Incomplete Blacklist to Cross-Site Scripting
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in the MPTCP subsystem when handling endpoint removal. A local user can send a specially crafted sequence of netlink commands to trigger a kernel warning and system instability.
The attacker must be able to create and remove MPTCP endpoints with specific flags and manipulate connection states, which requires access to the MPTCP netlink interface.
40) Improper Resource Shutdown or Release (CVE-ID: CVE-2026-23324)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the USB CAN driver (etas_es58x) when handling URB (USB Request Block) anchoring in the read bulk callback. A local user can trigger improper submission of an unanchored URB to cause a denial of service.
Exploitation requires access to the CAN device interface and the ability to trigger USB read operations.
41) Out-of-bounds write (CVE-ID: CVE-2026-23325)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the mt7996_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with a short length to trigger an out-of-bounds write access and crash the system.
Exploitation does not require authentication or user interaction.
42) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-23335)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization of stack memory in the RDMA/irdma subsystem when handling user-space requests. A local user can trigger the creation of an address handle via the irdma_create_user_ah() function to disclose up to 4 bytes of kernel stack memory.
The uninitialized reserved field in the irdma_create_ah_resp structure is copied to user space without being zeroed, leading to a kernel stack information leak.
43) Use After Free (CVE-ID: CVE-2026-23336)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to a use-after-free error in the cfg80211 component when unregistering a wiphy device. A local user can trigger the cancellation of rfkill_block work during wiphy unregistration to execute arbitrary code or cause a denial of service.
The issue arises because the rfkill_block work is not properly cancelled when the wiphy is being unregistered, leading to a use-after-free condition upon subsequent access.
44) Missing release of memory after effective lifetime (CVE-ID: CVE-2026-23339)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the nfc: nci component when handling early error paths in nci_transceive(). A local user can trigger error conditions to cause memory leaks.
Memory leaks occur due to failure to free socket buffer (skb) on early error returns, leading to gradual resource exhaustion.
45) Use After Free (CVE-ID: CVE-2026-23340)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to a use-after-free in the network scheduler (qdisc) component when resetting transmit queues for lockless qdiscs during changes in the number of real transmit queues. A local user can trigger a race condition between qdisc_reset() and the packet dequeue path, leading to use-after-free and potential execution of arbitrary code or system crash.
Exploitation requires the ability to modify network interface queue configurations, which typically requires local user privileges. The issue affects systems using lockless qdiscs such as pfifo_fast, especially under high network load and frequent queue resizing operations.
46) Integer overflow (CVE-ID: CVE-2026-23343)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service due to memory corruption.
The vulnerability exists due to improper input validation in the XDP (eXpress Data Path) subsystem when handling packet tailroom calculations. A local user can trigger a negative tailroom value that is interpreted as a large unsigned integer, leading to out-of-bounds memory access during XDP frame processing.
The issue arises when Ethernet drivers report fragment sizes smaller than the actual truesize, causing incorrect tailroom computation in functions such as bpf_xdp_frags_increase_tail().
47) Out-of-bounds read (CVE-ID: CVE-2026-23346)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ioremap_prot() function when handling memory protection settings from user mappings. A local user can trigger access to a specially crafted user memory region to cause a kernel memory access violation, leading to a system crash.
The issue specifically affects arm64 systems where user page protection flags are incorrectly processed during physical memory access, resulting in an unreadable memory access from kernel space.
48) Use After Free (CVE-ID: CVE-2026-23351)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nft_set_pipapo component when handling a large number of expired elements during commit-time garbage collection. A local user can trigger prolonged non-preemptible execution to cause a denial of service.
Exploitation requires triggering garbage collection under a large number of expired elements, leading to soft lockup warnings and RCU stall reports.
CWE-ID: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper bounds checking in the x86/fred component when handling speculative execution of interrupts. A local user can trigger a use of an out-of-bounds array index during interrupt handling to execute arbitrary code.
The issue arises because the array index is spilled to the stack before use, making it vulnerable to speculative execution attacks.
50) On-Chip Debug and Test Interface With Improper Access Control (CVE-ID: CVE-2026-23357)
CWE-ID: CWE-1191 - On-Chip Debug and Test Interface With Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper sequence of operations in the mcp251x CAN driver when handling error paths during device open. A local user can trigger the mcp251x_open function error path, which calls free_irq() while holding the mpc_lock mutex, leading to a deadlock if an interrupt is pending, resulting in a denial of service.
Exploitation requires access to the CAN device interface and the ability to trigger the error path in mcp251x_open.
51) Memory corruption (CVE-ID: CVE-2026-23362)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the CAN BCM (Broadcast Manager) subsystem when handling runtime updates of bcm_op structures. A local user can send a specially crafted request to trigger a use of an uninitialized spinlock, leading to a system crash.
The issue specifically occurs in the bcm_rx_setup() function, where the bcm_tx_lock is not initialized when the RX_RTR_FRAME flag is set, which can lead to undefined behavior during lock operations.
52) Out-of-bounds write (CVE-ID: CVE-2026-23363)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the mt7925_mac_write_txwi_80211 function when handling Wi-Fi management frames. A remote attacker can send a specially crafted 802.11 frame with a short length to trigger an out-of-bounds access and crash the system.
Exploitation does not require authentication or user interaction.
53) Uncontrolled Recursion (CVE-ID: CVE-2026-23365)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the kalmia USB driver when handling USB endpoints during device probing. A remote attacker can connect a malicious USB device with unexpected endpoint configurations to cause a denial of service.
Exploitation does not require authentication or user interaction beyond physically connecting the device; however, the attack vector is considered local due to physical access requirement.
54) Use of Uninitialized Variable (CVE-ID: CVE-2026-23367)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper initialization in the radiotap parser component when processing radiotap headers with undefined fields. A local user can provide a specially crafted radiotap header containing undefined field 18 to trigger uninitialized memory access and potentially execute arbitrary code.
The issue arises because iterator->_next_ns_data is not initialized when handling undefined fields in the standard radiotap namespace, leading to use of uninitialized data during subsequent checks.
55) Incorrect Register Defaults or Module Parameters (CVE-ID: CVE-2026-23368)
CWE-ID: CWE-1221 - Incorrect Register Defaults or Module Parameters
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.
The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.
56) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2026-23370)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper output neutralization in the dell-wmi-sysman driver when handling password data. A local user can access kernel logs to disclose sensitive information.
The vulnerability specifically involves the logging of plaintext passwords via a hex dump in the set_new_password() function, which could expose current and new passwords.
57) Use After Free (CVE-ID: CVE-2026-23372)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to use-after-free in the NFC raw socket (rawsock) component when handling socket teardown. A local user can trigger a race condition by terminating a process during active NFC transmission, leading to use-after-free or leaked references.
Exploitation requires an active NFC transmission and process interruption via signal such as SIGKILL.
58) Improper Synchronization (CVE-ID: CVE-2026-23373)
CWE-ID: CWE-662 - Improper Synchronization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper return value handling in the rsi_mac80211_config function within the RSI Wi-Fi driver when configuring 802.11 hardware. A local user can trigger a misconfigured hardware initialization to cause a denial of service.
The issue arises because the driver defaults to returning -EOPNOTSUPP instead of 0 during configuration, which triggers a WARN_ON in ieee80211_hw_conf_init, leading to disruptive behavior.
59) Improper Synchronization (CVE-ID: CVE-2026-23374)
CWE-ID: CWE-662 - Improper Synchronization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.
The vulnerability exists due to improper synchronization in the blktrace component when handling block I/O tracing operations. A local user can trigger a use of __this_cpu_read/write in a preemptible context to cause a kernel BUG and system crash.
