SB2026062309 - Debian update for linux
Published: June 23, 2026
Description
This security bulletin contains information about 53 vulnerabilities.
1) Resource management error (CVE-ID: CVE-2025-22069)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the 1SZREG() function in arch/riscv/kernel/mcount.S. A local user can perform a denial of service (DoS) attack.
2) Infinite loop (CVE-ID: CVE-2025-68251)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the z_erofs_load_full_lcluster() and z_erofs_load_compact_lcluster() functions in fs/erofs/zmap.c. A local user can perform a denial of service (DoS) attack.
3) Improper locking (CVE-ID: CVE-2025-68768)
CWE-ID: CWE-667 - Improper Locking
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the ip_expire() function in net/ipv4/ip_fragment.c. A local user can perform a denial of service (DoS) attack.
4) Improper Check or Handling of Exceptional Conditions (CVE-ID: CVE-2025-71289)
CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper error handling in attr_set_size() when truncating files on ntfs3. A local user can truncate a file in a way that triggers an attr_set_size() failure to cause a denial of service.
The inode may be left in an inconsistent state if the error is ignored.
5) Exposure of sensitive information to an unauthorized actor (CVE-ID: CVE-2026-23247)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper output neutralization in the TCP sequence number generation mechanism when handling SYN cookies. A remote attacker can send specially crafted TCP connection requests to disclose sensitive information.
The attacker can exploit the side-channel to infer TCP source ports, enabling off-path attacks that leak information about connection parameters.
6) Use After Free (CVE-ID: CVE-2026-23272)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, and cause a denial of service.
The vulnerability exists due to a use-after-free in the netfilter nf_tables component when handling set element insertion in a full set. A local user can send a specially crafted request to trigger improper RCU handling, leading to a use-after-free condition.
Exploitation requires non-administrative local privileges and does not require user interaction. The vulnerability occurs during normal operation of netfilter rules with full sets.
7) Out-of-bounds read (CVE-ID: CVE-2026-23346)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the ioremap_prot() function when handling memory protection settings from user mappings. A local user can trigger access to a specially crafted user memory region to cause a kernel memory access violation, leading to a system crash.
The issue specifically affects arm64 systems where user page protection flags are incorrectly processed during physical memory access, resulting in an unreadable memory access from kernel space.
8) Double Free (CVE-ID: CVE-2026-23394)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in the af_unix garbage collection mechanism when handling MSG_PEEK system calls. A local user can send a specially crafted sequence of system calls involving MSG_PEEK and socket closure to trigger incorrect garbage collection of active Unix domain sockets, leading to a denial of service.
The issue arises when MSG_PEEK increases a file reference count without synchronizing with garbage collection, causing the collector to incorrectly identify live sockets as dead and purge their receive queues.
9) Race condition (CVE-ID: CVE-2026-23469)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a denial of service.
The vulnerability exists due to a race condition in the drm/imagination GPU driver interrupt handling during runtime power management suspend when suspending the GPU while an IRQ handler is still running on another CPU core. A local attacker can trigger GPU activity that races with runtime suspend to cause a denial of service.
This issue can lead to kernel crashes or a kernel panic when the IRQ handler accesses GPU registers while the GPU is suspended.
10) Improper input validation (CVE-ID: CVE-2026-31420)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in br_mrp_start_test(), br_mrp_start_in_test(), and br_mrp_start_in_test_parse() when processing user-supplied netlink attributes. A local user can supply a zero interval value to cause a denial of service.
A zero interval causes delayed work to be rescheduled with no delay, creating a tight loop that allocates and transmits MRP test frames until system memory is exhausted and the kernel panics via OOM deadlock.
11) Race condition (CVE-ID: CVE-2026-31486)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in pmbus regulator operations when accessing PMBus registers and shared data. A local user can trigger concurrent regulator callbacks and voltage operations to cause a denial of service.
12) NULL pointer dereference (CVE-ID: CVE-2026-31560)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in spi-dw-dma error logging when handling an error after a transaction finishes without a current message. A local user can trigger an error condition to cause a denial of service.
13) Out-of-bounds read (CVE-ID: CVE-2026-31613)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in the SMB client symlink response parser when parsing a crafted symlink error response from an untrusted server. A remote attacker can send a specially crafted SMB response to disclose sensitive information.
The exposed heap bytes are UTF-16-decoded into the symlink target and returned to userspace via readlink(2).
14) Use-after-free (CVE-ID: CVE-2026-31663)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in xfrm_input_resume and transport_finish when processing packets after asynchronous crypto completion. A local user can trigger a race with device teardown to cause a denial of service.
15) Improper access control (CVE-ID: CVE-2026-31717)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a remote user to hijack an orphaned durable handle.
The vulnerability exists due to improper access control in durable handle reconnect validation in ksmbd when processing SMB2 durable handle reconnect requests. A remote user can predict or brute-force the persistent ID and reconnect to hijack an orphaned durable handle.
The issue occurs because the reconnecting user's security context is not verified against the original opener's identity.
16) Use-after-free (CVE-ID: CVE-2026-43116)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in netfilter ctnetlink expectation handling when processing expectation add, delete, get, or event operations. A local user can trigger access to an invalid master conntrack object to cause a denial of service.
17) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-43219)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in cpsw_unregister_ports() when handling a failed register_netdev() call for the first MAC in cpsw_register_ports(). A local user can trigger an error during network device registration to cause a denial of service.
18) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-43245)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper memory allocation in ntfs dentry comparison and hash handling when processing filesystem path lookups. A local user can trigger blocking allocation in this context to cause a denial of service.
19) Use-after-free (CVE-ID: CVE-2026-43303)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the swap subsystem when handling stale page->private values on reallocated and split pages. A local user can trigger swapoff operations after causing affected page state reuse to cause a denial of service.
The issue occurs because tail pages can retain stale page->private values after split_page(), leading swap_count_continued() to follow an invalid continuation list and access poisoned list entries.
20) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-43331)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of KCOV instrumentation state in machine kexec code when executing kexec on a KCOV-instrumented kernel. A local user can trigger a kexec operation to cause a denial of service.
Exploitation requires CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously, and the issue is not relevant to 32-bit kernels.
21) Out-of-bounds read (CVE-ID: CVE-2026-45838)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in cgroup_storage_get_next_key() when processing end-of-list conditions for cgroup storage map keys. A local user can trigger the function on the last list element to disclose sensitive information.
The issue occurs because the code reads a key from a bogus pointer that aliases internal map fields and copies the result to userspace.
22) Out-of-bounds read (CVE-ID: CVE-2026-45839)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in bpf_core_parse_spec() when processing a crafted BPF program containing negative CO-RE accessor indices. A local privileged user can load a specially crafted BPF program to cause a denial of service.
The issue is reachable during BPF_PROG_LOAD on systems with CONFIG_DEBUG_INFO_BTF enabled.
23) Improper input validation (CVE-ID: CVE-2026-45840)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in the openvswitch vport netlink reply helpers when handling a crafted upcall PID array in vport mutation operations. A local user can supply an oversized PID array to trigger a kernel BUG and cause a denial of service.
On systems with unprivileged user namespaces enabled, the issue is reachable via unshare -Urn.
24) Division by zero (CVE-ID: CVE-2026-45841)
CWE-ID: CWE-369 - Divide By Zero
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to divide-by-zero in nf_osf_match_one() in nfnetlink_osf when processing a subsequent matching TCP SYN after a crafted fingerprint is added via nfnetlink. A local user can add a fingerprint with a zero wss value to trigger a kernel panic.
Exploitation requires CAP_NET_ADMIN privileges.
25) NULL pointer dereference (CVE-ID: CVE-2026-45842)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a null pointer dereference in the SLIP/PPP VJ receive handling code when processing inbound VJ-compressed or VJ-uncompressed frames after installing a malformed VJ state with zero receive slots. A local user can configure PPP compression state through /dev/ppp and trigger processing of a frame selecting slot 0 to cause a denial of service.
The issue is reachable through PPPIOCSMAXCID from an unprivileged user namespace.
26) Out-of-bounds read (CVE-ID: CVE-2026-45843)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an out-of-bounds read in slhc_uncompress() when parsing a short VJ-compressed TCP header with optional fields requested in the change byte. A remote attacker can send a specially crafted compressed packet to disclose sensitive information.
The over-read bytes are incorporated into cached connection state and may be reflected into subsequent reconstructed packets.
27) Out-of-bounds read (CVE-ID: CVE-2026-45844)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause incorrect packet filtering decisions.
The vulnerability exists due to an out-of-bounds read in arp_packet_match() when parsing ARP payloads on IEEE1394 interfaces. A local user can send a specially crafted ARP packet to cause incorrect packet filtering decisions.
The issue occurs because IPv4-over-IEEE1394 ARP omits the target hardware address field, causing rule evaluation to use incorrect bytes for target address comparisons.