The issue arises in process context where preemption is enabled, violating the requirement for preemption to be disabled when accessing per-CPU variables via __this_cpu_read/write. This can lead to undefined behavior including memory corruption.
60) Out-of-bounds write (CVE-ID: CVE-2026-23378)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to improper memory access in the net/sched: act_ife component when updating metadata lists during packet processing. A local user can send a specially crafted request to trigger out-of-bounds memory write via the ife_tlv_meta_encode function.
Exploitation requires the ability to configure or trigger traffic control (tc) actions within the kernel, which is typically available to local users with sufficient privileges to manipulate network scheduling policies.
61) NULL Pointer Dereference (CVE-ID: CVE-2026-23382)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper pointer validation in HID subsystem raw_event callbacks when processing input from unclaimed HID devices. A remote attacker can send specially crafted HID reports to trigger a NULL pointer dereference and crash the system.
Exploitation does not require user interaction or prior authentication.
62) Unchecked Error Condition (CVE-ID: CVE-2026-23383)
CWE-ID: CWE-391 - Unchecked Error Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper memory alignment in the BPF JIT compiler when handling 64-bit atomic operations on arm64. A local user can trigger execution of a specially crafted BPF program to cause a torn read of a 64-bit jump target, leading to control flow hijacking and arbitrary code execution.
Exploitation requires the ability to load and execute BPF programs, which is typically available to unprivileged users in modern Linux distributions with CONFIG_BPF_JIT enabled.
63) Resource exhaustion (CVE-ID: CVE-2026-23391)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the netfilter xt_CT module when handling packet queueing. A local user can trigger the queuing of packets that reference templates, which, upon removal of the template, are not properly flushed, leading to resource exhaustion and system instability.
Templates such as connection tracking helpers or timeout policies may be removed during module unloading or via nfnetlink_cttimeout, leaving packets enqueued without valid references.
64) Use After Free (CVE-ID: CVE-2026-23392)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or escalate privileges.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling flowtable hooks during error conditions. A local user can trigger a use-after-free condition by exploiting the improper release of a flowtable after an RCU grace period, leading to arbitrary code execution or privilege escalation.
Exploitation requires the ability to interact with the nfnetlink subsystem, typically available to local users with access to netfilter configuration interfaces.
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the bridge CFM component when handling peer MEP deletion. A local user can trigger the deletion of a peer MEP, leading to a use-after-free condition if a delayed work item is rescheduled after cancellation but before memory is freed, resulting in a system crash.
The race condition occurs because br_cfm_frame_rx() runs in softirq context under RCU read lock and can re-schedule the delayed work between the cancellation and the memory release.
66) Out-of-bounds write (CVE-ID: CVE-2026-23395)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the Bluetooth L2CAP component when handling L2CAP_ECRED_CONN_REQ packets. A remote attacker can send a specially crafted sequence of L2CAP connection requests with the same command identifier to cause an overflow in channel allocation, leading to a denial of service.
Exploitation requires proximity to initiate a Bluetooth connection. The issue arises from failure to check for duplicate command identifiers during Enhanced Credit Control connection setup.
67) NULL pointer dereference (CVE-ID: CVE-2026-23396)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper pointer dereference in the mesh_matches_local() function in the Linux kernel's mac80211 subsystem when handling Wi-Fi mesh action frames. An attacker with physical access can send a specially crafted CSA action frame that includes a valid Mesh ID IE but omits the Mesh Configuration IE to cause a kernel NULL pointer dereference, resulting in a system crash.
The vulnerability specifically affects Wi-Fi mesh mode processing and requires the attacker to be within radio range to transmit the malicious frame. No authentication or user interaction is required for exploitation.
68) Out-of-bounds read (CVE-ID: CVE-2026-23397)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the nfnetlink_osf component when handling TCP option fingerprints. A remote attacker can send a specially crafted request to cause a denial of service.
Exploitation involves sending malicious TCP packets with zero-length options or MSS options with length less than 4, leading to null pointer dereference and out-of-bounds reads during packet matching.
69) Memory leak (CVE-ID: CVE-2026-23399)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the nf_tables subsystem when handling stateful expressions in dynamic sets. A local user can trigger a memory leak by causing a failure during the cloning of stateful expressions, leading to unbounded memory consumption over time.
The issue occurs in the nft_dynset component when GFP_ATOMIC allocation fails, leaving the first stateful expression unreleased.
70) Memory leak (CVE-ID: CVE-2026-23403)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory management in the AppArmor subsystem when processing multiple profiles during profile unpacking. A local user can provide specially crafted profile data to cause a memory leak, leading to resource exhaustion.
Exploitation requires the ability to load AppArmor profiles, which is restricted to users with appropriate privileges.
71) Uncontrolled Recursion (CVE-ID: CVE-2026-23404)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor profile removal functionality when handling deeply nested profiles. A local attacker can send a specially crafted request to cause a denial of service.
Exploitation requires the ability to load AppArmor profiles and trigger their removal, which is typically available to unprivileged users on systems where AppArmor is enabled.
72) Resource exhaustion (CVE-ID: CVE-2026-23405)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in the AppArmor policy namespace subsystem when creating nested policy namespaces. A local user can create deeply nested policy namespaces to cause a denial of service.
Exploitation requires the ability to create AppArmor policy namespaces, which is available to unprivileged users in a user namespace.
73) Out-of-bounds write (CVE-ID: CVE-2026-23406)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or potentially execute arbitrary code.
The vulnerability exists due to improper pointer arithmetic in the AppArmor match_char() macro within the Linux kernel's DFA matching logic when processing path permissions during file open operations. A local user can provide a specially crafted file access request that triggers differential encoding chain traversal with a post-incremented string pointer, causing the pointer to advance multiple times per iteration and resulting in out-of-bounds memory reads. This can lead to kernel memory corruption and system instability.
The vulnerability is exploitable during AppArmor policy enforcement when opening files, and may allow privilege escalation or system crash.
74) Out-of-bounds write (CVE-ID: CVE-2026-23407)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code or cause a denial of service.
The vulnerability exists due to improper bounds checking in the AppArmor verify_dfa() function when parsing a malformed DFA policy. A local user can provide a specially crafted AppArmor policy with differential encoding that triggers out-of-bounds memory access to execute arbitrary code or crash the kernel.
Successful exploitation requires the ability to load a malicious AppArmor profile, which requires user privileges but no special administrative rights beyond those needed to manage AppArmor policies.
75) Double free (CVE-ID: CVE-2026-23408)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in the AppArmor profile replacement component when processing user-supplied profile data. A local user can send a specially crafted request to cause a denial of service.
76) Resource exhaustion (CVE-ID: CVE-2026-23409)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in AppArmor's differential encoding verification when processing encoded profile data. A local user can provide a specially crafted differential-encoded profile that creates loops in the chain to cause a denial of service.
Successful exploitation requires the ability to load AppArmor profiles, which is restricted to privileged users. However, since no additional authentication beyond standard system privileges is required, the attacker capability is considered as a local user with low privileges in the context of the vulnerability.
77) Use-after-free (CVE-ID: CVE-2026-23410)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in AppArmor rawdata inode handling when opening rawdata files while simultaneously removing the corresponding profile. A local attacker can trigger a race condition to access freed memory and cause a denial of service.
78) Race condition (CVE-ID: CVE-2026-23411)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the AppArmor i_private data management when accessing filesystem callback functions after reference removal. A local attacker can trigger a use-after-free condition by exploiting the race between freeing data and filesystem access to trigger a denial of service.
The issue arises when the inode persists beyond AppArmor data cleanup and filesystem callbacks are invoked after the reference has been released. This race condition primarily affects data stored in i_private, including rawdata/loaddata interfaces.
79) Use-after-free (CVE-ID: CVE-2026-23412)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in nfnl_hook_dump_one when dumping hooks via nfnetlink_hooks during concurrent access. A local attacker can trigger concurrent hook dump activity to cause a denial of service.
The issue is triggered by a race condition involving concurrent readers and may lead to a kernel crash.
80) Memory leak (CVE-ID: CVE-2026-23418)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in drm/xe/reg_sr when handling an xa_store() failure on the error path. A local user can trigger the error condition to cause a denial of service.
The issue occurs on an error path involving a newly allocated entry that is not freed when storage fails.
81) Deadlock (CVE-ID: CVE-2026-23419)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a circular locking dependency in rds_tcp_tune when upgrading network reference counting while holding the socket lock. A local user can trigger the vulnerable code path to cause a denial of service.
The issue is caused by memory allocation occurring under the socket lock, creating a lock dependency with fs_reclaim in the Linux kernel RDS TCP code path.
82) Improper locking (CVE-ID: CVE-2026-23420)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in wlcore when handling wireless operations. A local user can trigger the affected code path to cause a denial of service.
The issue is caused by unlocking wl->mutex without ensuring that it is locked first.
83) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-23426)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a device node reference leak in logicvc_drm_config_parse() when parsing the "layers" node from the device tree. A local user can trigger the vulnerable code path to cause a denial of service.
The issue results from a missing release of the reference returned by of_get_child_by_name(). No user interaction is required.
84) Race condition (CVE-ID: CVE-2026-23434)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in nand_lock() and nand_unlock() when serializing lock and unlock operations against other NAND operations. A local user can trigger concurrent NAND operations to cause a denial of service.
The issue occurs because chip->ops.lock_area and unlock_area are called without holding the NAND device lock, which can result in cmd_pending conflicts on the NAND controller during concurrent UBI/UBIFS background erase or write operations.
85) Race condition (CVE-ID: CVE-2026-23440)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the net/mlx5e IPSec ESN update handling path when processing ESN wrap events in IPSec full offload mode. A local user can trigger duplicate ESN update handling to cause a denial of service.
Processing the same event twice can incorrectly increment the ESN high-order bits and program invalid ESN state into hardware, resulting in anti-replay failures and a complete halt of IPSec traffic.
86) Race condition (CVE-ID: CVE-2026-23441)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause unexpected behavior and incorrect results.
The vulnerability exists due to a race condition in the IPSec ASO context handling in the mlx5e driver when processing concurrent IPSec offload ASO operations. A local user can trigger concurrent query or update operations to cause unexpected behavior and incorrect results.
The issue arises because a shared DMA-mapped context is used for ASO operations and can be overwritten before earlier hardware processing completes.
87) NULL pointer dereference (CVE-ID: CVE-2026-23442)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in seg6_hmac_validate_skb() and ipv6_srh_rcv() when processing SRv6 paths on a device without IPv6 configuration. A remote attacker can send specially crafted IPv6 traffic to cause a denial of service.
The issue occurs when __in6_dev_get() returns NULL, such as on a device with no IPv6 configuration, including after device unregister or when the MTU is below the IPv6 minimum MTU.
88) Use-after-free (CVE-ID: CVE-2026-23443)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in acpi_processor_errata_piix4() when handling device objects. A local attacker can trigger the vulnerable code path to cause a denial of service.
The issue occurs because device pointers may be dereferenced after references to the corresponding device objects have been dropped.
89) Use-after-free (CVE-ID: CVE-2026-23445)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the igc driver XDP TX timestamp handling when shutting down an XDP application with TX timestamping while the interface link remains up. A local user can trigger TX ring shutdown and concurrent IRQ handling to cause a denial of service.
The issue occurs because stale xsk_meta pointers remain after TX ring shutdown and are later accessed by the interrupt handler, leading to a kernel page fault. TX timestamps on other queues remain unaffected.
90) Improper locking (CVE-ID: CVE-2026-23446)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to improper control of interaction with the power management subsystem in aqc111_suspend when handling a suspend callback. A local attacker can trigger a suspend operation to cause a denial of service.
The issue can lead to a hung task in rpm_resume and block another task holding rtnl_lock, which can lock up the networking stack.
91) Out-of-bounds read (CVE-ID: CVE-2026-23447)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp32() when processing a crafted NDP32 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.
The issue occurs because the DPE array size is validated against the total skb length without accounting for ndpoffset, allowing reads beyond the intended bounds when the NDP32 is placed near the end of the NTB.
92) Out-of-bounds read (CVE-ID: CVE-2026-23448)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in cdc_ncm_rx_verify_ndp16() and cdc_ncm_rx_fixup() when parsing a crafted NDP16 structure in a received NTB. A remote attacker can send a specially crafted network packet to disclose sensitive information.
The issue occurs because the DPE array size check does not account for ndpoffset, allowing DPE entries near the end of the buffer to extend past the skb data buffer and be read out of bounds.
93) Double free (CVE-ID: CVE-2026-23449)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in teql_master_xmit in the TEQL qdisc handling code when resetting a TEQL device with a lockless qdisc as root while racing with the datapath. A local user can trigger concurrent qdisc operations to cause a denial of service.
The issue can lead to kernel crashes. Exploitation requires local access to interact with the affected traffic control functionality.
94) NULL pointer dereference (CVE-ID: CVE-2026-23450)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers access to a NULL sk_user_data pointer to cause a denial of service.
The issue arises when sk_user_data is set to NULL during the close path while the TCP receive path reads it and dereferences the associated state, leading to a kernel panic.
95) Use-after-free (CVE-ID: CVE-2026-23450)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a race condition leading to a NULL pointer dereference and use-after-free in smc_tcp_syn_recv_sock() when processing TCP connection requests concurrently with closing an SMC listen socket. A remote attacker can send network traffic that triggers the TCP handshake path to cause a denial of service.
The issue occurs because sk_user_data may become NULL or reference a freed smc_sock while the TCP receive path accesses it, resulting in a kernel panic.
96) Use-after-free (CVE-ID: CVE-2026-23452)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in pm_runtime_work() when handling device removal during runtime power management. A local user can trigger a race condition involving device removal to cause a denial of service.
The issue is caused by dereferencing the dev->parent pointer after the parent device has been freed. It is reproducible sporadically with blktest block/001 and results in a KASAN-reported slab-use-after-free.
97) Use-after-free (CVE-ID: CVE-2026-23454)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in mana_hwc_destroy_channel() when tearing down hardware channels while interrupt handlers are still executing. A local attacker can trigger concurrent channel teardown and interrupt handling to cause a denial of service.
The issue is caused by a race condition where caller_ctx may be freed before the completion queue and event queue are destroyed, which can lead to a use-after-free or NULL pointer dereference in mana_hwc_handle_resp().
98) Out-of-bounds read (CVE-ID: CVE-2026-23455)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in DecodeQ931() in the nf_conntrack_h323 netfilter component when parsing a crafted Q.931 packet with a zero UserUserIE length field. A remote attacker can send a specially crafted packet to disclose sensitive information.
The issue occurs because a 16-bit length value is decremented by 1 to skip the protocol discriminator byte, and an encoded length of 0 wraps to -1 and is then passed to DecodeH323_UserInformation() as a large value.
99) Out-of-bounds read (CVE-ID: CVE-2026-23456)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in decode_int() in nf_conntrack_h323 when parsing malformed H.323/RAS packets. A remote attacker can send a specially crafted packet to disclose sensitive information.