28) NULL pointer dereference (CVE-ID: CVE-2026-45845)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in taprio class dump handling when deleting a TAPRIO child qdisc and requesting a class dump. A local user can delete an explicit child qdisc and trigger a class dump to cause a denial of service.
Exploitation is reachable in a network namespace with CAP_NET_ADMIN, and on systems with unprivileged user namespaces enabled, user interaction is not required.
29) NULL pointer dereference (CVE-ID: CVE-2026-45846)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in bareudp_fill_metadata_dst() when processing Open vSwitch packet execution on a bareudp device that is down. A local user can send a crafted netlink request to trigger a kernel crash and cause a denial of service.
The issue occurs on the IPv6 path when the code uses bareudp->sock after it has been cleared during device shutdown.
30) Improper input validation (CVE-ID: CVE-2026-45850)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in ipvs checksum validation when processing IPv6 packets with extension headers. A remote attacker can send specially crafted IPv6 packets to cause a denial of service.
31) Improper Initialization (CVE-ID: CVE-2026-45930)
CWE-ID: CWE-665 - Improper Initialization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper initialization in netlink ndmsg response messages when handling RTM_GETNEIGH requests. A local user can send a crafted netlink request to disclose sensitive information.
The issue affects pad bytes in the ndmsg data returned by the kernel.
32) Improper input validation (CVE-ID: CVE-2026-46117)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to corrupt kernel memory.
The vulnerability exists due to improper input validation in mana_ib_create_qp_rss() when processing user-supplied work queue configurations through the RDMA uAPI. A local user can specify work queues sharing the same completion queue to corrupt kernel memory.
33) Race condition (CVE-ID: CVE-2026-46137)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in mptcp_pm_add_timer() when handling ADD_ADDR retransmission timer callbacks. A local user can trigger concurrent access to cause a denial of service.
34) Improper resource shutdown or release (CVE-ID: CVE-2026-46158)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the mptcp path manager ADD_ADDR retransmission handling when retransmitting ADD_ADDR messages. A local user can trigger ADD_ADDR retransmissions to cause a denial of service.
35) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-46160)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause filesystem corruption and a denial of service.
The vulnerability exists due to improper state update in the btrfs directory unlink handling when removing a directory and later fsyncing it through an open file descriptor. A local user can remove a directory, retain a file descriptor to it, and trigger fsync to cause filesystem corruption and a denial of service.
The issue can cause log replay to fail with an -EIO error when the filesystem is mounted.
36) Improper resource shutdown or release (CVE-ID: CVE-2026-46170)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in the mptcp path manager ADD_ADDR retransmission timer handling when processing ADD_ADDR retransmissions. A local user can trigger ADD_ADDR retransmissions to cause a system hang.
The issue occurs when the last socket reference is released from the timer handler, leading to an indefinite wait on the same timer.
37) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-46203)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access to hardware registers in cadence-quadspi driver unbind handling when unbinding the driver while the controller is runtime suspended. A local user can trigger driver unbind to cause a denial of service.
38) NULL pointer dereference (CVE-ID: CVE-2026-46216)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in intel_hdcp_gsc_check_status() when handling a system state where media_gt is disabled via configfs. A local user can trigger the vulnerable code path to cause a denial of service.
The issue occurs when media GT is disabled and media_gt remains NULL.
39) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-46244)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass firewall restrictions.
The vulnerability exists due to improper handling of the transport header offset in nft_inner_parse_l2l3() in net/netfilter/nft_inner.c when processing inner IPv6 packets with extension headers. A remote attacker can send specially crafted packets to bypass firewall restrictions.
The issue causes a desynchronization between inner_thoff and l4proto, allowing transport header forgery in the inner IPv6 parsing path.
40) Use-after-free (CVE-ID: CVE-2026-46274)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a use-after-free in io_wq_remove_pending() and hash_tail handling in io_uring when cancelling hashed bucket-0 work with a non-hashed predecessor in the work list. A local user can trigger cancellation and subsequent hashed work insertion to execute arbitrary code.
The dangling pointer can persist for the lifetime of the task because the io_wq is per-task and survives ring open and close operations.
41) Use-after-free (CVE-ID: CVE-2026-46275)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to use-after-free in the hci_uart line discipline lifecycle management when closing or initializing a Bluetooth HCI UART device. A local user can trigger a hangup or race the close and initialization paths to cause a denial of service.
The issue involves workqueue handling and teardown ordering in the close and initialization error paths.
42) Use of uninitialized resource (CVE-ID: CVE-2026-46315)
CWE-ID: CWE-908 - Use of Uninitialized Resource
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to uninitialized memory usage in io_uring IORING_OP_WAITID result handling when copying waitid result data to userspace. A local user can trigger a wait operation that completes without reporting a child event to disclose sensitive information.
The issue occurs because stale bytes from reused io_kiocb command storage may be copied to userspace siginfo when no child event information is written.
43) Double free (CVE-ID: CVE-2026-46316)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in vgic_its_invalidate_cache() in the KVM arm64 vgic-its translation cache when invalidating cache entries concurrently. A local user can trigger concurrent cache invalidation paths to cause a denial of service.
The issue occurs because multiple contexts can drain the same cache at the same time, allowing an entry to be freed while an ITE still maps it.
44) Use-after-free (CVE-ID: CVE-2026-46319)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free race condition in tcf_ct_flow_table_get() in net/sched/act_ct.c when looking up a flow table and incrementing its reference count. A local user can trigger the race during act_ct initialization to escalate privileges.
The race window is very short and occurs after the flow table object is returned from the hash table lookup but before its reference count is successfully incremented.
45) Improper resource shutdown or release (CVE-ID: CVE-2026-46320)
CWE-ID: CWE-404 - Improper Resource Shutdown or Release
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper resource shutdown or release in tap_get_user_xdp() when processing XDP frames. A local user can send a crafted short frame or trigger skb allocation failure to cause a denial of service.
Each rejected frame in a batch leaks one page-frag chunk.
46) Memory leak (CVE-ID: CVE-2026-46321)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in tun_xdp_one() in the tun driver when processing short frames through the tun and vhost-net transmit path. A local user can submit TX descriptors whose payload length is shorter than ETH_HLEN to exhaust host memory and trigger an OOM panic.
Exploitation requires the ability to open /dev/net/tun and /dev/vhost-net and to attach a tun/tap device as the vhost-net backend.
47) Memory leak (CVE-ID: CVE-2026-46322)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a memory leak in tun_xdp_one() when handling a build_skb() allocation failure. A local user can trigger this error path to cause a denial of service.
The issue occurs because a page allocated for the frame is not freed on the failure path, and the per-buffer error may be discarded during batch processing.
48) Use-after-free (CVE-ID: CVE-2026-46323)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a use-after-free in skb_gro_receive in the GRO subsystem when merging zerocopy skbs. A local user can trigger GRO processing with zerocopy skbs to cause a denial of service.
The issue occurs when either the source skb or the last skb in the GRO chain is zerocopy and uses managed fragment references.
49) Out-of-bounds write (CVE-ID: CVE-2026-46331)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause memory corruption.
The vulnerability exists due to an out-of-bounds write in tcf_pedit_act() when processing packet edit actions with typed keys and runtime header offsets. A local user can supply crafted pedit parameters that cause writes to a region that has not been properly copy-on-written to cause memory corruption.
The issue can involve negative offsets such as Ethernet header edits at ingress.
50) Improper access control (CVE-ID: CVE-2026-52908)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain write access to memory regions that were not properly pinned as writable.
The vulnerability exists due to improper access control in RDMA memory region re-registration handling when changing IB_MR_REREG_ACCESS from read-only to read-write. A local user can re-register a memory region with writable access to gain write access to memory regions that were not properly pinned as writable.
The issue occurs when a driver reuses an existing umem during memory region re-registration.
51) Improper access control (CVE-ID: CVE-2026-52909)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to move a fallback tunnel device to another network namespace.
The vulnerability exists due to improper access control in the ip6_vti fallback tunnel device initialization when initializing the per-network-namespace fallback device. A local user can move the ip6_vti0 fallback tunnel device to another network namespace.
The issue affects the per-netns fallback tunnel device ip6_vti0.
52) Out-of-bounds read (CVE-ID: CVE-2026-52910)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in the reuseport cBPF program handling in sk_reuseport_prog_free() when detaching or replacing a reuseport program while UDP packets are being processed concurrently. A local user can trigger concurrent reuseport program updates and packet transmission to cause a denial of service.
The issue occurs because the classic BPF reuseport program may be freed before RCU readers have completed.
53) Improper access control (CVE-ID: CVE-2026-52911)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to access another user's session.
The vulnerability exists due to improper access control in ksmbd_session_lookup_all() when processing a binding SESSION_SETUP request. A remote user can send a crafted session lookup request to access another user's session.
The issue occurs because a connection-wide binding flag can remain set after a binding SESSION_SETUP, allowing the global session lookup path to resolve sessions not bound to that connection.
Remediation
Install the update from the vendor's website.