The issue can result in a 1-4 byte slab out-of-bounds read.
100) Integer overflow (CVE-ID: CVE-2026-23457)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to integer truncation in nf_conntrack_sip when parsing the SIP Content-Length header in sip_help_tcp() over TCP. A remote attacker can send a specially crafted SIP message with an oversized Content-Length value to cause a denial of service.
On 64-bit systems, a Content-Length value exceeding UINT_MAX can be truncated before the SIP message boundary is computed, causing trailing TCP segment data to be treated as a second SIP message and processed through the SDP parser.
101) Use-after-free (CVE-ID: CVE-2026-23458)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in ctnetlink_dump_exp_ct() and ctnetlink_exp_ct_dump_table() when handling multi-round netlink dump requests. A local user can trigger a netlink dump that spans multiple recvmsg() calls to cause a denial of service.
The issue occurs because a conntrack pointer stored in callback data is dereferenced after its reference is dropped, and the second dump round can access the freed object via nfct_help(ct). The proof of concept shows a slab-use-after-free read detected by KASAN.
102) NULL pointer dereference (CVE-ID: CVE-2026-23460)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in rose_transmit_link in the ROSE socket implementation when closing a socket after a second connect() call is issued while the first connection attempt is still in progress. A local user can trigger repeated connect() calls and then close the socket to cause a denial of service.
The issue occurs when the socket is in TCP_SYN_SENT state and the reconnect path leaves rose->state as ROSE_STATE_1 with rose->neighbour set to NULL before the close path reaches rose_transmit_link().
103) Use-after-free (CVE-ID: CVE-2026-23461)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in l2cap_unregister_user when accessing conn->users and conn->hchan concurrently with l2cap_conn_del(). A local attacker can trigger a race condition to cause a denial of service.
The issue is caused by inconsistent locking on the l2cap_conn structure and may also result in list corruption.
104) Use-after-free (CVE-ID: CVE-2026-23462)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the HIDP subsystem when handling a user->remove callback without dropping the l2cap_conn reference. A local user can trigger the affected code path to cause a denial of service.
The issue is in the Linux kernel Bluetooth HIDP code path and is evidenced by a kernel crash trace during connection cleanup.
105) Race condition (CVE-ID: CVE-2026-23463)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in qman_destroy_fq when freeing and reallocating dynamic fqids. A local user can trigger concurrent qman_destroy_fq() and qman_create_fq() operations to cause a denial of service.
The issue occurs when QMAN_FQ_FLAG_DYNAMIC_FQID is set and may trigger a WARN_ON() due to inconsistent fq_table state during fqid reuse.
106) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-23465)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause data loss.
The vulnerability exists due to improper handling of directory entry logging in btrfs directory logging when logging the parent directory of a conflicting inode during fsync and log replay conditions. A local user can create and remove directories and files and trigger fsync operations to cause data loss.
After a power failure and log replay, newly created directory entries may be missing because the parent directory can be marked as logged without its new dentries being recorded.
107) Improper access control (CVE-ID: CVE-2026-23466)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in GGTT MMIO access protection when tearing down the xe driver after a failed driver load or asynchronous buffer object cleanup. A local user can trigger access to the GGTT MMIO region after teardown begins to cause a denial of service.
The issue occurs because existing protection based on drm_dev_enter is insufficient if driver load fails, and buffer objects with GGTT mappings may be freed asynchronously by worker threads.
108) Improper input validation (CVE-ID: CVE-2026-23468)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the amdgpu BO list handling when processing the bo_number field from userspace. A local user can supply an excessive number of BO list entries to cause a denial of service.
The issue can lead to excessive memory allocation and unnecessarily long list processing times.
109) Deadlock (CVE-ID: CVE-2026-23470)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking in the soft reset sequence in the drm/imagination driver when handling interrupts. A local user can trigger a soft reset to cause a denial of service.
The issue results in a deadlock because the soft reset sequence is executed from the threaded IRQ handler.
110) Improper Initialization (CVE-ID: CVE-2026-23472)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper initialization handling in handle_tx() when processing PORT_UNKNOWN serial ports. A local user can use a PORT_UNKNOWN serial port to trigger an infinite loop and cause a denial of service.
This issue occurs because write-room reporting can indicate available space while write operations return zero when the transmit buffer is NULL, which can lead to a system hang.
111) Race condition (CVE-ID: CVE-2026-23473)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a wakeup race in io_uring multishot recv polling when processing socket wakeups and shutdown state changes. A local user can trigger back-to-back socket send and shutdown events to cause a denial of service.
The issue can cause the multishot recv operation to hang indefinitely because the shutdown event may be lost and no further wakeups occur.
112) Out-of-bounds read (CVE-ID: CVE-2026-23474)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the RedBoot partition table parser when parsing a RedBoot partition table. A local attacker can trigger the parser with crafted partition table data to cause a denial of service.
The issue can lead to a kernel warning and boot crash on systems built with CONFIG_FORTIFY_SOURCE enabled and a recent compiler.
113) NULL pointer dereference (CVE-ID: CVE-2026-23475)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL-pointer dereference in the spi controller sysfs attributes when handling sysfs attribute access before controller statistics allocation. A remote attacker can access the affected sysfs attributes during this window to cause a denial of service.
The issue occurs because controller per-cpu statistics are not allocated until after the controller has been registered, creating a race window that can crash the kernel.
114) Use-after-free (CVE-ID: CVE-2026-31389)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to use-after-free in the spi controller registration logic when handling controller registration failure. A local attacker can trigger controller registration failure to cause a denial of service.
The issue occurs if per-cpu statistics allocation fails during controller registration, which can lead to use-after-free of driver resources and unclocked register accesses.
115) Improper access control (CVE-ID: CVE-2026-31392)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to a share using incorrect credentials.
The vulnerability exists due to improper access control in the smb client session matching logic when processing cifs mounts with sec=krb5 and a username mount option. A local user can mount another share with a different username option to gain access to a share using incorrect credentials.
The issue occurs when Kerberos mounts reuse an SMB session from a previous mount even though a different username was specified, which can cause a mount that should fail with -ENOKEY to proceed with the first user's session.
116) Out-of-bounds read (CVE-ID: CVE-2026-31393)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose adjacent memory contents.
The vulnerability exists due to an out-of-bounds read in l2cap_information_rsp() when processing a truncated L2CAP_INFO_RSP packet with a successful result. A remote attacker can send a specially crafted Bluetooth L2CAP response to disclose adjacent memory contents.
The issue occurs because the code reads response payload data beyond the validated fixed header length for L2CAP_IT_FEAT_MASK and L2CAP_IT_FIXED_CHAN cases.
117) NULL pointer dereference (CVE-ID: CVE-2026-31394)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in ieee80211_chan_bw_change for AP_VLAN stations when processing channel bandwidth changes during CSA. A local attacker can trigger the vulnerable code path to cause a denial of service.
The issue affects stations on AP_VLAN interfaces such as 4addr WDS clients, where link reservation data can remain zero-initialized with a NULL channel pointer.
118) Out-of-bounds write (CVE-ID: CVE-2026-31395)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service or corrupt kernel memory.
The vulnerability exists due to an out-of-bounds write in bnxt_async_event_process() when processing the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER async event. A local attacker can use a malicious or compromised NIC that supplies a crafted type value to trigger an out-of-bounds access and corrupt kernel memory or cause a crash.
The issue occurs because a firmware-supplied 16-bit type field from DMA-mapped completion ring memory is used directly as an index into bp->bs_trace[] without bounds validation.
119) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-31400)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in cache_release when closing a reader file descriptor during a partial read of a cache_request. A local user can close a file descriptor in that state to cause a denial of service.
The issue occurs because the request readers count is decremented without freeing the cache_request when the count reaches zero and CACHE_PENDING is clear, which can result in a memory leak.
120) Heap-based buffer overflow (CVE-ID: CVE-2026-31402)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to corrupt heap memory.
The vulnerability exists due to a heap-based buffer overflow in the NFSv4.0 LOCK replay cache when encoding denied LOCK operation responses. A remote attacker can trigger conflicting lock requests with a large lock owner value to corrupt heap memory.
The issue is caused by copying an encoded LOCK denied response into a fixed 112-byte inline replay buffer without sufficient bounds checking, resulting in a slab out-of-bounds write of up to 944 bytes. Exploitation requires two cooperating NFSv4.0 clients and can be performed remotely without authentication.
121) Use-after-free (CVE-ID: CVE-2026-31403)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the /proc/fs/nfs/exports proc entry handling when reading from a still-open file descriptor after the associated network namespace is torn down. A local user can keep the file descriptor open across namespace teardown and perform subsequent reads to cause a denial of service.
The issue occurs because the open file captures the current network namespace and stores its export cache without holding a reference to the namespace for the lifetime of the file descriptor.
122) Use-after-free (CVE-ID: CVE-2026-31404)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in NFSD export cache object cleanup when accessing export information through RCU readers concurrently with cache entry removal. A local attacker can trigger concurrent export cache cleanup and access to freed sub-objects to cause a denial of service.
The issue can result in a NULL pointer dereference in d_path when ex_path or ex_client->name related sub-objects are freed before the RCU grace period completes.
123) Out-of-bounds read (CVE-ID: CVE-2026-31405)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to an out-of-bounds read in handle_one_ule_extension() extension handler tables when processing network-controlled ULE extension header data. A remote attacker can send a specially crafted SNDU with an extension header type value of 255 to execute arbitrary code.
The out-of-bounds value may be dereferenced and called as a function pointer.
124) Improper input validation (CVE-ID: CVE-2026-31407)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the sctp netlink attribute handling when processing crafted netlink attributes. A remote attacker can supply an invalid CTA_PROTOINFO_SCTP_STATE value to cause a denial of service.
125) Out-of-bounds read (CVE-ID: CVE-2026-31407)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the sctp and ctnetlink netlink attribute handling when processing crafted netlink attributes. A remote attacker can send specially crafted netlink messages to disclose sensitive information.
The issue is caused by missing validation of user-supplied netlink attribute values before they are used by the kernel.
126) Use-after-free (CVE-ID: CVE-2026-31408)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in sco_recv_frame() when processing Bluetooth SCO frames during concurrent socket closure. A local user can trigger a race condition to cause a denial of service.
The issue occurs because the socket reference is not held after releasing sco_conn_lock() before accessing sk->sk_state.
127) Improper input validation (CVE-ID: CVE-2026-31411)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in sigd_send() when handling sendmsg() input containing a forged vcc pointer. A local user can send a specially crafted message to cause a denial of service.
Exploitation requires control of the ATM signaling daemon role via the ATMSIGD_CTRL ioctl.
128) Integer overflow (CVE-ID: CVE-2026-31412)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause memory corruption or out-of-bounds access.
The vulnerability exists due to integer overflow in check_command_size_in_blocks() when processing crafted SCSI READ or WRITE commands from a USB host. A remote attacker can send a specially crafted command requesting a large amount of data to cause memory corruption or out-of-bounds access.
The issue occurs because a left shift of the command-derived data size by the logical block size can wrap around and truncate the resulting byte count.
129) Integer overflow (CVE-ID: CVE-2026-31415)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in ip6_datagram_send_ctl() when processing repeated IPV6_DSTOPTS control messages. A local user can send specially crafted ancillary data to cause a denial of service.
Exploitation can trigger a kernel panic through skb_under_panic(), and unprivileged exploitation is possible in environments where unprivileged user namespaces are enabled and the attacker can obtain namespaced CAP_NET_RAW.
130) Incorrect calculation (CVE-ID: CVE-2026-31416)
CWE-ID: CWE-682 - Incorrect Calculation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper calculation of netlink header size in nfnetlink_log when processing netlink messages. A local user can send a specially crafted netlink message to cause a denial of service.
The issue results in a kernel warning and the affected netlink message being dropped, with no other explicitly stated effects.
131) Integer overflow (CVE-ID: CVE-2026-31417)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an integer overflow in the x25 packet reassembly logic when accumulating fragmented packets. A local user can send specially crafted packets to cause a denial of service.
132) Improper input validation (CVE-ID: CVE-2026-31420)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in br_mrp_start_test(), br_mrp_start_in_test(), and br_mrp_start_in_test_parse() when processing user-supplied netlink attributes. A local user can supply a zero interval value to cause a denial of service.
A zero interval causes delayed work to be rescheduled with no delay, creating a tight loop that allocates and transmits MRP test frames until system memory is exhausted and the kernel panics via OOM deadlock.
133) NULL pointer dereference (CVE-ID: CVE-2026-31421)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in fw_classify() in the cls_fw packet classifier when classifying a packet after attaching an empty cls_fw filter to a shared block using the old method without TCA_OPTIONS. A local user can attach such a filter and trigger packet classification with a nonzero major skb mark to cause a denial of service.
The issue occurs because shared blocks leave block->q NULL in the old-method path.
134) NULL pointer dereference (CVE-ID: CVE-2026-31422)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in flow_change() in the cls_flow classifier when creating a flow filter without a fully qualified baseclass on a shared block. A local user can create such a flow filter to cause a denial of service.
135) Division by zero (CVE-ID: CVE-2026-31423)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a divide-by-zero error in rtsc_min() in the HFSC scheduler when processing crafted traffic control parameters. A local user can supply values that make the truncated divisor become zero to cause a denial of service.
The issue is triggered in the concave-curve intersection path.
136) Improper access control (CVE-ID: CVE-2026-31424)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in xt_check_match/xt_check_target extension validation in x_tables when processing ARP chains through nft_compat. A local user can load a match or target with incompatible hook assumptions to cause a denial of service.
The issue can result in a NULL pointer dereference and kernel panic when extensions registered with NFPROTO_UNSPEC are used on ARP hooks with different semantics.
137) NULL pointer dereference (CVE-ID: CVE-2026-31425)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in rds_ib_get_mr() when processing sendmsg() requests with the RDS_CMSG_RDMA_MAP control message on a connection before IB connection establishment. A local user can send a specially crafted sendmsg request to cause a denial of service.
The issue occurs on a fresh outgoing connection before the rdma_cm_id and queue pair have been created.
138) Use-after-free (CVE-ID: CVE-2026-31426)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in acpi_ec_space_handler() when handling AML evaluation that accesses an EC OpRegion field after probe deferral leaves a stale handler context. A local user can trigger a sysfs read that causes AML to touch an EC OpRegion to cause a denial of service.
The issue occurs on reduced-hardware EC platforms when the GPIO IRQ provider defers probing.
139) Use of Uninitialized Variable (CVE-ID: CVE-2026-31427)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause incorrect SDP address rewriting.
The vulnerability exists due to use of uninitialized memory in process_sdp in nf_conntrack_sip when processing SDP bodies. A remote attacker can send a specially crafted SDP message to cause incorrect SDP address rewriting.
When stack auto-initialization is enabled, the rewritten session-level addresses may become 0.0.0.0; otherwise, stale stack data may be used.
140) Use of Uninitialized Variable (CVE-ID: CVE-2026-31428)
CWE-ID: CWE-457 - Use of Uninitialized Variable
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to uninitialized padding in the NFULA_PAYLOAD netlink attribute in nfnetlink_log when constructing packet messages for the NFLOG netlink socket. A local user can read the leaked padding bytes to disclose sensitive information.
The issue leaks stale heap contents to userspace when the payload length is not 4-byte aligned.
141) Double free (CVE-ID: CVE-2026-31436)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double completion in llist_abort_desc() when aborting descriptor lists. A local user can trigger descriptor completion handling to cause a denial of service.
The issue can also result in descriptor leaks.
142) Out-of-bounds read (CVE-ID: CVE-2026-31449)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in ext4_ext_correct_indexes when processing a corrupted or crafted on-disk extent header. A local user can supply a crafted filesystem image to disclose sensitive information.
143) Out-of-bounds read (CVE-ID: CVE-2026-31470)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the tdx guest quote handling logic when copying a host-controlled quote buffer to guest userspace. A local user can trigger quote retrieval to disclose sensitive information.
The leak may cross container protection boundaries in deployments exposing per-container configs-tsm-report interfaces.
144) Use-after-free (CVE-ID: CVE-2026-31488)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in the amdgpu display manager stream handling logic when processing KMS commits involving DSC validation and unrelated mode changes. A local user can trigger a crafted display configuration change to cause a denial of service.
The issue can occur when MST/DSC configuration changes happen in the same commit as a separate mode change, leading to incorrect stream lifetime handling when the stream is later disabled.
145) Out-of-bounds write (CVE-ID: CVE-2026-31494)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in gem_get_ethtool_stats when handling ethtool statistics requests for devices with fewer active queues than the maximum supported queues. A local user can send a crafted ioctl request to cause a denial of service.
146) Improper access control (CVE-ID: CVE-2026-31496)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper access control in nf_conntrack_expect proc handling when reading proc entries. A local user can read expectation entries from other network namespaces to disclose sensitive information.
147) Use-after-free (CVE-ID: CVE-2026-31504)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in packet_release() and fanout group handling when processing a concurrent NETDEV_UP event during socket release. A local user can trigger a race condition to cause a denial of service.
The issue affects fanout sockets during a race that can leave a dangling pointer in the fanout array.
148) Out-of-bounds write (CVE-ID: CVE-2026-31505)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds write in iavf_get_ethtool_stats() when handling concurrent ethtool channel and statistics operations. A local user can issue crafted ethtool requests to cause a denial of service.
The issue can be triggered when "ethtool -L" and "ethtool -S" are executed simultaneously during queue reconfiguration.
149) Double free (CVE-ID: CVE-2026-31507)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in smc_rx_pipe_buf_release() and SMC splice pipe buffer handling when duplicating splice pipe buffers with tee(2) or splice_pipe_to_pipe(). A local user can duplicate an SMC splice buffer to cause a denial of service.
The issue can trigger a slab-use-after-free that leads to a NULL-pointer dereference and kernel panic.
150) Out-of-bounds read (CVE-ID: CVE-2026-31512)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in l2cap_ecred_data_rcv() when processing a crafted L2CAP Enhanced Credit Based Flow Control data packet with less than 2 bytes of data. A remote attacker can send a specially crafted Bluetooth packet to disclose sensitive information.
151) Heap-based buffer overflow (CVE-ID: CVE-2026-31515)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a buffer overflow in pfkey_send_migrate() when processing migration requests with invalid old or new address families. A local user can trigger the vulnerable code path to cause a denial of service.
152) Race condition (CVE-ID: CVE-2026-31519)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in btrfs subvolume lookup and orphan cleanup handling when looking up a subvolume after dentry cache eviction with concurrent delayed iputs and unlink activity. A local user can trigger concurrent filesystem operations to cause a denial of service.
The issue can result in a negative dentry being created for a valid subvolume, causing filesystem operations on that subvolume to fail and potentially abort the filesystem.
153) Integer overflow (CVE-ID: CVE-2026-31525)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to access out-of-bounds map values.
The vulnerability exists due to improper handling of signed integer minimum values in the BPF interpreter's signed 32-bit division and modulo handlers when processing crafted BPF operations that use INT_MIN. A local user can load a crafted BPF program to access out-of-bounds map values.
The issue is caused by a verifier and interpreter mismatch in range tracking for signed 32-bit division and modulo operations.
154) Out-of-bounds read (CVE-ID: CVE-2026-31528)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds memory access in x86_pmu_del() when rolling back a failed group_sched_in() operation for a group whose leader is a software event. A local user can trigger a failed group scheduling operation to cause a denial of service.
The issue occurs because inherited events may use the wrong PMU context for grouped events.
155) Use-after-free (CVE-ID: CVE-2026-31533)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a use-after-free.
The vulnerability exists due to use-after-free in tls_do_encryption() when handling an -EBUSY error path during asynchronous encryption processing. A local user can trigger asynchronous encryption and a subsequent sendmsg to cause a use-after-free.
The issue occurs because a pending cryptd callback may access a freed tls_rec after cleanup state is corrupted by double handling of encrypt_pending and scatterlist restoration.
156) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-31547)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource management in ccs_mode_store when invoking xe_gt_reset without holding an outer runtime PM reference. A local user can trigger the affected sysfs store handler to cause a denial of service.
157) Resource exhaustion (CVE-ID: CVE-2026-31550)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper timeout handling in bcm2835_asb_control() when handling runtime power management suspend operations for V3D. A local user can trigger intensive workloads to cause a denial of service.
The issue can leave V3D in a broken state, leading to bus faults or system hangs on later accesses.
158) Deadlock (CVE-ID: CVE-2026-31565)
CWE-ID: CWE-833 - Deadlock
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a deadlock condition in the irdma RDMA subsystem when executing a netdev reset while RDMA applications have active connections. A local user can trigger a netdev reset during active RDMA connections to cause a denial of service.
The issue occurs during device removal in iWARP mode when client cleanup creates a circular dependency involving QP reference counting.
159) Out-of-bounds write (CVE-ID: CVE-2026-31570)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or corrupt memory.
The vulnerability exists due to an out-of-bounds write in cgw_csum_crc8_rel() when processing CAN gateway crc8 checksum configuration with crafted negative indices. A local user can supply crafted checksum index values to cause a denial of service or corrupt memory.
Exploitation requires CAP_NET_ADMIN to configure the can-gw crc8 checksums.
160) Use-after-free (CVE-ID: CVE-2026-31586)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in cgwb_release_workfn() when releasing writeback resources and later dereferencing wb->blkcg_css after dropping its last reference. A local user can trigger the race condition to cause a denial of service.
The issue is race-dependent and can be observed as a KASAN-reported slab-use-after-free in blkcg_unpin_online().
161) Use-after-free (CVE-ID: CVE-2026-31588)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in complete_emulated_mmio() when servicing an emulated MMIO write that splits a page boundary across MMIO pages. A local user can trigger crafted KVM_RUN operations to cause a denial of service.
The issue occurs for write payloads of 8 bytes or less and is most visible when the second KVM_RUN is performed by a separate task.
162) Out-of-bounds write (CVE-ID: CVE-2026-31602)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in ct_vm_map() in the ALSA ctxfi driver when handling large aggregate memory allocations for playback streams. A local user can trigger crafted allocation patterns through ioctl operations to cause a denial of service.
The issue is triggered on AMD64 systems when aggregate memory allocations exceed the single-page table coverage limit.
163) Heap-based buffer overflow (CVE-ID: CVE-2026-31607)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in usbip_pack_ret_submit() when processing a RET_SUBMIT response from a USB/IP server. A remote attacker can send a specially crafted response with an oversized number_of_packets value to cause a denial of service or execute arbitrary code.
The issue occurs because the response value is later used as the loop bound for accesses to urb->iso_frame_desc[], whose allocation size was determined by the original submission.
164) Heap-based buffer overflow (CVE-ID: CVE-2026-31622)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in digital_in_recv_sdd_res() when processing crafted NFC-A SDD and SEL responses from a peer device. A remote attacker can send crafted responses to cause a denial of service.
The issue occurs because the peer device can control the number of NFC-A anti-collision cascade rounds and the amount of data appended to target->nfcid1 on each round.
165) Integer underflow (CVE-ID: CVE-2026-31649)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information and cause memory corruption.
The vulnerability exists due to integer underflow in jumbo_frm() chain-mode implementation in the stmmac driver when processing a packet whose linear portion is smaller than the buffer size but whose total length exceeds it due to page fragments. A local user can send a specially crafted packet to disclose sensitive information and cause memory corruption.
On systems without an IOMMU, the issue can cause DMA mappings to reference kernel memory beyond the skb buffer.
166) Use-after-free (CVE-ID: CVE-2026-31656)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in intel_engine_park_heartbeat when racing the heartbeat worker and request retirement paths while releasing engine->heartbeat.systole. A local user can trigger concurrent request retirement and heartbeat handling to cause a denial of service.
The issue arises because the same systole request can be released twice after a stale non-NULL pointer is observed in a non-atomic read-and-clear sequence.
167) Integer underflow (CVE-ID: CVE-2026-31662)
CWE-ID: CWE-191 - Integer underflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer underflow in tipc_group_proto_rcv() when handling duplicate or stale GRP_ACK_MSG messages. A remote attacker can send duplicate group acknowledgment messages to cause a denial of service.
After the counter wraps, group broadcasts on the affected socket remain blocked until the group is recreated.
168) Improper access control (CVE-ID: CVE-2026-31668)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass routing policy restrictions.
The vulnerability exists due to improper access control in the seg6 lwtunnel dst_cache handling when processing input and output paths in different routing contexts. A local user can trigger packet processing through one path so that the other path reuses an incorrect cached destination to bypass routing policy restrictions.
The issue occurs because a single destination cache is shared between seg6_input_core() and seg6_output_core(), even though these paths may perform SID lookup under different routing contexts such as ingress-interface-based rules or VRF table separation.
169) Use-after-free (CVE-ID: CVE-2026-31669)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in __inet_lookup_established when performing concurrent ehash lookups on MPTCP IPv6 subflow child sockets under rcu_read_lock. A local user can trigger socket allocation and freeing patterns to cause a denial of service.
The issue affects MPTCP IPv6 subflow child sockets because they may be allocated from a cache without SLAB_TYPESAFE_BY_RCU, allowing freed memory to be reused during lockless lookups.
170) Out-of-bounds read (CVE-ID: CVE-2026-31675)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds access in netem_enqueue() when processing fully non-linear packets sent over an IPIP tunnel through an AF_PACKET TX_RING. A local user can send a specially crafted packet to cause a denial of service.
171) Improper input validation (CVE-ID: CVE-2026-31679)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in openvswitch SET/SET_MASKED action handling for OVS_KEY_ATTR_MPLS when processing crafted MPLS action payload lengths. A local user can send a specially crafted request to cause a denial of service.
172) Out-of-bounds read (CVE-ID: CVE-2026-31681)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ports_match_v1() in the xt_multiport netfilter module when processing malformed multiport v1 rules. A local user can supply a crafted rule with invalid range encoding to cause a denial of service.
173) Out-of-bounds read (CVE-ID: CVE-2026-31682)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in br_nd_send when parsing neighbor discovery options from a non-linear skb. A remote attacker can send a specially crafted ICMPv6 neighbor solicitation request to cause a denial of service.
174) Out-of-bounds read (CVE-ID: CVE-2026-31684)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in tcf_csum_act() when processing packets with nested in-payload VLAN headers. A remote attacker can send a specially crafted packet to cause a denial of service.
175) Improper input validation (CVE-ID: CVE-2026-31685)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ip6t_eui64 when processing packets with an invalid MAC header. A remote attacker can send a specially crafted packet to cause a denial of service.
176) Heap-based buffer overflow (CVE-ID: CVE-2026-31694)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in fuse_add_dirent_to_cache() when processing directory entries returned by a FUSE server. A remote attacker can return a specially crafted directory entry with an oversized name length to cause a denial of service.
The issue occurs when a serialized directory entry exceeds a single page size and is copied into the readdir cache.
177) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31700)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass safety checks.
The vulnerability exists due to a time-of-check time-of-use race condition in tpacket_snd() when processing a mmap'd vnet_hdr in the TPACKET TX path with PACKET_VNET_HDR enabled. A local user can modify vnet_hdr fields in the shared ring buffer between validation and use to bypass safety checks.
Only the TPACKET TX path is affected.
178) Out-of-bounds read (CVE-ID: CVE-2026-31738)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in vxlan_na_create when parsing neighbor discovery options. A remote attacker can send a specially crafted packet to cause a denial of service.
179) Double free (CVE-ID: CVE-2026-31787)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to circumvent kernel lockdown restrictions.
The vulnerability exists due to double free in the Linux kernel privcmd driver when handling privcmd operations. A local privileged user can trigger a double free of kernel memory to circumvent kernel lockdown restrictions.
Only Linux PVH or HVM domains booted in secure mode are affected; PV domains and non-Linux domains are not vulnerable.
180) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43009)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to bypass BPF verifier state tracking.
The vulnerability exists due to improper state management in the BPF verifier backtrack_insn logic when processing BPF atomic fetch instructions. A local user can load a crafted BPF program to bypass BPF verifier state tracking.
The issue occurs because atomic fetch operations are not tracked correctly for precision propagation, which can cause the verifier to incorrectly treat distinct execution states as equivalent and prune branches that should remain separate.
181) Out-of-bounds read (CVE-ID: CVE-2026-43025)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the ctnetlink expectation handling code when processing netlink requests that create expectations with a helper different from the existing master conntrack helper. A remote user can send a specially crafted netlink request to disclose sensitive information.
The issue can allow reading kernel memory bytes beyond the expectation boundary.
182) Use-after-free (CVE-ID: CVE-2026-43027)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in nf_conntrack_helper_unregister and expectation handling in netfilter nf_conntrack_helper when unregistering a helper while stale expectations remain. A local user can trigger helper unregistration and subsequent expectation access to cause a denial of service.
The issue is triggered because expectations referencing the helper survive cleanup and are later dereferenced during expectation dumps or packet-driven conntrack initialization.
183) Stack-based buffer overflow (CVE-ID: CVE-2026-43037)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in ip4ip6_err() and __ip_options_echo() when processing a crafted packet that triggers ICMP error handling on a cloned skb. A remote attacker can send a specially crafted packet to execute arbitrary code.
The issue is caused by reusing skb cb[] data written by the IPv6 receive path as IPv4 metadata, allowing attacker-controlled packet data to influence the copied option length.
184) Out-of-bounds read (CVE-ID: CVE-2026-43038)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in ip6_err_gen_icmpv6_unreach() when processing a forged ICMPv4 error containing a CIPSO IP option and an attacker-controlled inner IPv6 packet. A remote attacker can send a specially crafted ICMP error packet to cause a denial of service.
The issue arises because IPv4 control buffer data is reused as IPv6 control buffer data in a cloned skb, which can lead to a forged home address option offset being used during IPv6 TLV parsing.
185) Incorrect Calculation of Buffer Size (CVE-ID: CVE-2026-43044)
CWE-ID: CWE-131 - Incorrect Calculation of Buffer Size
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt memory.
The vulnerability exists due to improper memory allocation in the caam crypto driver when processing HMAC keys longer than the block size. A local user can supply a specially crafted long HMAC key to corrupt memory.
The issue occurs because the buffer size was not allocated using the rounded DMA cache alignment size.
186) Use-after-free (CVE-ID: CVE-2026-43050)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in sock_def_readable() when accessing priv->lecd during concurrent socket teardown. A local user can trigger a race condition to cause a denial of service.
The issue occurs because concurrent code paths dereference priv->lecd without protection while lec_atm_close() clears the pointer and the socket may be freed via RCU.
187) Use-after-free (CVE-ID: CVE-2026-43060)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in nft_ct when removing referenced conntrack objects while packets remain enqueued in nfqueue. A local user can trigger processing of packets that retain stale references to cause a denial of service.
The issue involves references to conntrack zone templates, timeout policies, or helpers held by queued packets.
188) Use of uninitialized resource (CVE-ID: CVE-2026-43088)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an information exposure caused by uninitialized memory in PF_KEY export paths when exporting aligned sockaddr payloads for certain PF_KEY messages. A local user can trigger affected PF_KEY message handling to disclose sensitive information.
The issue affects the SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE export paths, while state and policy dump builders are not affected.
189) Out-of-bounds read (CVE-ID: CVE-2026-43110)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in brcmf_fweh_handle_if_event() when handling firmware-provided IF events. A remote attacker can supply a crafted bsscfg index to cause a denial of service.
190) Double free (CVE-ID: CVE-2026-43120)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in rereg_user_mr when re-registering a memory region with IB_MR_REREG_TRANS set. A local user can trigger an error after a new umem is allocated and then call ibv_dereg_mr to cause a denial of service.
The issue occurs because a released umem reference remains non-NULL and is released again on the deregistration path.
191) Use-after-free (CVE-ID: CVE-2026-43126)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service or execute arbitrary code.
The vulnerability exists due to a use-after-free in the ALSA OSS mixer layer when handling OSS mixer accesses during device disconnection. A local user can trigger concurrent mixer control operations on a disconnecting sound card to cause a denial of service or execute arbitrary code.
The issue arises because pending kcontrol operation calls may not be caught while the device is being disconnected.
192) Out-of-bounds read (CVE-ID: CVE-2026-43190)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in the xt_tcpmss TCP option parser when parsing a TCP option field whose last byte is not EOL or NOP. A local user can supply a specially crafted packet to disclose sensitive information.
193) Race condition (CVE-ID: CVE-2026-43214)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper synchronization in __get_sregs2() when reading PDPTR registers during ioctl handling. A local user can issue a crafted ioctl request to cause a denial of service.
The issue is triggered when reading PDPTRs causes access to guest memory through memslot lookups without the required SRCU read-side protection.
194) Improper input validation (CVE-ID: CVE-2026-43265)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state validation in KVM x86 nested virtualization handling when processing userspace-supplied MP_STATE or injected events for a blocked vCPU while L2 is active. A remote user can place the vCPU into an invalid state to cause a denial of service.
The issue can result in a spurious userspace exit, typically with KVM_EXIT_UNKNOWN, after exiting a blocking state.
195) Memory corruption (CVE-ID: CVE-2026-43329)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper restriction of operations within the bounds of a memory buffer in flowtable hardware offload action handling when processing IPv6 flowtable offload configurations with multiple actions. A remote attacker can trigger a flow configuration that exceeds the supported number of actions to cause a denial of service.
The issue can be reached in IPv6 setups involving combinations of ethernet mangling, NAT, double VLAN for QinQ, redirect, and tunnel-related actions.
196) Out-of-bounds read (CVE-ID: CVE-2026-43330)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds read in the caam crypto driver when processing HMAC keys longer than the block size. A local user can supply a specially crafted long HMAC key to cause memory corruption.
The issue occurs because the copied key buffer is rounded to DMA cache alignment, which can result in reading past the end of the source key buffer.
197) Improper access control (CVE-ID: CVE-2026-43334)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass man-in-the-middle protection during Bluetooth pairing.
The vulnerability exists due to improper access control in the Bluetooth SMP pairing response handling when processing a pairing request. A remote attacker can initiate a pairing request that omits MITM requirements to bypass man-in-the-middle protection during Bluetooth pairing.
Exploitation is possible when the local side requires high security and the selected pairing method becomes inconsistent with the responder's security policy.
198) Improper input validation (CVE-ID: CVE-2026-43365)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause filesystem corruption and a denial of service.
The vulnerability exists due to improper input validation in XFS log roundoff handling when mounting or recovering a crafted XFS filesystem with a malformed superblock. A local user can provide a specially crafted filesystem image to cause filesystem corruption and a denial of service.
The issue can result in corrupt logs and an unmountable filesystem on systems using 4k physical sectors.
199) Improper input validation (CVE-ID: CVE-2026-43366)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state validation in the io_uring kernel buffer recycling logic when recycling a previously grabbed buffer. A local user can trigger recycling of a buffer after the target buffer list has changed type to cause a denial of service.
This can occur when the request is forced via io-wq.
200) Memory leak (CVE-ID: CVE-2026-43419)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in ceph_mdsc_build_path() when handling error paths. A local user can trigger the vulnerable code path to cause a denial of service.
201) Use-after-free (CVE-ID: CVE-2026-43437)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in snd_pcm_drain() when handling a linked stream runtime after releasing the stream lock. A local user can trigger a concurrent close() on the linked stream's file descriptor to cause a denial of service.
The issue occurs because the drain path dereferences stale runtime fields from a linked stream after the runtime can be freed by concurrent unlink and detach operations.
202) NULL pointer dereference (CVE-ID: CVE-2026-43441)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the bonding driver IPv6 neighbor advertisement validation path when processing IPv6 NS/NA packets on a slave while ARP/NS validation is enabled and IPv6 is disabled. A remote attacker can send a specially crafted IPv6 NS/NA packet to trigger a kernel crash and cause a denial of service.
Exploitation requires the system to be booted with the 'ipv6.disable=1' parameter and bonding ARP/NS validation to be enabled.
203) Double free (CVE-ID: CVE-2026-43494)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in rds_message_zcopy_from_user() and rds_message_purge() when handling a zerocopy page pin failure during sendmsg processing. A local user can trigger a page pin failure and subsequent cleanup to cause a denial of service.
204) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43503)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to modify the page cache of a root-owned read-only file.
The vulnerability exists due to improper state management in frag-transfer helpers in the Linux kernel networking stack when moving fragment descriptors between socket buffers. A local user can trigger packet processing through a duplicated skb path to modify the page cache of a root-owned read-only file.
One demonstrated path involves ESP input after a packet is duplicated through an nft 'dup to' rule or another nf_dup_ipv4() / xt_TEE caller.
205) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46300)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to improper state management in skb_try_coalesce() when transferring paged fragments during TCP receive coalescing. A local user can trigger packet processing that moves shared fragments into an unmarked skb to cause memory corruption.
The issue can lead ESP input to incorrectly treat an uncloned nonlinear skb as not having shared fragments and perform in-place decryption over externally owned or page-cache-backed fragments.
Remediation
Install update from vendor's website.